Healthcare Data Security: It’s Not Getting Any Easier

More than 27 million patient records were compromised in reported healthcare data breaches in 2016 – and cyber criminals are to blame for the vast majority.

Some of those incidents hit close to home. Two of the largest breaches reported in 2016 took place in Fort Myers, Florida. In one incident, 21st Century Oncology reported that an “unauthorized third party” had accessed the records of 2.2 million individuals. In the other incident, more than 480,000 records from Radiology Regional Center were compromised when they fell from the back of a waste management truck.

The largest incident reported in 2016 affected 3.7 million individuals at Banner Health in Phoenix, Arizona. Cybercriminals targeting payment card data breached computer servers at the health system, affecting patients, health plan members and food and beverage customers and providers, and showing that the threat of targeted attacks in the healthcare industry prevails.

So far, 2017 is looking like another significant year for healthcare cyber security, as large data breaches and penalties have occurred for health systems.

There were a few other notable cyber security developments in the healthcare industry last year:

  • The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced the first HIPAA enforcement action for lack of timely breach notification; Presence Health agreed to settle for $475,000
  • OCR released new guidance on HIPAA and cloud
  • OCR began Phase 2 of the HIPAA Audit Program

As cyber criminals become increasingly sophisticated in their attacks and regulators increase enforcement, healthcare organizations must become more vigilant in protecting their data. Without enterprise risk controls, the ability to identify vulnerabilities and create quality of service (QoS) thresholds may be limited.

My colleague, Jorge Rey, CISA, CISM, CGEIT, director of information security and compliance at Kaufman Rossin, says “when properly implemented, a multi-layer defense system can help to mitigate an organization’s exposure and risk of a data breach.”

Here are a few of his recommendations for building a cyber security defense system:

  • Train employees on IT security best practices and how to recognize phishing scams
  • Restrict access to sensitive data, including protected health information (PHI)
  • Implement firewall and other technical controls
  • Set up reliable backups and redundancies
  • Create an incident response plan

To learn more about protecting your healthcare organization from cyber threats, contact a firm with expertise in information security and experience serving healthcare clients.