Healthcare is a popular target for cybercrime. As the trade publication Fierce Healthcare reported, more than 32 million patient records were breached in the first half of 2019 alone, more than double the total for all of 2018. This should come as no surprise to anyone who has been paying attention.
The problem is that many healthcare providers and covered entities apparently aren't. There are still far too many organizations that take a lax approach to cybersecurity, and it is the patients who end up paying for it. That there have been so many healthcare breaches in just the past several years is unacceptable, never mind the fact that, in many cases, these breaches were the result of basic security controls that were missing or misconfigured.
It’s time healthcare organizations started paying attention – here are a few lessons they need to learn immediately.
You Are A Target – Even if you Think You Aren’t
Health data is extremely valuable to criminals. As the security firm Trustwave has estimated, a single health record may fetch up to $250 on the black market. The next-most-valuable asset, a payment card, averages about five dollars. The gap exists because a health record is a complete identity package: it cannot be cancelled and reissued the way a card can.
There are many ways for criminals to monetize health data, from identity theft to medical and insurance fraud to extortion of patients and providers.
Your organization needs to educate staff about basic security hygiene and about the risks that most often lead to a breach, chiefly phishing and ransomware. You need to ensure your IT department has the budget to keep digital assets safe. And perhaps most importantly, you need to implement controls such as multifactor authentication and enforceable acceptable use policies.
Audit, Store, and Secure Your Systems
The financial industry, which is also targeted with considerable frequency, provides an excellent example for healthcare providers to follow. Start with a security housekeeping audit and risk assessment. Work out where your sensitive data resides, who and what can access it, and what threats exist around it.
Bring in a third-party assessor to do this if you lack the in-house expertise.
From there, it is time to start locking things down. All patient data should be encrypted at rest and in transit, with access limited to the minimum each role needs to do its job and every access recorded. The same applies to financial records and employment data.
Everything from record edits to file transfers to access requests should be logged, and the logs should be centralized, protected from tampering, and easy to search and audit. It is also worth investing in both a traditional antivirus solution and an endpoint detection platform that looks for suspicious behavior rather than known signatures alone. The sooner you can detect a threat to patient data, the less of it is lost.
On the other side of the coin, you need to evaluate your security policies and processes. Require regular security training for all personnel, set limits on personal devices in the workplace, and put device management in place so that work devices can be inventoried, monitored, and wiped. You should also consider device-based or biometric authentication as a second factor or as a replacement for passwords: a password on its own is a weak factor, since it can be phished, reused, or guessed no matter how strict the complexity policy is.
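The two controls just described, least-privilege access to patient records and a searchable, tamper-evident audit trail of every access, fit together naturally. The following is an added example, not code from the original article or from any product it mentions: every request for a record is checked against a constructed assignment table, every request (allowed or denied) is appended to a hash-chained log, and an auditor can search the log and verify it has not been edited. The user names, patient identifiers, and record contents are constructed sample data.

```python
"""Added example: least-privilege record access with a tamper-evident audit log.
Names, patient IDs, and records below are constructed for illustration only."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample data: which clinician is assigned to which patients
# (the "minimum necessary" set each user may read), and the records themselves.
ASSIGNMENTS = {
    "dr_alice": {"P-1001", "P-1002"},
    "nurse_bob": {"P-1002"},
}
RECORDS = {
    "P-1001": {"name": "Patient One", "dx": "sample diagnosis"},
    "P-1002": {"name": "Patient Two", "dx": "sample diagnosis"},
    "P-1003": {"name": "Patient Three", "dx": "sample diagnosis"},
}

GENESIS = "0" * 64


def _digest(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding of an entry (without its own hash)."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log. Each entry carries the hash of the previous entry, so
    an edit to, or deletion of, any earlier entry breaks the chain and is detected
    by verify(). In production the chain head would be anchored off-host."""

    def __init__(self):
        self.entries = []
        self._prev_hash = GENESIS

    def append(self, **fields) -> dict:
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            **fields,
            "prev": self._prev_hash,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        self._prev_hash = entry["hash"]
        return entry

    def verify(self) -> bool:
        """Recompute every hash and check each entry links to its predecessor."""
        prev = GENESIS
        for entry in self.entries:
            if entry.get("prev") != prev or _digest(entry) != entry.get("hash"):
                return False
            prev = entry["hash"]
        return True

    def search(self, **criteria) -> list:
        """Return entries whose fields equal all given criteria, e.g. search(patient="P-1001")."""
        return [e for e in self.entries
                if all(e.get(k) == v for k, v in criteria.items())]

    def denied_by_user(self) -> dict:
        """Count denied attempts per user; repeated denials are a cheap audit signal."""
        counts = {}
        for e in self.search(outcome="denied"):
            counts[e["user"]] = counts.get(e["user"], 0) + 1
        return counts


def read_record(log: AuditLog, user: str, patient_id: str, purpose: str) -> dict:
    """Return a patient record only if the user is assigned to that patient.
    Every attempt is logged before the decision is enforced, so denials are visible."""
    allowed = patient_id in RECORDS and patient_id in ASSIGNMENTS.get(user, set())
    log.append(action="read", user=user, patient=patient_id, purpose=purpose,
               outcome="allowed" if allowed else "denied")
    if not allowed:
        raise PermissionError(f"{user} is not permitted to read {patient_id}")
    return RECORDS[patient_id]


if __name__ == "__main__":
    log = AuditLog()
    read_record(log, "dr_alice", "P-1001", "treatment")
    try:
        read_record(log, "nurse_bob", "P-1001", "treatment")
    except PermissionError as exc:
        print("denied:", exc)
    print("accesses to P-1001:", len(log.search(patient="P-1001")))
    print("chain intact:", log.verify())
```

The chain only proves that the log has not been altered since it was written; it does not stop an attacker with write access from appending false entries, which is why production audit logs should be shipped to a separate, write-once store that application accounts cannot modify.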
Invest in Cyber Insurance
Cyber insurance is already widespread in both the finance and technology fields. Healthcare needs to get on board. Hospital directors and other leaders who make budgetary decisions may not be aware that cyber insurance exists, as it remains a relatively niche product, but they need to be.
Use your security audit and risk assessment to determine what the policy should cover, who is responsible for the premiums, and what level of coverage your institution requires. Many insurers now write policies for HIPAA-covered entities that address breach notification, forensic investigation, and regulatory response costs. Shop around and find one that fits your risk profile, and keep in mind that insurers increasingly require evidence of basic controls, such as multifactor authentication and tested backups, before they will write a policy at all.
A Changing Landscape
Care providers must understand that they can no longer afford to be lax about cybersecurity. The game has changed, and every organization in the industry, from the smallest clinic to the largest hospital, is now a target. Failure to acknowledge this is more than a technological failing; it is an indication that you do not take the privacy and well-being of your patients seriously.