When it comes to protecting medical records from loss or theft, healthcare providers have a lot to contend with. Whether employees are moving files to insecure or non-compliant storage sources, or clinicians are taking unencrypted laptops and USB drives to and from work, there are dozens of basic mistakes that can put patient data at risk.
However, while these accidental causes of data breaches are well-known and have been feared for years, they’re not a healthcare provider’s biggest threat – not any more.
Not long ago, the Ponemon Institute published its fifth annual Benchmark Study on Privacy & Security of Healthcare Data. The headline finding? Cyberattacks have overtaken both employee negligence and lost and stolen devices as the most common causes of data breaches in healthcare.
Today, according to the study, almost 45 percent of incidents can be attributed to hackers and malicious insiders. This represents an increase of 125 percent in the past five years since the first edition of the report was released. Moreover, 78 percent of organizations – as well as 82 percent of their third-party vendors – have experienced web-borne malware attacks.
You’d think this upward trend would galvanize the sector to improve IT security knowing that hackers are actively trying to get into their networks and seize their data. However, just 40 percent of healthcare providers say they’re actually concerned about cyberattacks.
It’s a troubling disconnect, not least because the launch of the study was roughly at the same time as the industry’s biggest-ever data breach. In February, healthcare insurer Anthem revealed that its systems had been hacked and information on almost 80 million customers and employees stolen. I suggested in a blog that this might be the start of a trend – a year in which cyber criminals learn the value of medical records, as well as the common weaknesses that make it possible to steal them.
Are you ready to defend and protect your patients’ data?
The sector hasn’t entirely failed to improve IT security over the past five years, even if fewer than half of the organizations in the Ponemon Institute study are explicitly concerned about cyber attacks. “Since first conducting this study, healthcare providers are starting to make investments to protect patient information,” said founder Larry Ponemon in a press release.
However, he added the caveat that these investments must “keep pace with the growing hacking threats.”
So, what should healthcare providers do to defend protected healthcare information (PHI) from cyber attacks? A good starting point would be to think about the following:
- Access controls: One of the modern hacker’s preferred methods is the use of stolen usernames and passwords, including both those that belong to employees and third-party vendors. As such, access to patients’ medical records and other personal information should be provisioned on a needs-only basis, and dynamic, context-aware authorization should be used to combat the risks associated with access attempts from unfamiliar locations and devices. Applications and services that are not necessary for the individual to access for their role should be made effectively “invisible,” to limit access exposure should credentials be stolen –as has been the case in so many breaches.
- Data classification and encryption: One of the most alarming facts about the Anthem breach was that it didn’t encrypt its customer data. In the US, encryption of PHI is mandated by HIPPA. Knowing where patient information exists in systems and taking steps to secure it should be a top priority if healthcare providers are to protect against cyber attacks and be in compliance with strict regulations that come with stiff penalties. Furthermore, it’s also critical to control what even authorized users can do with information – for example should unencrypted PHI be attached to an email? Putting controls in place can prevent those slip-ups that used to be top of mind and protect against insider misuse which has been well-documented in a number of breaches.
- Audit logging: Because medical records are so sensitive, anyone who accesses them should be subject to the utmost scrutiny. Having a clear and comprehensive audit trail allows you to identify when, where and by whom your patient data has been accessed, and raise the alarm if this activity is suspicious. It also ensures that you have the right documentation in the event of an HHS audit.
Protecting patients’ data is of utmost importance – not doing so will harm both the brand and your pocket. Beyond these starting points, healthcare providers should look for solutions that can secure access to the network through to the data stored within it to protect PHI from rapidly growing points of vulnerability.
Learn how Cryptzone’s data security and access control solutions can defend your organization’s information assets from cyber attacks.
The post Warning: Healthcare Providers Cyber Attacks Are Your Biggest Threat appeared first on Cryptzone Insight.
