Every industry needs to take data breaches seriously, but if you’re a healthcare provider, you have extra incentive.
Why is this so?
The frequent use of legacy tech, combined with placing patient welfare above everything else, makes healthcare providers more vulnerable.
Making matters worse, the consequences of HIPAA and other regulatory violations amplify the impact of data breaches.
To stop, or dramatically reduce, data leaks, you need to protect your email, train your employees, and secure your data.
These tactics are important, but keep in mind that attackers also target your healthcare supply chain. Because of this, you’ll need to ensure your healthcare partners also use these tactics effectively.
Let’s take a look at where you should start.
Healthcare Data Breaches Start with Phishing
Approximately 80% of security incidents stem from phishing.
At the end of July, UC San Diego Health disclosed that a phishing attack compromised employee email accounts, giving attackers access to the personal information of patients, employees and students.
And they’re not alone.
A 2019 survey found that 90% of healthcare providers received a security threat through emails, while experts estimate healthcare cyberattacks rose by 55% in 2020.
With the average cost of a data breach reaching a staggering $4.2 million, you need to boost your cybersecurity however you can.
Make sure you enable email defenses such as email filtering, and turn on the mail server protocols that verify sender domains. These measures protect your email by greatly reducing your exposure to attacks.
The Case for Training
Healthcare workers keep demanding schedules, but you need to build training into your culture.
Email security software simply can’t stop every attack.
For example, hackers compromised Chipotle’s Mailgun email marketing account. From there, they sent phishing emails that passed the security checks that validate sender domains, since the mail legitimately came from Chipotle’s own sending domain (i.e., mail.chipotle.com).
Also, keep in mind that not all breaches involve email.
A former employee of the Oklahoma Heart Hospital accidentally included handwritten notes about patients in a donation to charity.
Training your employees and coworkers on the importance of data security defends against attacks that cybersecurity software can’t catch.
Limiting Damage from Your Healthcare Partners’ Breaches
Even though ransomware and phishing account for the majority of direct healthcare data breaches, be aware of your broader exposure: employees and business partners often leak data in unexpected ways.
The Cancer Center of Greenwood Leflore Hospital joined Yale New Haven Health, Lifespan, and other providers in warning their patients about a potential healthcare data breach stemming from their cloud-based data storage provider, Elekta.
Fortunately for Leflore, their damages should be limited, because they adopted a best practice for data storage: encryption.
As long as the encryption keys are stored separately from the data and kept secure, encrypted data remains useless to an attacker who obtains a copy of it.
To limit the damage of a data breach, healthcare providers must mandate encryption of data on their own systems and on the systems of their vendors and partners, and verify that it is actually in place.
For example, when ransomware gangs struck the law firm of Campbell, Conroy and O’Neil, they stole a broad array of data, including protected health information.
Insist that law firms, billing partners, and other vendors encrypt patient data, so that protection extends across the entire healthcare ecosystem.
More Than Just HIPAA Data
Depending upon the type of breach, you could find yourself facing a variety of regulations that determine your required actions and possible penalties.
Even though HIPAA is the main guideline, credit card breaches trigger PCI DSS (the payment card industry’s own security standard), while leaks of student health information can trigger Family Educational Rights and Privacy Act (FERPA) violations.
Additionally, many states have passed laws that fine or otherwise penalize companies that leak the personally identifying information of their residents, which only adds to a healthcare provider’s headaches in the event of a data breach.
As the consequences of an attack grow more painful, prevention becomes more important.
In addition to training and technical controls (email filtering, encryption, etc.), you need to identify the various types of data you need to protect.
Make sure you search your legacy systems and locate where regulated data is stored, so it can be organized and protected.
Making Security Possible
It’s not easy guarding against cyberattacks.
However, between the growing financial costs and legal problems resulting from an attack, it’s more important than ever before.
Implement strong email security, educate your team, and make sure to encrypt all of your important data. Be careful who you partner with, and keep an eye on older tech systems.
Many organizations have long lists of projects their IT teams haven’t yet implemented, so taking time to install these measures can seem overwhelming.
However, with the rising costs of data breaches, it becomes more reasonable to hire outsourced experts to enable preventative measures.
It all starts here, with a risk-free consultation.
Complete the form below to connect with our team of networking and cybersecurity experts or call us at 412-349-6680 to discuss how our team can help your healthcare organization locate and protect its regulated data.