It comes as no surprise that cyber intrusions and data breaches are increasing in the industry today given the sophistication in the threat landscape. We have seen catastrophic breaches in the recent times with the likes of Target, Neiman Marcus, Michaels, and many more. While cybersecurity protection looks vulnerable for all sectors – be it retail, financial, manufacturing, or even the public sector – there is more concern for healthcare IT security and data protection. The number of security incidents are on the upsurge for healthcare IT, and according to the breach report by healthcare IT security firm Redspin, HIPAA data breaches have risen by 138% in 2013 over 2012.
FBI ISSUES SECURITY WARNING
In a private notice to healthcare providers, the FBI has issued a warning that the healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.
While it’s a good thing that the FBI is focusing efforts to alert healthcare companies on their security policies, it’s also a worrying fact that the state of healthcare information security is in shambles. The recent Verizon DBIR 2014 considers data theft and data loss to be the most popular method of compromising cybersecurity in the healthcare industry in 2013.
PATIENT HEALTHCARE INFORMATION – HIGH ON DEMAND
Experts say that medical information is becoming more sought to hack these days given the different things a hacker could do with this data.
- It’s more difficult to find out that stolen healthcare information has been used when compared to financial records which the hackers use immediately to purloin money
- Criminals also use medical records to impersonate patients with diseases so they can obtain prescriptions for prescription-only medication and drugs
- Stolen healthcare patient data is supposedly costlier in the underground crime market in comparison with credit card records
Take a look at this lit from hhs.gov on all recorded healthcare breaches in the US: https://ocrnotifications.hhs.gov/iframe?dir=desc&sort=affected_count
The recent St. Joseph Health System breach revealed that the Texas hospital exposed up to 405,000 past and current patient records which also included employee and employee beneficiary information. Healthcare IT just keeps getting assailed by cyber criminals, and they are just not able to set up the right security defense for information security. Breaches don’t only impact the healthcare institution with the stolen records. There are other implications including compliance violation and penalties, reputational loss, and lawsuits which can take a bigger financial toll.
FINES FLYING HIGH
The New York-Presbyterian Hospital and the Columbia University Medical Center have agreed to pay the largest-ever HIPAA violation settlement, totaling $4.8 million, in response to a joint data breach report submitted by the affiliated healthcare institutions in 2010 that reportedly exposed the electronic protected health information (ePHI) of 6,800 patients. Earlier in 2011, Mayland-based healthcare-provider Cignet Health faced a massive $4.3 million fine HIPAA violation.
WHAT CAN HEALTHCARE IT DO TO IMPROVE CYBER DEFENSE?
Well, healthcare IT teams can start with risk assessment. If you are responsible for IT security in a healthcare organization, answer the following questions first:
- What data do I store in my systems?
- Do I know the existing vulnerabilities in my system?
- What protection mechanism is in place?
- Do I have governing policies to secure IT assets?
In case of a breach,
- Do I have a threat/breach detection system?
- Do I have a breach containment mechanism?
- Do I have a response plan and automated remediation in place during a data breach?
If you are complying with regulatory requirements such as HIPAA and HITECH,
- Have I reviewed HIPAA and HITECH guidelines and requirements?
- Have I the right measures and policies in place in conformance with compliance norms?
Once you have understood the state of risk to IT infrastructure, find out cost-effective options to enhance cybersecurity and network defense. Read this free white paper to understand more about healthcare IT security and risk management.