Healthcare cybersecurity is becoming an increasingly serious topic for companies and the public alike. But what if a data breach meant exposing patients' private information and putting that data into the hands of malicious cybercriminals?
That situation is precisely what Independence Blue Cross (IBC) faced earlier this year. On September 17th, IBC announced that over 17,000 of its customers were affected by a data breach that leaked customers' names, dates of birth, provider information, diagnosis codes and other data that could be used to steal patients' identities.
Unfortunately, this incident is far from unusual. Many businesses within the healthcare industry are hit by email hacks, phishing schemes and stolen drives that have leaked hundreds of thousands of healthcare records. Keep your establishment's data from being compromised by learning about the many strategies cybercriminals use to acquire such valuable data and protecting yourself against them.
The History of Healthcare Data Security
The days of storing physical medical records are long over. Paper documents are not a sustainable way to compile records given the enormous number of files that must be processed and kept easily accessible. But how much exactly does the healthcare industry rely on digital storage for this vast sea of information?
Online storage of healthcare data is expanding rapidly, and 30 percent of the world's information is medical services data. While storing the hundreds of files recorded daily by hospitals around the globe online is far more efficient than traditional methods, it also poses significantly more risk. The healthcare industry is the most sought-after target for cybercriminals, and it also loses the most customers after a data breach. Many people view their medical records as sensitive and private data, so it is easy to understand why customers grow upset and lose trust in providers who do not keep those records secure.
In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was one step toward better data security and privacy measures to protect patients' medical information from various threats. The act establishes numerous protections for patients' records, which include:
- Title I — Health Insurance Reform: Protects the health insurance of those who lose or change jobs and prevents individuals with pre-existing conditions or specific diseases from being subjected to limited lifetime coverage.
- Title II — Administrative Simplification: Instructs the U.S. Department of Health and Human Services (HHS) to uphold national standards for electronic healthcare transactions and requires healthcare organizations to use secure electronic means of accessing health data.
- Title III — Tax-Related Health Provisions: Defines explicit guidelines for the taxation of medical care.
- Title IV — Application and Enforcement of Group Health Plan Requirements: Defines health insurance reform and emphasizes those seeking continued coverage who have pre-existing conditions.
- Title V — Revenue Offsets: Protects those who lose U.S. citizenship and company-owned life insurance.
Overall, HIPAA provides continuous health care insurance for a broad spectrum of individuals. The act also regulates electronic data systems and combats fraud, abuse and waste. It has gained prominence more recently as data breaches and cyber attacks have become more frequent and more clever. Changes over recent years account for technological innovation: the act now covers cloud service providers and includes a clause requiring health care providers to inform patients when they have suffered a data breach.
Between 2009 and 2017, there were 2,181 data breaches in the healthcare industry, and 2017 saw more reported breaches than any preceding year. 2018 is likely to surpass that statistic. While a healthcare network breach occurs at least once per day, there are several common threats you can look out for so you do not fall victim to a data leak.
Common Threats in Healthcare
Many threats pose a risk to a network's safety, but it may come as a surprise that the most widespread and effective ways of stealing information do not involve advanced hacking by a criminal mastermind. The biggest threats are likely right under your nose or in the palm of your hand.
1. Insider Threats
In the case of IBC, the data breach occurred because an employee in the organization uploaded a file that exposed the leaked information. Whether the upload was intentional or an honest mistake, that individual faced disciplinary action, and the Philadelphia-based health insurance giant as a whole suffered enormous losses by having to offer two years of free identity protection and credit monitoring to those whose information was leaked.
Employees are not the only ones who can leak this information. Business associates, subcontractors, volunteers, researchers and former employees also commonly have access to networks, email accounts or other data. Those who want to harm an organization can quickly take advantage of this broad set of accounts for their own benefit.
Insider threats come in two forms — malicious and non-malicious.
- Malicious threats: The more dangerous of the two, a malicious threat is when someone uses stolen data to cause deliberate harm to the organization or its customers. Nearly half of insider breaches are committed for financial gain because protected health information, such as social security numbers, is so valuable on the black market.
- Non-malicious threats: These include employees looking at private medical records they have no permission to see, and the accidental loss or disclosure of private information. The first commonly occurs when a loved one or a celebrity is admitted to the hospital; it can be enticing to look at the medical records or patient history of a person of interest. The latter can happen by sharing login credentials, storing those credentials in an unsafe place or falling victim to phishing.
Insider breaches carry more consequences than might first meet the eye. HIPAA fines healthcare organizations that compromise patient privacy, and a breach damages the organization's reputation, causing a loss of confidence and of patients, and consumes even more resources by leaving the organization susceptible to lawsuits.
Healthcare organizations have a difficult time detecting insider breaches. They can often go undetected for months or years, and only a fourth of cases ever get noticed. They are also twice as costly and harmful in comparison to external threats.
2. Malware and Ransomware
Malware is the source of most malicious attacks. It is software meant to disable or weaken a system so that its security can be compromised. A category of malware called ransomware is growing in popularity. Ransomware prevents the rightful users of a network from accessing certain files, or their whole system, until the victim pays the cybercriminal who staged the attack. It can be very challenging to remove without giving in to the criminal's demands.
The Hollywood Presbyterian Center (HPMC) fell victim to one of these attacks and saw no other option but to pay a ransom of $17,000 to regain access to its files, and in many instances the ransom is much higher.
Mobile devices are becoming ingrained in our everyday lives. The healthcare industry benefits by making its networks more accessible and facilitating communication between staff and patients. However, this technology also puts a strain on a network's bandwidth and increases its susceptibility to infections such as malware. As more organizations virtualize their servers and offer more ways to interact with the industry, more threats arise.
How to Protect Against Different Types of Threats: Steps to Data Security
To protect against insider threats, you should use technological solutions, procedures and policies that detect these healthcare security threats quickly after they occur.
The standard approach has four stages:
- Educate: Ensure your employees understand what they are and are not allowed to do with their access to online data systems, and the risks that correlate with patient privacy and data security.
- Deter: Develop policies that detail the rules and repercussions of violating HIPAA and data protection rules.
- Detect: Use technology that helps healthcare professionals detect breaches and that records logs of who is accessing data and when.
- Investigate: If an establishment falls victim to a data breach, it is essential to study the incident and learn what harm has occurred, identify compromised data and determine what steps should be taken to prevent a breach from happening again.
Following these steps can help your business minimize the risk of a data breach.
1. Employee Training
Beyond these four steps, employers should conduct background checks before any new employee joins the team. These checks should include Internet searches for pertinent information about the individual, including where the applicant was previously employed, how they portray themselves on social media and the most popular results associated with their name.
HIPAA training is also essential in the healthcare industry. Being confident that your employees know their responsibilities and can abide by HIPAA is critical to staying safe and avoiding fines or lawsuits. Your employees need to complete this training before you give them any network access. Also spell out the consequences of violating these rules throughout the training.
In addition to HIPAA training, you should conduct security awareness training so your staff become experts at spotting phishing emails and other web-based threats. Security awareness training also helps employees understand what actions put healthcare data at risk and simulates the strategies that cybercriminals use. The curriculum can also cover how to generate a strong password.
Employees should also be urged to report suspicious behavior by their colleagues to upper management. It is impossible to oversee an entire network of employees, but if the staff can accurately spot violations of HIPAA rules and changes in behavior, they can play a vital role in stopping a data leak before it is too late.
The information gathered benefits the organization as a whole by identifying which risky behaviors employees are engaging in and which areas of weakness need more emphasis in the training curriculum. The education your staff receive also pays off in employees making more knowledgeable decisions about how they use your company's database.
2. Manage Network Users
Credentials should not be given out to just anyone who has a role in your healthcare establishment. Lowering the privileges given to network users and keeping the number of users to a minimum limits the damage any one account can do. Management should also monitor employee activity and block access to platforms such as social media, which can host malware that spreads rapidly through a network. Network managers should also keep on top of terminating access for users who no longer work for you or no longer require their permissions.
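The Detect stage above and the access-termination point in this section both come down to routinely reviewing who touched which record and when. The following Python is an added example, not code from this post or from BlackStratus; the log format, staff roster, care-team assignments and business-hours window are constructed assumptions.

```python
"""Review an access audit log for the insider-threat indicators discussed above.

Constructed example. Three checks are applied to each access event:
  1. the account still belongs to a current employee (access termination),
  2. clinical staff only open records of patients they are assigned to (snooping),
  3. access happens within business hours (unusual timing worth a second look).
"""
from datetime import datetime

# Constructed sample audit log: ISO timestamp, user, medical record number, action.
ACCESS_LOG = """\
2018-09-10T08:02:11 nurse.kim   MRN-1001 VIEW
2018-09-10T08:15:40 dr.patel    MRN-1002 VIEW
2018-09-10T09:30:05 nurse.kim   MRN-2045 VIEW
2018-09-10T22:47:19 billing.lee MRN-2045 VIEW
2018-09-11T10:05:00 former.ray  MRN-1002 VIEW
"""

# Constructed roster: current accounts, and which patients each clinician treats.
# Roles with no care-team entry (e.g. billing) are not subject to check 2.
ACTIVE_USERS = {"nurse.kim", "dr.patel", "billing.lee"}
CARE_TEAM = {"nurse.kim": {"MRN-1001"}, "dr.patel": {"MRN-1002"}}
BUSINESS_HOURS = range(7, 19)  # 07:00 through 18:59, an assumed policy window


def parse_log(text):
    """Yield (timestamp, user, mrn, action) tuples from the whitespace-separated log."""
    for line in text.splitlines():
        ts, user, mrn, action = line.split()
        yield datetime.fromisoformat(ts), user, mrn, action


def review_access(log_text, active_users, care_team, hours=BUSINESS_HOURS):
    """Return (user, mrn, reason) for every access that merits investigation."""
    findings = []
    for ts, user, mrn, action in parse_log(log_text):
        if user not in active_users:
            # A disabled or unknown account should never produce log entries.
            findings.append((user, mrn, "access by terminated or unknown account"))
            continue
        if user in care_team and mrn not in care_team[user]:
            findings.append((user, mrn, "record outside user's care team"))
        if ts.hour not in hours:
            findings.append((user, mrn, "access outside business hours"))
    return findings


if __name__ == "__main__":
    for finding in review_access(ACCESS_LOG, ACTIVE_USERS, CARE_TEAM):
        print("INVESTIGATE: %s opened %s (%s)" % finding)
```

In a real deployment the roster and assignments would come from the HR and scheduling systems rather than be hard-coded, and each finding would feed the Investigate stage described above.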
While the power to defend against data breaches and phishing scams ultimately lies with employees, technological solutions provide another layer of defense. Software can keep phishing emails from reaching employees' inboxes, detect when a breach occurs and enforce the use of strong passwords, among other capabilities. CYBERShark, BlackStratus' proven security and compliance platform, is trusted by thousands of organizations affiliated with the healthcare industry and provides the capabilities of security analysts and complex hardware appliances for a fraction of the cost. This cloud-based service allows your business to reduce risk, respond to threats as soon as they surface, and remain compliant with strict healthcare standards.
Many networks are also adopting two-factor authentication so that if a password is compromised, the attacker still cannot access records or information without a second form of authentication. Encryption is also crucial so that data on stolen or lost devices cannot be read and patient data is kept safe.
Reduce the Risk of Data Breaches in Your Network Today
As technology advances and hackers develop more diabolical ways to access private records, the methods of combating these attacks advance too. Employee training and revamping entire networks are practices that should not be taken lightly, as they can be expensive and time-consuming to implement in a large organization.
The first step, one that can be put in place today, is trying out a free demo of CYBERShark to autonomously monitor your network, report malicious activity and increase profitability while reducing the risk of data breaches in your business. If you have any questions, don’t hesitate to contact us.