Cyber crime is becoming a very real threat for organizations across the world.
One industry becoming a cyber criminal’s prime target is the healthcare industry. In 2015, an incredible 100 million patient records were globally breached.
So, it is now more important than ever for organizations to follow the HIPAA security rule.
For this reason, we have chosen to look at how cyber threats impact healthcare providers and what you can do.
The Risk of New Technologies
Many healthcare organizations are experiencing digital transformation.
The integration of new technologies could, unfortunately, result in potential HIPAA data breaches.
Many organizations are adopting electronic health record (EHR) systems. As a result, protected health information (PHI) is more accessible to providers.
The same network-connected systems are also reachable by attackers and by third parties who were never meant to see the data.
An attacker who gains a foothold on those systems can not only read or copy PHI but also encrypt it and demand a ransom.
Either way, a healthcare organization can face considerable financial consequences.
The HIPAA Security Rule
The HIPAA Security Rule sets the administrative, physical and technical safeguards that covered entities and their business associates must apply to electronic protected health information (ePHI).
HIPAA itself was enacted in 1996; the Security Rule was published in 2003 and compliance has been required since 2005.
Every covered entity and business associate must meet its requirements.
The HHS Office for Civil Rights (OCR) enforces the rule. It publishes breaches affecting 500 or more individuals and announces the settlements and civil money penalties it imposes on entities that fail to protect PHI.
Social Security Numbers
The data at risk is not only health information. Patient records also carry Social Security numbers.
A Social Security number never changes, which makes it more valuable to a criminal than a payment card.
Stolen credit cards give quick access to a person's finances, but the card expires or the cardholder cancels it.
A stolen Social Security number can be reused whenever the criminal wants, as often as they want.
With the Social Security number, they can:
- Receive medical care
- Order prescription drugs
- Falsify insurance claims
- Open credit accounts
- File fraudulent tax returns
- Gain access to official documents (Passports/driver’s licenses)
A stolen Social Security number can therefore anchor long-running identity theft, and this kind of fraud shows no sign of slowing down.
In 2016, cyber attackers were responsible for 31% of all major HIPAA data breaches.
This is an increase of approximately 300% over a three year period.
Every healthcare entity therefore has a legal and moral obligation to comply with the HIPAA Security Rule.
Ransomware is a growing problem for hospitals.
It is also one of the hardest forms of malware for healthcare IT staff to manage.
A single malicious document can take down not just one computer but the systems that cancer treatment equipment depends on.
Once an attacker has a foothold in the IT infrastructure, they can encrypt the data and hold it to ransom.
Without tested backups kept offline, a hospital may feel it has no choice but to pay a considerable ransom, and even paying does not guarantee the data comes back.
It may take only one employee opening a downloaded document to open the door to an attacker.
So it is vital to give all employees HIPAA training that covers the safeguards the Security Rule requires of them.
Do Ransomware Attacks Count as a Data Breach?
Ransomware is often assumed to be a grey area under HIPAA, but OCR has taken a clear position.
The intuition is that the attacker may not have read the PHI, only encrypted it: the files were unavailable to the entity, but nothing was done with their contents.
OCR's 2016 ransomware guidance rejects that reading. When ePHI is encrypted by ransomware, unauthorized individuals have taken possession or control of it, so a breach is presumed to have occurred.
The organization must then work through the four-factor risk assessment of the Breach Notification Rule, and it can avoid notification only if it can demonstrate a "low probability that the PHI has been compromised". Otherwise it must notify the affected individuals and HHS.
How to Prevent a PHI Breach
There are many ways you can prevent a PHI breach – and we are going to show you how.
A Risk Assessment
The Security Rule requires a periodic risk analysis of the threats to ePHI. Separately, after any impermissible use or disclosure of PHI, the Breach Notification Rule requires the entity to assess the incident against four factors to decide whether it is a reportable breach:
1: The nature and extent of the PHI involved, including the types of identifiers present and the likelihood that the data could be re-identified.
2: The unauthorized person who used the PHI or to whom it was disclosed.
3: Whether the PHI was actually acquired or viewed, as opposed to merely exposed.
4: The extent to which the risk to the PHI has been mitigated.
Unless that assessment shows a low probability that the PHI has been compromised, the incident is a breach and notification is required.
Data security should be a big concern for healthcare organizations large and small.
One of the best ways to keep PHI out of the wrong hands is encryption of data at rest and in transit.
It has become one of the most widely adopted controls in healthcare, and for good reason.
Encrypted files can be read only by someone holding the decryption key, so an attacker who copies a database or walks off with a laptop gets ciphertext they cannot use.
The protection is only as strong as the key management: if the keys are stored beside the data, or an authorized user's account is compromised, encryption does not help.
Unfortunately, many entities do not invest in encryption because of a small budget.
A failure to invest in encryption can cost an organization far more in the long term.
Under the Breach Notification Rule, PHI encrypted in line with HHS guidance is not "unsecured PHI", so the loss of an encrypted device or file whose key was not also compromised does not trigger notification. Encryption therefore narrows what auditors and breach investigations need to examine and spares the organization a public disclosure after such an incident.
It also takes pressure off the IT department, because access to the files is governed by who holds the key.
That means both patient information and the organization's own data stay protected.
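The points above about keys being held apart from the data, and any tampering with an encrypted record being detectable, are easier to see in code. The following is an added example, not code from the original article or from any HIPAA guidance: it encrypts a constructed PHI record with AES-256-GCM, keeps the key in a hypothetical key store that stands in for a KMS or HSM, and shows that a copied envelope is useless without that store and that a modified ciphertext fails to decrypt. The type and function names, the key ID and the record ID scheme are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets written to the database or file share: the encrypted
// record plus the metadata needed to decrypt it later. The key itself is
// deliberately absent, so a stolen copy of the database alone is useless.
type Envelope struct {
	KeyID      string // name of the key in the key store (hypothetical naming scheme)
	Nonce      []byte // 12-byte GCM nonce, unique for every encryption under a key
	Ciphertext []byte // AES-GCM output: encrypted bytes followed by a 16-byte auth tag
}

// KeyStore stands in for a separate key-management service (cloud KMS, HSM).
// It is an assumption of this example, not a HIPAA requirement or a real product.
type KeyStore map[string][]byte

// NewKey generates a random 256-bit AES key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// gcmFor looks the key up in the store and builds an AES-GCM cipher for it.
func gcmFor(ks KeyStore, keyID string) (cipher.AEAD, error) {
	key, ok := ks[keyID]
	if !ok {
		return nil, errors.New("key " + keyID + " not available in key store")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord encrypts one PHI record. recordID is passed as additional
// authenticated data: it is not encrypted, but a ciphertext moved to a
// different patient's row will fail to decrypt.
func EncryptRecord(ks KeyStore, keyID, recordID string, plaintext []byte) (*Envelope, error) {
	aead, err := gcmFor(ks, keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return &Envelope{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptRecord returns the plaintext, or an error if the key is missing or
// the ciphertext, nonce or record ID has been altered.
func DecryptRecord(ks KeyStore, recordID string, env *Envelope) ([]byte, error) {
	aead, err := gcmFor(ks, env.KeyID)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(recordID))
}

func main() {
	// Constructed sample record for the example; not real patient data.
	record := []byte(`{"patient":"Jane Doe","ssn":"000-00-0000","dx":"E11.9"}`)

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	kms := KeyStore{"phi-key-2024-01": key} // the key lives only here

	env, err := EncryptRecord(kms, "phi-key-2024-01", "patient/12345", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored ciphertext: %d bytes under key %s\n", len(env.Ciphertext), env.KeyID)

	// An attacker who copies the database gets the envelope but not the key store.
	_, err = DecryptRecord(KeyStore{}, "patient/12345", env)
	fmt.Println("decrypt without key:", err)

	// Authorized access through the key store succeeds.
	pt, err := DecryptRecord(kms, "patient/12345", env)
	fmt.Println("decrypt with key:", string(pt), err)

	// Any modification of the stored ciphertext is detected by the GCM tag.
	env.Ciphertext[0] ^= 0x01
	_, err = DecryptRecord(kms, "patient/12345", env)
	fmt.Println("decrypt after tampering:", err)
}
```

The design choice worth noting is the separation: the envelope can sit in an ordinary database backup, while the key store is the thing that must be access-controlled and audited. Rotating keys means adding a new key ID to the store and re-encrypting records over time; the KeyID field on each envelope tells you which key to use.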
Human error can open the door to an attack.
Once an attacker is inside the infrastructure, you may have next to no time to stop it.
It is essential to give your staff appropriate training.
Training makes them aware of the mistakes they could make and of the consequences of those mistakes.
Employees who have been trained are more careful about how they access and handle PHI.
It is one of the best ways to prevent an on-site data breach.
The Exceptions to a HIPAA Breach
There are three exceptions to the definition of a breach under the HIPAA Breach Notification Rule.
The First Exception:
Unintentional acquisition, access or use of PHI by a workforce member or a person acting under the authority of a covered entity or business associate.
It must have been made "in good faith and within the scope of authority", and the PHI must not have been further used or disclosed impermissibly.
The Second Exception:
An inadvertent disclosure by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same entity or organized health care arrangement.
This is not a breach provided the information is not further used or disclosed in a way the Privacy Rule does not permit.
The Third Exception:
A disclosure where the covered entity or business associate has a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information.
Want to protect your healthcare organization from breaching the HIPAA security rule? Contact us today for more information or to discuss your requirements.