How ASCs Can Improve Cyber Security Strategies and Prevent Data Breaches
Data breaches are on the rise and continue to make headlines in the healthcare industry, with more patient records being compromised every year. Be it ransomware, phishing, or even a stolen laptop, everyone from small surgery centers to large hospital networks is under constant attack. The question is what you can do to prevent data breaches at your own facility. The short answer is that an effective cyber security strategy rests on people, not just technology.
Last year saw about 365 data breaches of 500 or more healthcare records (totaling over 13 million healthcare records exposed), according to breach notifications received by the Department of Health and Human Services’ Office for Civil Rights. The number of data breaches was about the same in 2017, but the big difference is that in 2018 more than twice as many healthcare records were exposed.
HIPAA Journal has analyzed the 2018 data and reported the following breakdown of the causes of data breaches:
- Hacking/IT incident - 158 cases (43.29%)
- Unauthorized access/disclosure - 143 cases (39.18%)
- Theft - 42 cases (11.5%)
- Loss - 13 cases (3.56%)
- Improper Disposal of PHI or e-PHI - 9 cases (2.47%)
According to a 2018 Kaspersky Lab report on North America, 27 percent of healthcare employees said their organization had experienced a ransomware attack within the past year, and 33 percent of those said their organization was hit more than once.
In the same report, only about half of healthcare IT workers were confident in their cybersecurity strategy for 2019. The report also highlighted the high cost of data breaches, which lies not only in the recovery burden (an average of $1.23 million for enterprises) but also in the impact on the company’s reputation, customer privacy, and even employees’ careers.
The Health Insurance Portability and Accountability Act (HIPAA) privacy rules were put in place to safeguard consumers’ protected health information (PHI). HIPAA sets the standard for protecting sensitive patient data and governs how you access, distribute, and protect PHI. Failure to comply can have severe consequences for an ASC.
How Can an ASC Improve its Cybersecurity Strategy?
It is important to note that a compliance-driven program (one that meets the requirements of HIPAA) and a security-driven program are two different strategies. Security is risk-based: it asks what could actually harm the organization. Compliance is about meeting the requirements imposed on the organization.
A strategy led by compliance alone will not always include protection against the variety of cyber threats that exist today. The Kaspersky Lab report suggests that a multi-layered approach to security is necessary to fully protect an organization’s environment.
Here are three crucial steps suggested by Kaspersky Lab:
1. Segregate your networks. Anything critical should not be directly connected to the Internet. Maintain control over your network by restricting access to information for employees who do not need it.
2. Set up a complete backup and recovery plan. If something does happen, recovering from the attack must be possible. Make regular backups of important information and keep several copies in different places.
3. Staff awareness and education, plus a good antivirus product. Teaching your staff what ransomware looks like, what it does, and how to handle an incident can mean the difference between one system going down and all of them going down.
Two Common Compliance & Cyber Security Problem Areas for ASCs
The healthcare regulatory landscape is constantly evolving, and there is an abundance of rules governing every aspect of an ASC's operations. Staying on top of HIPAA regulations is important for ensuring data privacy, protecting patient safety, and safeguarding your revenue.
1. Business Associates (BAs) or Third-party Vendors - Your business associates and third-party vendors also need to be HIPAA compliant, including their subcontractors (business associates of business associates). A business associate is anyone who has access to patient information and provides support in treatment, payment, or operations. It is essential for ASCs to have business associate agreements with every vendor that has access to the electronic protected health information (e-PHI) of its patients.
2. Human Error - According to Willis Watson consultancy, over 90 percent of cyber security incidents can be traced back to human error. Your staff are busy, and all it takes is for one of them to open an attachment or click a link without double-checking the sender's email address. That's it - you've been phished. This is why ASCs need to hold regular compliance meetings as well as regular HIPAA training sessions.
Other Quick Tips and Best Practices
Conduct Tests & Audits All the Time - Simulate a cybersecurity attack, for example by sending test phishing emails to your employees, to see what happens and how they react. Correct the issues you find, repeat the exercise frequently, and keep up to date with the latest tactics phishers use.
Don’t Respond to Phishing Emails: If you have even the slightest suspicion that you are the target of a phishing attempt, do not respond to the email. Any reply confirms to the sender that they have reached a valid, monitored email address.
Don’t Pay the Ransom. Paying doesn’t guarantee you will get your data back, and it encourages this criminal business model.
Encrypt Sensitive Data. What if someone sends an email containing sensitive data to the wrong address? Avoid transmitting sensitive data in unencrypted email in the first place, so that a "wrong send" is not a catastrophe.
David Hamilton is the CEO of Mnet Health Services, a Business Process as a Service (BPAAS) and Financial Technology (FinTech) firm with a specialized focus on End-to-End Revenue Cycle Management, Care Coordination, and Quality Assurance in the healthcare industry.