By Andrew Mikhailov, CTO at Zfort Group
Businesses face the risk of severe cyber-attacks – the present-day cyberspace criminals are well-organized, thoughtful, and marketable. And one of the most sensitive sectors exposed to privacy risk is the healthcare system. If hackers manage to get in, they would have access to patient health data, which they could sell to global entities with evil intentions.
About 15% of all data breaches in 2019 involved the healthcare system. As a result, the estimated losses for this industry in 2019 reached $25 billion. “Over the last three years, the number of breaches lost medical records, and settlements of fines is staggering. During this span, nearly 140 million medical records were involved in a privacy breach“, – writes Eric Thompson, a cybersecurity leader in his book.
In 2019, an Israeli cybersecurity center found a computer virus that added tumors into MRI and CT scans. This malware could also remove actual malignant growths from image files to prevent patients from getting the care they need. The researchers showed the safety holes to sow doubt about the health of government figures, commit insurance fraud, or be part of a terrorist attack.
In this situation, basic security tools such as antivirus or firewalls are no longer making the cut. Healthcare information security obeys data protection laws, particularly the Health Insurance Portability and Accountability Act (HIPAA) applies in the US.
If a data breach occurs, HIPAA regulation presupposes financial and criminal penalties. HIPAA outlines requirements to keep the personal health information of clients and patients safe.
What Does HIPAA Protect?
An average incident costs a company about $6.45 million. Thus, organizations should consider both whether they are compliant and whether all the risks are considered. Generally speaking, HIPAA restricts uses and disclosures to healthcare operations, the provision of treatment, or payment for healthcare unless the patient agreed to provide information to a third party, and HIPAA gave authorization.
HIPAA Security Rule ensures the confidentiality, integrity, and availability of health information. Its Privacy Rule directs the uses and disclosures of health information (the HIPAA Privacy Rule). Thus, these elements help Covered Entities and their Business Associates to protect Electronic Protected Health Information (ePHI). The US Department of Health and Human Services (HHS) outlines who HIPAA refers to in its definition of a Covered Entity.
The HHS Office For Civil Rights (OCR) manages HIPAA. They conduct audits to ensure compliance with the Covered Entities and businesses that control medical data. HIPAA audits are conducted to track progress on compliance and to identify areas to improve.
These protected records include diagnoses, treatment information, test results, medications, health insurance ID numbers, and other identifiers. HIPAA also covers contact information, including phone numbers, addresses, email addresses, birthdates, and demographic information. So, while the OCR prepares for the next HIPAA audits, businesses ought to make sure they are ready.
Why HIPAA Needs Cyber Security?
HIPAA Security Rule specifies that Covered Entities need to establish and maintain protections for ePHI. Moreover, protection must defend the organization against breach through any physical, administrative, and technical means. The rule mandates that HIPAA-compliant organizations:
- All the health data sent, stores, received, or produced has strong confidentiality. It means that it can be available only to authorized people to access, change, or remove it. The data should also be always available for authorized individuals.
- Threats to data integrity or security should be predicted whenever possible. Organizations should defend against any information disclosure or use not allowed by HIPAA.
- Verifying that the workforce complies with this law is also a business’s responsibility.
Under this regulation, companies will need to implement technical and procedural checks to protect this information and perform risk analysis on risk and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Technical controls include such things as encryption, authentication, password complexity, access auditing, and segmentation. Procedural controls normally include password policies, incident response plans, contingency plans, and audit procedures.
Nowadays, healthcare information is part of the Big Data revolution and exists in a range of different digital ecosystems. In the healthcare industry, patients use wearables and implantable IoT medical devices such as heart monitors and pacemakers. With all these items now connected to the Internet, the data gets exposed to cyberattacks.
With the number of IoT devices increasing every year, most of them do not have endpoint security. That being said, it is vital to have a plan to protect your company’s HIPAA data. One of the major security issues is how the device collects the information and then transmits it to the hospital. From an ePHI and HIPAA compliance viewpoint, this is a risk your business must understand and develop a protection strategy.
As we can see, cyber security and HIPAA compliance are strongly connected. Unfortunately, being HIPAA compliant does not make your organization safe from cybercriminals. At the same time, having a robust cyber security program does not make you HIPAA compliant as well. Your business needs a comprehensive HIPAA compliance and security provider to guarantee your patients’ data’s genuine security.
The industry should develop a holistic strategy for healthcare security, including administrative, physical, and technical safeguards.
Strategies for Improving Cyber Security
HIPAA rules are not enough to resist cybercrime. Looking at precisely what this law requires, it doesn’t necessarily align with cybersecurity best practices. Besides, healthcare organizations shouldn’t see cybersecurity and HIPAA compliance as separate components, but rather as two concepts working parallel to one another. In fact, a robust cybersecurity program supports compliance.
To ensure cybersecurity in healthcare and prevent sophisticated attacks, healthcare organizations can implement the following practices:
- Review your current security risk analyses and identify gaps and areas for improvement. Check that risk analysis is documented to guarantee regulatory compliance, enhancing the risk analysis’s attorney-client privilege.
- Assess risk management plans to make sure that measures to reduce vulnerabilities identified. Adopt the best practices used in healthcare. It’s a must to use unique IDs, strong passwords, role-based permissions, auto time-out, and screen lock.
- Compare HIPAA and other cyber-related policies and procedures against legal and regulatory obligations, and ensure they are updated based on the results of your most recent risk analysis.
- Expect the unexpected. Prepare safety incident response plans that meet HIPAA requirements and other applicable laws for your business to be ready to respond to a possible data breach. Besides, leave some room in your strategy for the unexpected. This could include everything from hacker attacks to natural disasters, threatening your healthcare records, and other vital assets.
- Create backups and develop a recovery plan. While creating backups seems like a common-sense thing, it can be missed in a small practice environment. Ensure that the medium used to store your backup data is safe and cannot be wiped out by an attack that would take down your office systems.
- Make additional investments in people, processes, technology, and management. Defending digital assets can no longer be delegated solely to the IT staff. Instead, security planning needs to be blended into new product and service, security, development plans, and business initiatives.
You can’t afford to neglect cybersecurity or compliance. That is why it is critical to match them together in a secure network that protects your patients and your reputation.
About the Author
From 2017 as a CTO at Zfort Group, Andrew Mikhailov concentrates on growing the company into the areas of modern technologies like Artificial Intelligence, BigData, and IoT. Being a CTO, Andrew doesn’t give up programming himself because it is critical for some of the projects Andrew curates as a CTO.
Andrew LinkedIn: https://www.linkedin.com/in/andrew-mikhailov-66571912/
Contact Andrew: email@example.com