Cybercrime: A Costly Attack on the Healthcare Industry
Cybercrime doesn’t take a break. During the peak of the COVID-19 pandemic in 2020, cybercrime complaints rocketed from 1,000 to 3,000 to 4,000 daily, and one report found a 580 percent surge in ransomware attacks on the global healthcare sector.
This isn’t an issue that’s improving for the healthcare industry. In August of this year, there were 38 healthcare data breaches of 500 or more records reported by providers, resulting in a total of 5,120,289 records breached.
Cyberattacks are the fastest growing crime in the United States, and healthcare is the second-most cyberattacked industry. One-third of all data breaches in the U.S. occur in hospitals, a problem that can result in costly downtime, a damaged reputation and assorted fines. The diminished provider reputation might not sound too consequential, but patients who trust their health systems to protect their data likely receive better outcomes.
Breaches occur through a variety of incidents, including stolen devices, hacking, human error and negligence and cyberattacks. Only about half of data breaches are the result of criminal or malicious intent. In the healthcare industry specifically, much of cybercrime is attributable to outdated IT systems, fewer cybersecurity protocols and reduced IT staff.
Why is the healthcare industry so susceptible to cybercrime? A big reason is the multiple standards and regulations with which providers and other healthcare entities must comply. This includes the Health Insurance Portability and Accountability (HIPAA) Act, Health Information Trust Alliance (HITRUST) Service Organization Control (SOC), the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Payment Card Industry Data Security Standard (PCI-DSS).
Criminal HIPAA violation penalties range from a fine of $50,000 and up to a year in prison to $250,000 and up to ten years of jail time. Civil penalties vary from $100 – $50,000 per violation, with an annual maximum of $25,000 for repeat violations, to $50,000 per violation, with an annual maximum of $1.5 million.
Another potential security hurdle for healthcare providers is the use of protected (or personal) health information (PHI). PHI that is stolen can be a dozen times more valuable on the black market than credit card information.
The Use of Cloud Computing for Improved Compliance
Some healthcare entities utilize cloud computing to achieve increased security, improved agility, scalability and reliability, enhanced disaster recovery capabilities and less risk of costly downtime. By employing the technology for electronic medical records (EMRs), mobile health (mHealth), patient portals, data storage and more, they have on-demand access to IT services and infrastructure, access to data from anywhere and the ability to more easily share with patients important information on preventative care, medication adherence and post-hospitalization care plans.
Cloud technology isn’t a panacea for healthcare providers attempting to prevent cyberattacks, though. Failure to meet cloud compliance standards can result in regulatory fines and even lawsuits. Plus, providers are responsible for ensuring compliance for their own data, even if they employ the services of a cloud provider with qualifications to do so.
Cybersecurity Best Practices for Healthcare Providers
Developing and implementing strategies to mitigate cybercrime is essential – and attainable – for healthcare providers, from solo physician practices to medical groups, large health systems and federally qualified health centers (FQHCs). The first component is creating and documenting detailed policies and procedures for achieving compliance, regularly checking that they’re up-to-date and routinely testing them.
Another crucial part of a sound cybersecurity strategy is conducting a comprehensive risk assessment. According to the National Institute of Standards and Technology (NIST), the steps for a healthcare risk assessment management should include:
- Categorizing information systems
- Identifying and implementing security controls
- Accessing, monitoring and adjusting security controls
- Authorizing information systems
- Monitoring and adjusting security controls
As noted by NIST, monitoring security controls are an important component of the risk assessment process. This includes controlling and regularly reviewing access to PHI. Access to PHI within a healthcare provider team should only be given to employees when it’s necessary for them to perform their job.
Healthcare providers should continually educate and train their staff on cybersecurity, especially when a new employee joins the team. This training should cover the risks of using a USB drive from an unreliable source, password practices and ways to identify emails with infected links or attachments that might contain ransomware.
Perhaps the most complex part of implementing a strategy to prevent cybercrime is ensuring that the technology used by the provider and staff is adequately protected from hacking, ransomware and other types of cyberattacks. We recommend some or all of the following actions:
- Verify that PHI and other data is encrypted properly; HIPAA requires data stored on a hard drive to be encrypted and accounted for 24/7.
- Implement and manage proper endpoint security, making sure software is up-to-date and operating systems aren’t left unpatched.
- Ensure all smart medical devices are monitored and contain firewalls and anti-virus protections.
- Require vendors with whom you partner to verify the risk assessment and management policies and procedures they use.
- Back up data routinely.
- Consider using two-factor authentication and single sign-on (SSO).
- Require employees working remotely to connect to your network through a virtual private network (VPN) to ensure their internet traffic is encrypted.
- Ensure remediation plans are implemented for user authentication deficiencies and prohibit employees from connecting to public Wi-Fi networks using a device with access to PHI.
- Verify that the service level agreement (SLA) you have with your cloud service provider includes specific information on how that entity proactively meets requirements for cloud compliance.
At Epion Health, we are committed to data security and privacy. Our powerful platform helps healthcare providers deliver care that’s secure and reliable and makes it easy to connect securely with patients any time, from anywhere, at all points along the care journey. Schedule a meeting with us to learn more!