3 Ways Healthcare Organizations Can Secure Their Protected Health Information
If healthcare providers value PHI, how can cybercriminals steal it so easily? Here, Hoala Greevy, Founder and CEO of Paubox, discusses common PHI security vulnerabilities, how legacy systems cause problems, and why meeting only the minimum HIPAA requirements affects your ability to prevent breaches and respond to them effectively.
Cybercrime has been a hot topic lately. Cybercriminals appear to steal large amounts of Personally Identifiable Information (PII) on a daily basis, such as full names, phone numbers, and addresses, and they profit from their hauls.
But there is another kind of data that is much more valuable. Protected health information (PHI) is worth 8,300 times more per record on the black market than PII. When cybercriminals obtain PHI, they can steal prescription drugs, target victims with scams that take advantage of their medical conditions or their settlements, and create bogus insurance claims.
Patients trust healthcare organizations with their private information, but twenty-four million Americans had their PHI stolen in 2020. Losing PHI isn’t like losing other personal information – patients can’t just change their prescriptions like they can change a credit card number.
With millions of dollars in profits to be made, cybercriminals have made healthcare organizations a prime target. In addition to reputational damage, the average cost of a health data breach in 2021 is $9.23 million. This estimate does not include additional Office for Civil Rights penalties for HIPAA violations. Securing PHI should be a top priority for every healthcare company.
So what are providers doing wrong? While every organization is different, there are some common themes. Sometimes PHI isn't properly secured because a business chooses to meet only the minimum HIPAA requirements instead of keeping up with ever-changing threats. Or a hospital may not discover or respond to a breach quickly enough, leaving it vulnerable to further attack. Learn more about these vulnerabilities and how covered entities can respond.
1. Organizations do not properly secure PHI
Healthcare providers are responsible for properly securing electronic PHI (ePHI), but they often rely on external vendors to manage the details of their IT systems. When new needs arise, organizations recruit more business associates to meet those specific requirements. Over time, this approach results in a patchwork of IT systems that do not adapt to new technologies at the same pace.
Long-term contracts with vendors can force healthcare companies to use outdated software that becomes increasingly difficult to patch and easier to exploit over time. For example, in the first quarter of 2021, a security hole in Microsoft Exchange servers led to a breach of the systems of more than 30,000 organizations. And more breaches are likely to occur. A recent poll found that 71% of Windows devices deployed in healthcare facilities run versions of software that Microsoft no longer supports. Without critical security updates, these devices are vulnerable to cyberattacks.
Solving this problem is not as easy as consolidating business associates. Contracts are often difficult to break. And the patchwork of vendors means that each department in the company often uses its own system, so there is no central control over how these systems interact with each other. Instead of managing a single central system, health data administrators look after systems on an individual basis, resulting in protection gaps that cybercriminals can exploit.
A centralized, cloud-based system is essential for eliminating protection gaps and ensuring the security of PHI by giving data administrators a central view of the systems within an organization. If a breach occurs, administrators can more easily see who accessed the files and contain the problem more quickly. The best systems will use the Zero Trust security model, which requires all users to be authenticated, authorized, and continuously validated before gaining or maintaining access to a network or data.
2. Providers do what is required for HIPAA compliance, and nothing more
Healthcare is a complex bureaucratic system that leaders must navigate with limited resources. This leads healthcare companies to meet only the minimum requirements of regulations such as HIPAA. But stretching security dollars means organizations end up with a less than effective security program.
The HIPAA privacy rule requires providers to put in place strict administrative, technical, and physical safeguards for PHI. HIPAA classifies its regulations as "required" or "addressable," which can be confusing. For example, HIPAA considers email encryption to be "addressable." Providers who choose not to use email encryption must document their rationale and implement an equivalent solution to protect PHI. Since there is no method of securing email data other than encryption, this is effectively a requirement.
While HIPAA doesn't officially require encryption, not using it leaves patient data at risk. For example, email data breaches are an increasingly popular cybercrime tactic: 188 email-related breaches occurred in 2020, a 17% increase over the previous year. Meeting the minimum requirements of HIPAA is no guarantee of data security.
Going beyond minimum compliance by implementing email encryption mitigates the risk of a breach. But healthcare companies also need to train their staff to recognize cybersecurity threats. Untrained employees give cybercriminals more access points to infiltrate a network and steal PHI. In fact, human error accounted for 33% of healthcare breaches last year.
3. Providers do not respond quickly to breaches
Health data administrators often look after each departmental system individually. The large number of applications used and the lack of dedicated staff means that systems can go unchecked for an extended period of time.
As a result, breaches typically go unnoticed for weeks or months: the average security breach goes undetected for 280 days. Once a breach is detected, system administrators must spend hours investigating individual applications and servers to find out how the unauthorized entry occurred, which records were compromised, and how to stop the intrusion.
Administrators also face old, non-integrated data systems that they have to update manually. These challenges mean that the breach containment process can take an organization more than 65 days to complete. Meanwhile, hackers are wreaking even more havoc.
Manually managing systems leaves room for error and increases the time it takes to recognize and stop a breach. In contrast, companies using a centralized cloud environment can automate security policies across the infrastructure. A single modification of an automation script can fix hundreds or even thousands of complex systems without downtime. Administrators can then focus on more important tasks, such as detecting potential breaches much earlier.
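The central view described above in sections 1 and 3 (seeing who accessed which files, and finding out which records were touched without combing through each departmental system by hand) is easier to picture with a small script. The following is an added example, not code from the article or from Paubox: it merges ePHI access audit lines from several departmental systems into one time-ordered stream and flags two patterns worth investigating, a user reading an unusually large number of distinct patient records in a short window, and accesses where the user's department does not match the patient's. The pipe-delimited audit format, the field names and the sample log lines are all constructed for this example; real audit exports will differ, and the thresholds are starting points to tune against an organization's own baseline.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed sample audit lines in a hypothetical pipe-delimited format:
#   timestamp|system|user|user_dept|patient_id|patient_dept|action
# Three departmental systems feed the same stream. Not real data.
SAMPLE_LOG = """\
# constructed sample audit lines
2021-06-01T09:00:00|ehr-cardiology|nurse.kai|cardiology|P-1001|cardiology|view
2021-06-01T09:03:00|ehr-cardiology|nurse.kai|cardiology|P-1002|cardiology|view
2021-06-01T09:40:00|ehr-cardiology|nurse.kai|cardiology|P-1003|cardiology|update
2021-06-01T10:15:00|billing-portal|svc-backup|it|P-2001|oncology|export
2021-06-01T10:15:20|billing-portal|svc-backup|it|P-2002|oncology|export
2021-06-01T10:15:40|ehr-oncology|svc-backup|it|P-2003|oncology|export
2021-06-01T10:16:00|ehr-oncology|svc-backup|it|P-2004|oncology|export
2021-06-01T10:16:20|lab-results|svc-backup|it|P-2005|oncology|export
2021-06-01T10:16:40|lab-results|svc-backup|it|P-2006|oncology|export
2021-06-01T11:00:00|ehr-cardiology|dr.lee|cardiology|P-1001|cardiology|view
2021-06-01T23:30:00|ehr-oncology|clerk.ann|billing|P-2001|oncology|view
"""


@dataclass
class AccessEvent:
    ts: datetime
    system: str
    user: str
    user_dept: str
    patient_id: str
    patient_dept: str
    action: str


def parse_line(line: str) -> AccessEvent:
    """Parse one audit line; a malformed line raises rather than being silently dropped."""
    fields = line.strip().split("|")
    if len(fields) != 7:
        raise ValueError(f"malformed audit line: {line!r}")
    ts, system, user, user_dept, patient_id, patient_dept, action = fields
    return AccessEvent(datetime.fromisoformat(ts), system, user, user_dept,
                       patient_id, patient_dept, action)


def load_events(lines: Iterable[str]) -> List[AccessEvent]:
    """Merge lines from any number of departmental systems into one time-ordered stream."""
    events = [parse_line(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]
    return sorted(events, key=lambda e: e.ts)


def flag_bulk_access(events: List[AccessEvent],
                     window: timedelta = timedelta(minutes=10),
                     max_patients: int = 5) -> List[Tuple[str, datetime, datetime, int, int]]:
    """Return (user, first_ts, last_ts, distinct_patients, distinct_systems) for each user
    who touched more than max_patients distinct patient records inside any `window`.
    Because the stream is centralized, a bulk read spread across several systems is
    still visible as one pattern."""
    by_user: Dict[str, List[AccessEvent]] = defaultdict(list)
    for e in events:  # events are already time-ordered, so each per-user list is too
        by_user[e.user].append(e)
    findings = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits inside `window`
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            patients = {e.patient_id for e in span}
            if len(patients) > max_patients:
                systems = {e.system for e in span}
                findings.append((user, span[0].ts, span[-1].ts, len(patients), len(systems)))
                break  # one finding per user is enough to open an investigation
    return findings


def flag_cross_department(events: List[AccessEvent]) -> List[Tuple[str, str, str, str, str]]:
    """Return accesses where the user's department differs from the patient's.
    This is a triage signal, not a verdict: on-call or emergency staff legitimately
    cross departments, so findings need review against the organization's baseline."""
    return [(e.user, e.patient_id, e.user_dept, e.patient_dept, e.system)
            for e in events if e.user_dept != e.patient_dept]


def triage(lines: Iterable[str]) -> dict:
    """Run both checks over a merged audit stream and return a summary for review."""
    events = load_events(lines)
    return {
        "events": len(events),
        "bulk_access": flag_bulk_access(events),
        "cross_department": flag_cross_department(events),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    print(f"{report['events']} events merged from all systems")
    for user, first, last, n_pat, n_sys in report["bulk_access"]:
        print(f"BULK ACCESS: {user} read {n_pat} patients across {n_sys} systems "
              f"between {first:%H:%M:%S} and {last:%H:%M:%S}")
    for user, patient, udept, pdept, system in report["cross_department"]:
        print(f"CROSS-DEPT: {user} ({udept}) accessed {patient} ({pdept}) on {system}")
```

In the constructed sample the service account svc-backup exports six patient records in under two minutes across three different systems; looked at per system, each would show only two reads, which is why the per-department view the article describes lets such activity run for months. The cross-department check also lists those six exports plus a late-night billing-clerk read of an oncology record, which is the kind of item an administrator would review rather than act on automatically.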
How to stop hackers in their tracks
Data breaches decreased in the first six months of 2021. However, the healthcare sector still reports the highest number of breaches of any sector year over year. Simply put, meeting minimum HIPAA requirements isn't enough to keep a healthcare business secure. Cybercriminals keep abreast of trends and known security holes to target their next victim, even as the industry tries to transform and adapt.
Covered entities are solely responsible for protecting their patients' PHI. They must take action to deter criminals. Migrating existing IT systems to the cloud, implementing system automation, and properly training staff help organizations secure valuable data, maintain email security, and respond more efficiently to threats.