In early October, Henry Ford Health System announced that it had been hacked and that the records of 18,470 patients had been stolen. On July 25-26, Arkansas Oral Facial Surgery Center was infiltrated by a virus that blocked the practice from being able to access images, files, and notes related to 128,000 patients. In September, Augusta University Medical Center announced that fewer than 1 percent of its patients’ records were stolen during a breach; however, this attack was the second phishing effort to work against the healthcare provider in just 5 months. These are just three of the most notable healthcare data breaches that occurred in 2017.
By midway through the year, the Department of Health and Human Services’ Office for Civil Rights (OCR) had received 233 breach reports, which suggested there would be more than the 450 that were reported during 2016. Already through July, 3.1 million electronic health records had been affected, just according to what was officially submitted to the HHS.
All of these compromised records represent money lost by each organization. Worldwide, the total average expense of a successful hack is $3.62 million. The cost per record of a healthcare breach is an almost incredible $380.
Avoiding a HIPAA Breach
Given the above stories and statistics, combined with the high associated costs, every covered entity and business associate wants to do whatever they can to avoid a HIPAA data breach. Several strategies can help you in prevention:
Test yourself relentlessly and randomly.
If someone is going to compromise your system, they want to catch you off-guard. Your vulnerability and penetration testing should occur at random points. It is also often a good idea to use outside security specialists to confirm all mechanisms and protocols are in place. You want to know when any rogue applications appear and any devices need patching, but you also want to penetration test to reveal how strong your system really is (so you get to any weaknesses ahead of hackers). Vulnerability assessments can also be helpful so that you are minimizing your chance of a breach and its numerous financial ramifications.
Verify that your staff is knowledgeable on HIPAA.
In order to carry out business, a healthcare organization relies on various personnel to conduct the many different elements of its operations. These people are each possible points of exploit for social engineering, an increasingly prevalent method.
For instance, a person might call on the phone or contact you by email and claim to be a certain doctor or patient. Note that proper adherence to the HIPAA Privacy Rule provides the appropriate checks and balances to avoid any violations in these cases. What happens after an individual asks for the information in this manner will rely, in large part, on how well your staff is trained on HIPAA-compliant protocols related to patient information.
Properly manage business associate relationships.
Healthcare companies are often incredibly complex, and they typically will rely on a diverse array of outside businesses to perform the functions needed to treat patients and help them to heal. In order for all of the protected health information that you use and generate to remain secure, the business associates who perform any services for you must follow proper standards and protocols to keep it from unauthorized access. Although the business associate agreement is a dry legal document, it is essential in establishing responsibility so that all compliance concerns are clearly delineated.
Bolster end-user defenses.
There are end-user tools that allow you to cover gaps in the use of services and perform ongoing threat detection, based on recent developments in machine learning and AI. Antivirus protection is helpful by itself but also serves as a foundation for more comprehensive and robust end-point detection and response (EDR) platforms. Strong EDR technologies will continually and systematically improve the intelligence that is built into your security approach (through predictive analysis). In order to get ahead of end-user threats, it helps to look at security in the terms of personalization: thinking at the level of each user activity, device, location, etc.
Apply encryption at the local level.
Make sure that you are internally encrypting data within all the systems containing ePHI. As indicated by recent statistics, two in five healthcare providers are not properly encrypting all of the data for which they have responsibility. Since the threat landscape has become so elaborate and severe, it is necessary to review the needs for encryption. It is important to reassess requirements for encryption annually; analyses such as these are necessary under the HIPAA regulations. It is especially critical to continue to review and improve your system if a breach has ever occurred.
Review your email protections.
It is easy to simply think at the level of record storage and transfer, or simply to verify the security auditing and certification of infrastructure. Think directly at the level of the email inbox. Often healthcare email is a target for phishing and ransomware. Go beyond traditional email gateways to using ones that are specifically designed for high, HIPAA-compliant security. Beyond helping you set up a better defense for your patients or clients, these more sophisticated security mechanisms will better safeguard you against data loss.
Strengthen your network security.
By sub-networking, you can restrict access and prevent breaches within the local system. However, in order to stop electronic protected health information (ePHI) theft from the outside, you need an advanced network security stance (as provided through a SOC 1 and SOC 2 audited datacenter from a HIPAA hosting company).
When an outside entity is specifically targeting your organization, they will typically start out through tests as authorized users. When you have advanced network security implemented, your ecosystem is able to comprehend when attackers are preparing themselves to strike.
Adopt a more powerful logging and analytics design.
If you want to study and grasp the nature of all the data that is streaming through a healthcare setting, it helps to leverage data intelligence, log analytics, and security information and event management (SIEM). In 2018, it is possible for these systems to detect irregularities in patterns through assessment of the log – in turn pointing to areas of security weakness. One thing to remember is that it is critical to have solid forensics, and that will ultimately be determined by the accuracy and sophistication of your log analysis.
Consider voicemail, text messaging, videoconferencing, and faxing.
It is easy not to include certain aspects of your business under the scope of HIPAA, especially since core IT needs are such an immediate point of focus. Voicemail and text messages can be problematic when patients send you ePHI. Your telecommunications provider should sign a business associate agreement confirming their commitment to HIPAA compliance. You want a business associate agreement spelling out all parameters and expectations of your video conferencing provider as well. HIPAA-compliant cloud-based systems can be used for document transfer, offering better security over the traditional practice of faxing.
Your HIPAA compliance partner
Are you in need of a HIPAA compliant solution for your organization, to protect the data of your own patients or those of clients? At Atlantic.Net, our HIPAA Compliant Hosting is SOC 1 & SOC 2 certified and HIPAA audited, painstakingly designed to secure critical data and records. See our HIPAA server hosting plans.