The digitization of medical care has become a double-edged sword. Healthcare providers like Kaiser Permanente have used medical records to improve the health of their members.
In 2015, the National Committee for Quality Assurance found that Kaiser Permanente ranked first in 21 different healthcare quality measures, more than any other health plan in the country. Kaiser’s quality of care is due in no small part to its sophisticated medical records system.
On the other hand, the February 2015 breach of Anthem, one of the largest health insurers in the U.S., shows the risks that come with digitized healthcare. The breach affected up to 80 million people, and the attackers may have had access for as long as ten months before it was detected.
Although Anthem says no medical information was compromised, that is small consolation for the millions of people whose Social Security numbers, medical ID numbers, names, dates of birth and other personal information were stolen. To top it off, the breach was only the start of the cyber crime: in its wake, criminals sent “phishing” emails posing as Anthem breach notifications to harvest even more data from the same victims.
The medical industry has long lagged behind other industries in its use of technology and now finds itself playing catch up. The medical records and technology ecosystem is fragmented – there is no standard system for healthcare providers to use. Cyber criminals know this and are actively targeting healthcare organizations.
So, what can healthcare providers do to minimize their cyber risks? Here are four steps you can take to safeguard Protected Health Information (PHI).
1 – Conduct a Risk Assessment and Implement a Risk Management Program
This isn’t just a good idea; it’s a requirement under the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Security Rule requires covered entities to perform and document a risk analysis of the threats to electronic PHI and to manage the risks it identifies. Healthcare organizations should assess their security vulnerabilities, whether with their internal IT team or with a third-party provider, implement measures to remediate them, and repeat the assessment whenever systems or operations change materially.
2 – Physically Safeguard PHI
Patient medical data recorded on paper should be kept in a secure location that only authorized personnel can access, and access should be limited to those with a specific reason to use it. Those employees should be trained in how to properly handle patient medical records.
Electronic patient data should be protected the same way: require strong passwords (with multi-factor authentication where the system supports it), grant each user only the access their job requires, and log who accesses which records so that misuse can be detected. To prevent unauthorized access to unattended workstations, computers holding PHI should automatically log off after a short period of inactivity.
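The electronic controls in step 2 can be made concrete in code. The following is an added example, not code from the original article or from any real records system: a minimal PHI access layer that grants a read only when the user’s role permits it and the user is on that patient’s care team (need-to-know), treats a session idle longer than a timeout as logged off, and writes every decision to an audit log. The roles, patient IDs, timeout value and records are constructed sample data.

```python
"""Least-privilege PHI access with idle-session logoff and an audit trail.

Added example (not from the original article). Role names, permissions,
patient records and the ten-minute timeout are assumed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=10)  # assumed policy value

# Deny by default: a role with no entry, or an empty set, can do nothing.
ROLE_PERMISSIONS = {
    "physician": {"read_phi", "write_phi"},
    "nurse": {"read_phi"},
    "billing": set(),  # billing works from demographics, not clinical PHI
}


@dataclass
class Session:
    user: str
    role: str
    care_team: frozenset        # patient IDs this user legitimately treats
    last_activity: datetime


@dataclass
class AccessDecision:
    allowed: bool
    reason: str


class PhiStore:
    def __init__(self, records):
        self._records = records
        self.audit_log = []     # one entry per access attempt, allowed or not

    def _log(self, session, patient_id, decision, now):
        self.audit_log.append({
            "time": now.isoformat(), "user": session.user,
            "patient": patient_id, "allowed": decision.allowed,
            "reason": decision.reason,
        })

    def authorize(self, session, patient_id, action, now):
        # Checks run in order: liveness of the session, then role, then need-to-know.
        if now - session.last_activity > IDLE_TIMEOUT:
            return AccessDecision(False, "session expired (idle)")
        if action not in ROLE_PERMISSIONS.get(session.role, set()):
            return AccessDecision(False, f"role {session.role!r} lacks {action}")
        if patient_id not in session.care_team:
            return AccessDecision(False, "not on patient's care team")
        return AccessDecision(True, "ok")

    def read(self, session, patient_id, now):
        decision = self.authorize(session, patient_id, "read_phi", now)
        self._log(session, patient_id, decision, now)
        if not decision.allowed:
            return None
        session.last_activity = now  # successful activity resets the idle clock
        return self._records.get(patient_id)


def run_scenarios():
    """Constructed sample data exercising each rule.

    Returns ({scenario: was_allowed}, audit_log).
    """
    t0 = datetime(2015, 2, 4, 9, 0, 0)
    store = PhiStore({
        "P-100": {"name": "Sample Patient A", "diagnosis": "sample"},
        "P-200": {"name": "Sample Patient B", "diagnosis": "sample"},
    })
    nurse = Session("nurse.a", "nurse", frozenset({"P-100"}), t0)
    billing = Session("clerk.b", "billing", frozenset({"P-100"}), t0)

    results = {
        # on the care team, role allows reads, session live -> allowed
        "nurse_own_patient": store.read(nurse, "P-100", t0 + timedelta(minutes=1)) is not None,
        # same nurse, patient not under their care -> denied
        "nurse_other_patient": store.read(nurse, "P-200", t0 + timedelta(minutes=2)) is not None,
        # billing role has no clinical permission -> denied
        "billing_clinical": store.read(billing, "P-100", t0 + timedelta(minutes=1)) is not None,
        # nurse's last activity was t0+1; 19 minutes idle -> auto logoff
        "nurse_after_idle": store.read(nurse, "P-100", t0 + timedelta(minutes=20)) is not None,
    }
    return results, store.audit_log


if __name__ == "__main__":
    outcomes, log = run_scenarios()
    for name, allowed in outcomes.items():
        print(f"{name}: {'ALLOWED' if allowed else 'DENIED'}")
    for entry in log:
        print(entry)
```

The ordering of checks matters: the idle-timeout test comes first so that an expired session is rejected even for a user who would otherwise be authorized, and the audit log records denials as well as successes, which is what an investigator needs to spot an insider browsing records outside their care team.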
3 – Monitor the Dark Web to Identify Any Breaches Immediately
Cyber criminals operate a thriving black market for stolen information on the Dark Web. Healthcare organizations should implement threat intelligence solutions that include Dark Web monitoring, so that records appearing for sale are spotted quickly. Remember, the Anthem intrusion may have gone undetected for up to ten months.
The recent Verizon data breach was discovered when the stolen customer data was offered for sale on a Dark Web forum. Because Verizon learned of the breach relatively soon after it occurred, it was able to close the vulnerability that had been exploited.
4 – Conduct Cybersecurity Training for your Employees
Most data breaches originate inside the organization being breached: 58% trace back to insiders, whether malicious actors or employees who were simply negligent.
Make cybersecurity training part of the onboarding process for all new employees and require annual re-certification so that staff keep up with the latest cyber crime tactics, such as the phishing emails that followed the Anthem breach.
Why is this important to your healthcare organization? Because it’s expensive! The average cost per breached data record is $363. Although Anthem has never disclosed the cost of its data breach, it’s not hard to imagine that it is in the tens of millions of dollars.