How Can You Protect Patient Data from Growing Cyber Threats?
It seems like every day there is news that another major corporation was hacked and confidential information was stolen from its systems.
Medtronic Inc., one of the world’s largest medical device makers, recently announced that its system was hacked in an attack that is believed to have originated in Asia. Although the company reported that no medical records were stolen in that attack, it also reported a separate cyber incident in which Medtronic’s diabetes business unit lost an undisclosed number of patient records.
Health data breaches on the rise
The number of known healthcare-related breaches is increasing every year. More than 29 million patient records have been compromised in HIPAA data breaches since the U.S. Department of Health and Human Services started tracking reported breaches on its website in 2009.
“The healthcare industry, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014,” according to Experian’s 2014 Data Breach Industry Forecast.
Cybercriminals are increasingly targeting the valuable personal information stored by healthcare organizations. Healthcare organizations reported more data breaches than any other industry in 2013, according to the Identity Theft Resource Center, a nonprofit organization that tracks data theft. This is partly because healthcare organizations have been storing more and more information in electronic format since the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009. The HITECH Act has been transforming the healthcare industry by increasing the use of technology to drive improvements in quality, safety and efficiency, which also means far more patient data now sits on networked systems.
Additionally, healthcare organizations such as hospitals, physician practices and other providers are relying more on third-party business associates, and much of the data exchange takes place in the cloud. Many business associates have weaker information security controls than the healthcare organizations they serve. A compromise of a business associate's systems can give attackers a back door into the healthcare organization's data, and that path can lead to theft of patients' medical and financial information just as surely as a direct attack on the provider.
What is the risk for healthcare organizations?
The costs involved in responding to a data breach can be significant, and the damage to reputation may be even greater. Beyond that, healthcare organizations and their business associates may incur significant penalties for not complying with the regulations of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
New York-Presbyterian Hospital and Columbia University Medical Center made headlines in May when they agreed to pay a combined $4.8 million, the largest HIPAA settlement to date, to resolve alleged HIPAA violations. The settlement stemmed from a 2010 data breach in which the electronic protected health information of 6,800 patients became accessible to Internet search engines, including Google. It underscores the need for healthcare organizations to be vigilant in safeguarding patient data if they want to avoid harsh penalties.
How can you minimize your risk of a data breach?
So how can healthcare organizations protect themselves and their patients from cyber threats? The following steps will help you get started.
- Assess your risk. Complying with HIPAA requirements is the first step, and the HIPAA Security Rule requires a risk analysis. Perform a thorough information technology risk assessment to identify where protected health information is stored and transmitted, what vulnerabilities exist, and which threats are likely. The results provide a roadmap for prioritizing security improvements.
- Stay informed and monitor. Organizations need to stay informed of current threats and attack techniques. They also need to improve the monitoring of data access and network traffic so that unusual patterns, such as one account viewing far more patient records than usual or activity at odd hours, are detected and investigated rather than discovered months later.
- Hold vendors accountable. Develop and implement a strict vendor management program. Many organizations have lengthy business associate agreements but fail to verify that vendors actually meet the security obligations in them. Outsourcing services does not mean you outsource the risk.
- Train employees. One area that has always been important, but is often not done well, is training employees on their role in network and data security. The best technology in the world is worthless if your people are not properly trained. Training should teach employees how to recognize specific risks, including phishing attacks, and how to respond if they notice anything unusual.
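The "stay informed and monitor" step above talks about watching data access for unusual usage patterns. As an illustration of what that monitoring can look like in practice, the following is an added example, not code from the original article or from Kaufman Rossin. It reads a constructed EHR audit log (the log format, user names, patient IDs, business hours and thresholds are all assumptions) and flags any user who, on a given day, touched far more distinct patient records than the typical user or who generated a run of accesses outside business hours. Real EHR audit logs differ in format, but the two rules, volume relative to a baseline and after-hours activity, are the same ones a reviewer would start with.

```python
"""Flag unusual patient-record access in an EHR audit log.

Added example for illustration only; the log format, account names,
patient IDs and thresholds below are assumptions, and the log is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed thresholds: 07:00-19:00 counts as normal hours, a user touching more
# than 3x the median number of patients (and at least 10) is unusual, and 5 or
# more accesses outside business hours in one day is worth a look.
BUSINESS_HOURS = (7, 19)
VOLUME_FACTOR = 3.0
MIN_FLAG_COUNT = 10
AFTER_HOURS_MIN = 5

# Constructed audit log lines: "<ISO timestamp> <user> <patient id> <action>".
# Three ordinary accounts plus a temporary account that exports a batch of
# records in the middle of the night.
SAMPLE_LOG_LINES = [
    "2014-06-02T09:12:41 nurse01 P1001 VIEW",
    "2014-06-02T09:15:03 nurse01 P1002 VIEW",
    "2014-06-02T10:02:17 nurse01 P1003 VIEW",
    "2014-06-02T09:30:55 drsmith P1001 VIEW",
    "2014-06-02T11:45:09 drsmith P1004 VIEW",
    "2014-06-02T13:05:22 drsmith P1005 UPDATE",
    "2014-06-02T08:55:10 clerk07 P1006 VIEW",
    "2014-06-02T09:05:10 clerk07 P1007 VIEW",
    "2014-06-02T02:14:33 temp42 P2001 VIEW",
    "2014-06-02T02:15:01 temp42 P2002 VIEW",
] + [f"2014-06-02T02:{16 + i:02d}:00 temp42 P{3000 + i} EXPORT" for i in range(20)]


def parse_line(line):
    """Split one audit line into a dict with a parsed timestamp."""
    ts, user, patient, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "patient": patient, "action": action}


def parse_log(lines):
    """Parse all non-empty lines of the log."""
    return [parse_line(line) for line in lines if line.strip()]


def find_anomalies(events):
    """Return {user: [reason, ...]} for users whose daily access looks unusual."""
    patients = defaultdict(set)     # (user, day) -> distinct patient IDs touched
    after_hours = defaultdict(int)  # (user, day) -> accesses outside business hours
    for e in events:
        key = (e["user"], e["ts"].date())
        patients[key].add(e["patient"])
        if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            after_hours[key] += 1

    # Baseline is the median distinct-patient count across all user-days, so a
    # single heavy user does not drag the threshold up with them.
    counts = [len(s) for s in patients.values()]
    baseline = median(counts) if counts else 0
    threshold = max(MIN_FLAG_COUNT, VOLUME_FACTOR * baseline)

    findings = defaultdict(list)
    for (user, day), pts in patients.items():
        if len(pts) > threshold:
            findings[user].append(
                f"{day}: {len(pts)} distinct patients (threshold {threshold:.0f})")
        if after_hours[(user, day)] >= AFTER_HOURS_MIN:
            findings[user].append(
                f"{day}: {after_hours[(user, day)]} accesses outside business hours")
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in find_anomalies(parse_log(SAMPLE_LOG_LINES)).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

On the constructed log only temp42 is flagged, once for volume (22 patients against a threshold of 10) and once for after-hours activity; the three clinical accounts, which each see a handful of patients during the day, are not. In a real deployment the baseline would be computed per role rather than across everyone, and a hit would feed an investigation, not an automatic lockout.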
Cyber threats may be scary, but you don’t have to go it alone. A qualified IT security consultant can help you monitor the latest threats and stay abreast of best practices for protecting information and preventing a healthcare data breach.
To learn more about protecting your healthcare organization from cyber attacks and other security risks, contact me or another member of Kaufman Rossin’s risk advisory services team.
Tyler Quinn, CISA, CPA, is an Assurance & Advisory Services Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.