An Alert to the Healthcare Providers: Cyber Attacks Are Closer Than You Think

There have been several healthcare data breaches that have made the mainstream news: in February 2016, Hollywood Presbyterian Medical Center paid $17,000 in ransom to hackers who infiltrated and disabled its computer network; in February 2015, Anthem Inc., the second-largest U.S. health insurer, was hacked, causing the breach of 10.4 million records; and in July 2015, UCLA Health reported an attack resulting in a data breach that affected 4.5 million people. These staggering numbers have sounded a major alarm on the cybersecurity issues in the healthcare industry.

Patients, insurers, and employees are most impacted by these breaches. In the cases mentioned above, hackers have stolen a significant amount of important HIPAA-related information like names, addresses, Social Security numbers, medical information, and health insurance information, which can be used for illegal and criminal purposes in the victim’s name. As data keepers, hospitals and healthcare providers need to take action in order to prevent security breaches.

Here are some methods that can lower the risk of data breaches at your healthcare facility:

Take a Cyber Risk Assessment

In a recent interview with Databreachtoday.com, Tom Andre, Vice President of Information Services at the Cooperative of American Physicians, suggests: “Conduct a cyber risk assessment. Take a look and get an idea of the type of attacks likely to happen to your organization, what it would cost you if you were breached and protected health information was compromised... and your facility had to shut down for a couple days?”

The types of data attacks vary and depend on several factors: the scale of your business, the security system you have, and the scope of your database. Whereas hospitals usually have a designated IT staff, healthcare organizations, especially small ones, may not have certain systems in place. Therefore, taking a cyber risk assessment can help you understand what could possibly happen, and in turn, how you can protect yourself.

Encrypt the Data

Encrypting important data can protect the information: even if hackers manage to breach the hospital’s or physician practice’s system, they won’t be able to read or use encrypted data. In fact, in the Anthem breach, only unencrypted data was stolen.

Moreover, according to a breach report by California Attorney General Kamala Harris, organizations should consistently use strong encryption to protect personal information on laptops and other portable devices, and should consider it for desktop computers as well. This is a particular imperative for healthcare, which appears to be lagging behind other sectors in this regard. In the report, Ms. Harris also mentioned that healthcare was experiencing a much higher rate of breaches involving stolen equipment containing unencrypted data than other sectors. In 2012, 68 percent of healthcare breaches were the result of stolen or lost equipment, compared to 21 percent of breaches in all other sectors. In 2015, 39 percent of healthcare breaches were of this type, while in other sectors it accounted for just 13 percent. Encryption can be a final safeguard.

Multi-Factor Authentication Can Help

The breach report also recommends making multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information. Usernames and passwords are not as secure as most of us think they are, as this information is very easy to obtain. Adding various types of authentication requirements can greatly increase the difficulty of stealing online accounts from the hospital’s or practice’s website, patient portals, and web-based email accounts.

As Tom Andre emphasizes in his recent interview, only taking one or two precautions is not enough. Successfully combating data breaches is an extensive process, which calls for the attention of everyone from management to the technical department, employees and even patients. With the entire team joining forces, healthcare organizations will eventually be able to build a stronger information safety environment.

Author Ann Whitehead, RN, JD, is Vice President of Risk Management & Patient Safety at the Cooperative of American Physicians, Inc. (CAP) in its CAPAssurance, A Risk Purchasing Group, program that offers hospitals, large medical groups, and other healthcare facilities access to top-rated liability protection and risk management services.