As a healthcare provider, you are responsible for providing the best possible care to your patients. In order to do so, you gather important details about them. Therefore, you are also responsible for protecting your patients’ sensitive information. This includes, but is not limited to, demographics such as birth dates and social security numbers, financial data, or health information such as medical conditions and test results.
Recently, Quest Diagnostics was in the news for a data breach affecting 12 million of their patients. This is just the latest in a series of several major security breaches in recent years. Although the Quest breach affected American Medical Collection Agency, a third party billing service employed by Quest at the time, it is Quest’s business reputation on the line.
Read on to find out ways your practice could be at risk and how to protect yourself and your patients.
A data breach is an incident in which confidential information is accessed without authorization. Your patient records contain sensitive information that is attractive to criminals, which is why cyber thieves target electronic data collected by the healthcare industry. Cybercrime in healthcare is particularly profitable. The average cost of a data breach incurred by a non-healthcare related agency, per stolen record, is $158. For healthcare agencies the cost is an average of $355. Credit card information and personally identifiable information (PII) sell for $1-$2 on the black market, but protected health information (PHI) can sell for as much as $363. According to Symantec, electronic PHI was the most common form of data lost to data breaches in 2016, with personal consumer financial information close behind.
PHI is valuable because criminals can use it to target victims with scams that take advantage of the victim’s medical conditions or victim settlements. It can be used to create fake insurance claims, or to illegally gain access to prescriptions for use or resale. Hackers seek personal information to either steal money, compromise identity to steal money, or sell to other criminals on the dark web.
Because a ransomware-type cyber attack could compromise patient safety and care, health care organizations are more likely to pay the ransom. Newer ransomware is capable of deleting your backup before destroying your data. Smaller practices may be at highest risk: after installing new technology to handle electronic health records (EHR), many smaller practices may lack the finances to stay ahead of hackers in terms of security.
Studies indicate that around 83% of physicians have been victims of cyber criminals. In May 2017 a global ransomware outbreak called WannaCry infiltrated several major organizations, including Britain’s National Health Service. Your entire network is at risk, including peripheral devices, phones, tablets, etc.
It is incredibly important that all of your practice protocols and systems, including your health information technology (HIT), maintain HIPAA compliance. Your health information technology should have all the proper safeguards in place to ensure the security of your patients’ data. A HIPAA-compliant network will be password-protected and have antivirus and anti-malware software installed and used consistently. As with printed PHI, staff should be properly trained in HIPAA-compliant practices for handling information technology. Also remember that not every staff member requires the same level of access to patients’ PHI; grant each person only the access their role needs.
Some ways hackers gain access to a network are by:
A large portion (48%) of data breaches are not caused by cyber criminals. They are caused by system glitches and human error.
According to a 2017 study sponsored by IBM Security and conducted by Ponemon Institute, data breaches cost U.S. companies an average of $225 per compromised record. That number increases to $380 per record in the healthcare industry. The breakdown of recovery costs is as follows:
If your practice suffered a data breach, you would also have to notify the U.S. Department of Health & Human Services. Perhaps the most devastating cost to your practice would be lost revenue as a result of damage to your brand. When patients do not trust you, they find care elsewhere.
Consult your IT partner for advice on how best to avoid a data breach and protect your patients. To fully protect patient data, practices should consider measures such as employee training and server and workstation monitoring. Employee training on security policies and procedures has been shown to decrease data breach costs by more than $9 per compromised record. The Health Insurance Portability and Accountability Act (HIPAA) outlines specific recommendations for handling patient ePHI, such as offsite data backup, firewall security, virus protection, and data encryption. Practices can add an additional layer of protection by running security risk assessments once or (ideally) twice a year. The Quest Diagnostics breach occurred at a business associate. Be extremely careful in choosing vendors who will come in contact with your patients’ sensitive information, and make sure they sign a Business Associate Agreement.
Here are some ways you and your staff can prevent a data security breach:
Any business is susceptible to a cyberattack, but healthcare organizations are particularly vulnerable. While patient care should be your primary focus, don’t neglect your network security. Protecting patient information will help you care for them in the best possible way. If you need guidance, your trusted IT partner can help you.