Newer state and federal laws now regulate data privacy and cybersecurity.
As a preview of what may lie ahead for those affected by these laws, let’s examine how HIPAA affects the healthcare industry now.
Essentially, you must control your data or pay hefty fines. You can’t let the wrong people access it, and you need to make sure the right people have access at the right time.
HIPAA fines make headlines as various companies settle with the government. Those fines stem from organizations falling victim to disruptive attacks, disgruntled workers, and general disorganization.
Those weaknesses can be found everywhere but, fortunately, there are proactive steps you can take to reduce exposure, improve responsiveness, and mitigate damages.
Healthcare Industry Attacks & Mitigation
In October alone, Dickinson County Healthcare System, West End Medical Center, Beacon Health Solutions, Wilmington Surgical Associates, and Riverside Community Care all suffered ransomware attacks.
Some malicious actors even published stolen data, which instantly exposes the healthcare provider to HIPAA data-breach violations.
Unfortunately, it can get worse. If an organization pays the attacker, it can face additional penalties on top of the HIPAA fines when that attacker has been sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), because paying a sanctioned party is itself a violation.
To guard against attacks, you must plug the holes in your security, which most commonly come from system vulnerabilities and user errors. To counter system vulnerabilities, prioritize patching by risk, so the systems that hold your most sensitive data are patched first.
To mitigate user errors, a privileged access management approach can be combined with least-privilege access so that any single compromised account exposes as little data as possible. Also, basic cybersecurity training should be provided to both employees and patients to reduce both user error and the number of opportunities for attackers.
Unfortunately, not all HIPAA violations stem from an outsider’s attack. Employees can make mistakes or even act maliciously to create problems.
Both the well-known Pfizer and the lesser-known cloud-based voice-over-IP (VoIP) telecom company Broadvoice misconfigured cloud storage repositories and exposed voice transcripts that contained patient information.
Also in October, Unity Health Toronto notified customers that a disgruntled employee stole patient data and was holding it ransom.
While completely different issues, both could be controlled by fundamental best practices: Secure & monitor access, train, and test. However, these all require actions before a breach to be effective, so you need to take action now.
To secure access, organizations can adopt the privileged access management approach mentioned above, which shrinks the set of users and devices that must be monitored for inappropriate access.
Then use monitoring tools or logs to track the use of data — especially downloads — in order to flag inappropriate behavior.
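As an added illustration of the monitoring step above (this is example code written for this article, not a Blue Bastion tool or any specific EHR product’s logging), the script below scans constructed audit-log lines in an assumed comma-separated format (timestamp, user, role, action, patient ID) and raises alerts for two patterns that commonly precede a data-theft incident: one account exporting an unusually large number of distinct patient charts in a day, and exports happening outside business hours. The thresholds and business hours are assumptions for the demo and should be tuned to your own baseline.

```python
"""Flag bulk and after-hours record exports in EHR audit logs.

Added example for this article, not vendor code. The log format, the
thresholds and the sample data below are all assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit-log lines (not real data): timestamp,user,role,action,patient_id
SAMPLE_LOG = [
    "2020-10-05T09:12:03,jsmith,nurse,VIEW,P1001",
    "2020-10-05T09:14:40,jsmith,nurse,VIEW,P1002",
    "2020-10-05T10:02:11,drlee,physician,VIEW,P1003",
    "2020-10-05T10:05:50,drlee,physician,DOWNLOAD,P1003",
    "2020-10-05T14:20:00,tbrown,billing,VIEW,P2001",
]
# Constructed burst: one billing account pulls 60 different charts at 22:31.
SAMPLE_LOG += [
    f"2020-10-05T22:31:{i:02d},tbrown,billing,DOWNLOAD,P{2100 + i}" for i in range(60)
]

BULK_DOWNLOAD_THRESHOLD = 25   # distinct patients exported per user per day (assumed)
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59 local time (assumed)
AFTER_HOURS_MIN = 5            # after-hours exports before alerting (assumed)


def parse_line(line):
    """Split one audit line into a dict; raises ValueError on malformed input."""
    ts, user, role, action, patient = line.strip().split(",")
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "role": role,
        "action": action,
        "patient": patient,
    }


def analyze(lines, threshold=BULK_DOWNLOAD_THRESHOLD,
            after_hours_min=AFTER_HOURS_MIN):
    """Return a list of alert dicts for DOWNLOAD activity, keyed per user and day."""
    downloads = defaultdict(set)    # (user, date) -> distinct patients exported
    after_hours = defaultdict(int)  # (user, date) -> count of after-hours exports
    for line in lines:
        ev = parse_line(line)
        if ev["action"] != "DOWNLOAD":
            continue
        key = (ev["user"], ev["ts"].date().isoformat())
        downloads[key].add(ev["patient"])
        if ev["ts"].hour not in BUSINESS_HOURS:
            after_hours[key] += 1

    alerts = []
    for (user, day), patients in downloads.items():
        if len(patients) >= threshold:
            alerts.append({"rule": "BULK_DOWNLOAD", "user": user,
                           "date": day, "count": len(patients)})
    for (user, day), n in after_hours.items():
        if n >= after_hours_min:
            alerts.append({"rule": "AFTER_HOURS_DOWNLOAD", "user": user,
                           "date": day, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Counting distinct patients rather than raw events keeps a clinician who repeatedly opens one chart from tripping the bulk rule, while the after-hours rule catches the off-hours export pattern even when the total stays under the daily threshold. Feed the real export events from your EHR or file-share audit trail into `analyze` on a daily schedule and route the alerts to whoever owns privileged-access review.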
All tech evolves, so continuous training of employees will minimize issues and prevent misconfigurations. However, you cannot simply assume that the setup has been performed correctly. The configuration should be verified with both internal testing and third-party testing.
Critical Data Availability
Dignity Health paid a record $160,000 fine for excessive delays in providing a patient with their medical records.
Some delays stem from simple disorganization but, with ransomware now targeting data backups, destroyed data can also become a source of HIPAA fines.
To ensure continuous accessibility of data, organizations need to:
- Thoroughly identify all locations of critical data (patient data for HIPAA compliance, credit card info for PCI compliance, etc.)
- Consolidate, secure and limit access to the data repositories (see above)
- Set up, test, and secure data backups
- Test backups for security, accuracy, and ease of restoration
If you skip any of these fundamentals, you’ll surely risk future fines.
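The last step of the procedure above, testing that a backup actually restores accurately, is the one most often skipped. The following is an added example written for this article (not Blue Bastion’s own tooling) of a minimal restore drill: it builds a constructed sample data set, records a SHA-256 manifest before backup, archives the data, restores it to a fresh directory while refusing archive entries that would write outside that directory, times the restore, and then checks every file against the manifest. A second run deliberately damages one restored file to show that the verification catches it. The file names, the recovery-time objective and the sample content are assumptions for the demo.

```python
"""Backup-and-restore drill with integrity verification.

Added example for this article, not vendor code. Sample files, paths and the
recovery-time objective are assumptions chosen for the demo.
"""
import hashlib
import os
import tarfile
import tempfile
import time


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def create_backup(src_root, archive_path):
    """Write a gzip-compressed tar archive of src_root."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_root, arcname=".")


def restore_backup(archive_path, dest_root):
    """Extract the archive, refusing any member that would escape dest_root."""
    dest_real = os.path.realpath(dest_root)
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_root, member.name))
            if target != dest_real and not target.startswith(dest_real + os.sep):
                raise ValueError(f"unsafe member path in archive: {member.name}")
        tar.extractall(dest_root)


def verify_restore(manifest, restored_root):
    """Compare restored files against the manifest; return (ok, problems)."""
    problems = []
    for rel, digest in manifest.items():
        path = os.path.join(restored_root, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"hash mismatch: {rel}")
    return (not problems, problems)


def restore_drill(corrupt_after_restore=False, rto_seconds=60.0):
    """Run the whole drill on constructed data and return a result dict."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "ehr_data")
        os.makedirs(os.path.join(src, "patients"))
        # Constructed placeholder files; not real patient records.
        with open(os.path.join(src, "patients", "P1001.json"), "w") as f:
            f.write('{"id": "P1001", "note": "constructed sample"}\n')
        with open(os.path.join(src, "index.db"), "wb") as f:
            f.write(os.urandom(4096))

        manifest = build_manifest(src)
        archive = os.path.join(work, "backup.tar.gz")
        create_backup(src, archive)

        restored = os.path.join(work, "restore_target")
        os.makedirs(restored)
        start = time.monotonic()
        restore_backup(archive, restored)
        elapsed = time.monotonic() - start

        if corrupt_after_restore:
            # Simulate a damaged restore, such as a truncated or tampered file.
            with open(os.path.join(restored, "index.db"), "ab") as f:
                f.write(b"X")

        ok, problems = verify_restore(manifest, restored)
        return {"files": len(manifest), "restore_seconds": elapsed,
                "within_rto": elapsed <= rto_seconds, "ok": ok,
                "problems": problems}


if __name__ == "__main__":
    print(restore_drill())
    print(restore_drill(corrupt_after_restore=True))
```

The manifest must be captured from the live system and stored separately from the backup, otherwise an attacker who encrypts or alters the backup can alter the manifest with it. Running the drill on a schedule, against a real backup and a real restore target, gives you the restore time to compare with your recovery objective and a hard answer to the question of whether the backup is usable.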
Fresh Perspectives & Assurance
The fundamental steps to protect a healthcare organization apply to all organizations, in some way, due to the various compliance requirements and/or data regulations.
Every non-profit, for-profit, or governmental organization manages data that must be protected.
After you enact the basic cybersecurity fundamentals, testing must be performed consistently to verify proper implementation. A third-party red team, such as Blue Bastion, provides a fresh perspective and the expertise to verify security from many different angles.
Beyond basic testing, our experts can also guide you through readiness exercises. We can assist with tabletop sessions to test how a team might respond during an attack, and we can assist in running drills to verify how quickly backups can be restored to critical systems.
Blue Bastion and Ideal Integrations fill the gaps for our clients by assisting with IT infrastructure design, implementation, monitoring, and testing.
Call us today at 412-349-6680, or fill out the form below, and we’ll help you safely secure your data, 24/7/365.