The breach of a healthcare organization’s confidential data or the personal health information (PHI) of its clients or patients causes justifiable alarm throughout the healthcare industry. But cyberattacks are not just a problem facing this sector; all industries are targets for increasingly sophisticated hackers.
October is National Cyber Security Awareness Month (NCSAM), a campaign designed by the National Cyber Security Alliance to educate consumers, businesses and educational institutions about cybersecurity. Every October, the alliance publishes tools and resources about staying safe online and the best way to respond to a cyberattack.
As recently as last Friday, many popular websites including Twitter, Netflix and PayPal were compromised after the servers at Dyn, a major internet management firm, were hit by several cyberattacks. “It doesn’t look like a kid in a basement with a laptop,” CBS News’ homeland security correspondent Frances Townsend said of the attack. “It looks more sophisticated.”
The number of healthcare attacks over the past five years has increased by 125 percent, according to a 2016 survey from HIMSS Analytics, the research arm of the Healthcare Information and Management Systems Society, and security firm Symantec.
This year alone, 142 data breaches involving more than 500 records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), according to HIPAA Journal. While not all data breaches may have made it onto the OCR breach portal yet, current reports show how healthcare records are being exposed. Here’s the breakdown:
- 48 data breaches were reported as unauthorized access
- 43 data breaches were attributed to hacking or network server incidents
- 37 breaches were caused by the loss or theft of devices used to store ePHI or the loss/theft of physical records
- Four breaches were due to the improper disposal of records
In terms of the records that were stolen or exposed:
- 60% were due to hacking (2,703,961 records)
- 78% were due to loss/theft (1,342,125 records)
- 6% were the result of unauthorized access or disclosure (342,748 records)
- 63% were the result of improper disposal (118,594 records)
“The speed of these attacks and the volume with which they’re occurring is increasing significantly,” said James Trainor, assistant director at the FBI’s Cyber Division, in his address to HIMSS 2015 attendees. As threats to healthcare information continue to grow, organizations must improve their defenses and make it harder for hackers to succeed by following these tips, developed by HIMSS North America and the National Cyber Security Alliance.
Regularly conduct accurate and thorough risk assessments. Risk assessments should be conducted or reviewed at least once a year, if not more frequently. Understand the IT environment and identify risks through analysis. Gauge the probability and impact of risks, prioritize the risks, and address them according to priority. Consider leveraging established cybersecurity frameworks.
Be prepared for natural and manmade disasters. Ready your organization for extreme weather, ransomware and other disasters. Address these risks in your risk assessment. Consult resources such as FEMA and the National Cyber Incident Response Plan for information on how to prepare and respond.
Encrypt data at rest and in motion. Encrypt databases and other sensitive data, whether it is being stored, transmitted or received. Use an appropriate encryption algorithm and key length, and practice good key management.
Use multi-factor authentication. Combine two different factors from among something you know, something you have, and something you are. Consider privacy, usability, and security when selecting which factors to use. Safeguard your factors to make sure no unauthorized person gets access to them.
Secure all wireless communications. Connect only to authorized wireless access points that use an up-to-date authentication protocol, and avoid rogue access points. Allow only authorized users and devices on the network.
If you see something, say something. Report suspicious or unusual activity to your organization’s IT department. Ensure your organization has an incident response plan with procedures for reporting incidents to law enforcement authorities.
Educate the workforce. Educate the workforce on how to make good decisions to help improve the security posture of your organization. Train employees on good security hygiene. Explain why good security matters to the organization and how everyone can help make the organization’s data more secure.
Cultivate corporate culture to embrace cybersecurity as a business enabler for the organization. Align the cybersecurity program with the business objectives and mission of the organization and have an acceptable use policy to set expectations. Make sure that security measures do not degrade the quality and efficiency of patient care.
The challenges of data security will increase in the coming years, but by implementing stronger security practices, raising awareness and training employees, healthcare organizations can be more resistant to cyberattacks.