According to a report released by IBM and Ponemon, the healthcare sector has the highest rates of security breaches and cyber attacks globally. The average cost of a data breach for healthcare organizations is around $10.1 million, while the global average for all industries sits around less than half of that amount, at about $4.35 million.
Healthcare organizations often do not prioritize cybersecurity, leading to poor security measures, lack of regulatory compliance, and no cyber resiliency plans. However, HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health) cybersecurity violations can result in significant fines and penalties, which creates urgency for healthcare organizations to secure their networks, data storage, and third-party vendor security.
Why Do Cybercriminals Target Healthcare?
The healthcare sector has unique challenges that merit addressing its data breach prevention strategies specifically. Healthcare businesses contribute to critical infrastructure worldwide and combine:
- Large amounts of data — According to the World Economic Forum, hospitals may produce around 50 petabytes of data each year. The more data collected, the more valuable the information may be.
- Sensitive data — Clinical records are some of the most sensitive data. Healthcare centers store not only personally identifiable information (PII) but also details of illnesses and conditions, treatment results, and financial information.
- Slow transitions from legacy systems — With so many more medical records than ever and the ability to store them on hard drives and servers, hospitals are continuing to move away from paper-based or other legacy systems in favor of modern storage solutions, including cloud services. This transition can entail some confusion, miscommunications, and misconfigurations, potentially providing vulnerabilities that cybercriminals can exploit.
- Lack of third-party security — Third parties, such as cloud storage services and managed IT services, have access to sensitive data. They increase the attack surface of the institutions they serve.
Healthcare Regulations Help Prevent Data Breaches
One of the best ways to prevent a data breach is to maintain compliance with healthcare regulations. They are designed to protect the privacy of patient information and can be a motivating factor for organizations dealing with a data breach.
The US government considers healthcare a critical sector for the US economy and infrastructure. Naturally, it is highly regulated. Any healthcare business involved in a data breach can expect scrutiny from relevant law enforcement agencies and the press.
A healthcare company can incur significant fines if a regulatory body decides that its information security systems and data privacy policies and procedures were inadequate during a data breach. These fines can add up, as they may be worked out per incident per day. Moreover, the average data breach may go unnoticed for more than 200 days.
- The Health Insurance Portability and Accountability Act 1996 (HIPAA) is a federal law that requires healthcare organizations to take appropriate security measures to maintain the security of protected health information (PHI), such as test results, medical histories, and health insurance information.
- Health Information Technology for Economic and Clinical Health Act 2009 (HITECH) - One of the goals of this legislation is to ensure privacy and security. It incentivized the adoption of health information technology, helped to expand Health Information Exchanges, and strengthened HIPAA’s privacy and security provisions.
- NOTE: HITECH extended HIPAA’s security rule to “Business Associates of Covered Entities” and increased penalties to fund enforcement action by the Department of Health & Human Services (HHS) and the Office for Civil Rights.
11 Ways to Prevent a Data Breach in Healthcare
The main reason why healthcare providers and organizations are consistently targeted by cybercriminals is that protected health information (PHI), which includes patient data, medical records, and insurance information, is extremely valuable data that criminals can sell on the black market or dark web. Stolen or exposed patient information is often ransomed to the organization, which has no choice but to pay the ransom to continue operations or risk losing sensitive patient data altogether.
In addition, HIPAA compliance standards require healthcare service providers to have cybersecurity protocols in place to continue operations or risk incurring severe penalties, especially if a lack of security leads to compromised patient privacy.
For a more technical guide on how to prevent data breaches, read this post.
1. Assess Security Risks in IT Infrastructure
Cyber risk assessments and security evaluations should be performed annually to address new vulnerabilities, security gaps, and outdated policies that could put the organization at risk. Cybersecurity audits can be conducted internally or by a third party for a more comprehensive overview of the entire IT infrastructure. Security risks in the IT infrastructure are not limited to network or email security — it also applies to physical device security that employees may use to access the organization’s main network.
One important part of the security assessment should be identifying the most important assets and data that need to be secured. Healthcare organizations need to implement stronger security protections for patient records and the personal data of their employees.
Additionally, healthcare institutions should prepare annual risk assessments and testing to determine if their security is adequate to defend against current cyber threats. Penetration testing, simulations, and vulnerability assessments can measure whether businesses’ security systems can deter potential cyber attacks.
2. Maintain HIPAA Compliance
HIPAA is a set of healthcare regulations and frameworks determining a health organization’s ability to protect patient data and health records. Organizations can use HIPAA regulations as a roadmap to improving data privacy.
It’s also in the institution’s best interest to follow HIPAA compliance standards to avoid incurring penalties and fines for the lack of data security practices. HIPAA applies to any entity that handles sensitive patient data, including:
- Health care providers
- Health care clearinghouses
- Business associates
3. Implement Network Segmentation
Network segmentation is a highly effective data security practice that uses divided subnetworks to limit data access across an organization’s entire network of servers, particularly in larger organizations or hospitals. Network segmentation is a proactive, preventative practice that segments data across multiple individual networks to better organize the network infrastructure and prevent free-roam access by unauthorized users.
The idea behind network segmentation is that if a hacker gains access to one subnetwork, it is extremely difficult to jump to another subnetwork within the organization. Each subnetwork has its own security rules, access privileges, and pockets of sensitive information that prevent easy access without authorization. If an organization only uses a flat network structure, they are at risk of exposing all of its data through a single exploited vulnerability.
Segmenting networks is a highly complicated and intricate process that requires significant investment and time to implement properly. However, if implemented correctly, network segmentation in larger healthcare organizations can significantly increase their security posture and prevent a full data breach if a cyber attack occurs.
4. Enforce Cybersecurity Training & Education
One of the biggest causes of healthcare data breaches is that workers and employees aren’t educated about cyber risks and do not have the necessary training to recognize threats. Any organization, from small providers to large hospitals, needs to provide adequate cybersecurity education so that the staff can be the first line of defense against attacks.
Healthcare organizations should provide cybersecurity training to new staff and continue reinforcing best data protection practices to relevant employees with access to sensitive data. The training should be updated as the newest cyber threats or vulnerabilities emerge. Cyber education and training should include data security practices like:
- How to create secure passwords
- Safe internet browsing practices
- Recognizing potential phishing attacks
- Not connecting to unsecured Wi-Fi networks with work or personal devices
- Setting up two-factor or multi-factor authentication
- Never providing social security numbers (SSN) or credit card information over unsecured channels
- Securing physical devices
The best safeguard against cyber attacks is to enforce better data security and limit human error as much as possible.
5. Upgrade Outdated Software & Hardware
Many hospitals or other healthcare organizations may still be working with legacy systems and technology, which puts important healthcare information and electronic health records (EHR) at serious risk. Hackers target organizations still operating with outdated software, applications, and hardware because they have minimal protection and unpatched security software that cannot defend against modern-day cyber attacks.
Another reason to upgrade outdated technology is that many medical devices are connected to the main network, even though they aren’t directly internet-accessible. These are known as IoT (internet of things) devices and are common for criminals to hack into and access the network if they aren’t secured while connected to wireless networks.
Once this attack vector is breached, criminals can deploy malware, ransomware, or DDoS attacks that can cripple an entire healthcare system. Large hospitals often use thousands of medical devices that may be unsecured, creating endless entry points for hackers to exploit.
6. Set Data Retention Schedules
Storing unnecessary data increases the potential damage that a data breach can cause. In addition to limiting employees’ access to patient information, the healthcare institution can limit how long it stores sensitive data.
The healthcare establishment would be wise to have a written policy regarding how long it keeps electronic health records (EHR). By removing historical files, fewer data can be lost or stolen. Retention schedules help ensure that ePHI is removed when it is no longer needed.
Destroying digital data needs to be done securely, as simply discarding hard drives or deleting files does not ensure proper data disposal. Certified digital destruction companies are a solution for health organizations to safely destroy old data. Digital documents can be shredded electronically to prevent recovery, and that needs to be performed in a monitored, controlled, systematic way by people with appropriate access credentials.
7. Use Real-Time Monitoring
By logging and tracking network and user activity, healthcare companies can monitor for unauthorized PHI access, track suspicious network activity, and identify security risks before they can be exploited. It can also keep track of who has access to what information and when in a system with tiered access. Analysis of monitoring information can help identify threats and end them before they worsen.
If a data breach occurs, the logs from real-time monitoring systems can be instrumental in identifying and containing damage during the early stages of a data breach response plan. Real-time alerts can help healthcare businesses respond more quickly to threats and prevent data breaches.
8. Use Role-Based Access Control (RBAC)
Role-based access control (RBAC) is a form of role-based security that assigns specific permissions to every user in the company. By managing permissions, organizations have stricter control over data access privileges based on the user’s role in the company. RBAC is particularly needed in large organizations, such as hospitals, with thousands of employees and hundreds of roles.
RBAC implementation is one of the best ways to prevent data breaches because it limits the amount of data that hackers can steal if they somehow gain access to an employee account. For example, if a lower-level employee gets hacked, the threat actor is unable to access high-value data through limited employee access, effectively preventing a full data breach.
RBAC employs the principle of least privilege and the zero-trust model that automatically restricts employees from accessing data outside of their role needs by assuming every level of data has the potential for unauthorized access.
9. Manage Third-Party Vendor Risks
Because certain third-party vendors handle, store, or transmit critical and sensitive data, it increases the attack surface of its partners. Third parties include contractors, other clinics, business associates, cloud service providers, and more.
It’s essential to perform third-party due diligence and ensure that third-party providers uphold strong data security and privacy practices. Business associate agreements (BAA) based on HIPAA compliance are part of how healthcare organizations can set data security requirements and expectations for third parties.
Additionally, healthcare institutions working with third-party providers must ensure they read and review all service-level agreements. Don’t allow any boxes to be checked or unchecked automatically. If a third-party vendor needs access to medical records and other patient data, it needs to be HIPAA-compliant. Anything less puts the healthcare business and its patients at risk.
Violations of HIPAA can result in significant fines and penalties for both the vendor and the healthcare organization. Organizations should consider appointing a designated individual to take charge of third-party compliance and procurement processes.
10. Create Cyber Resiliency Plans
Cyber resiliency plans are crucial for any organization to create and implement. Cyber resiliency includes disaster recovery, business continuity, and incident response plans that allow the organization to withstand a cyber attack and plan for a potential data breach. Although these plans won’t prevent data breaches, they are essential for detailing mitigation and remediation protocols.
For example, incident response plans will identify the roles and responsibilities of the IT team in the event of an active cyber attack and detail the specific reporting processes, mitigation actions, and attack vector identification and remediation to limit the scope of the attack quickly.
11. Hire an IT Team
Healthcare establishments can be large organizations with vast numbers of records and departments. They may encompass not only multiple departments and department heads but also multiple hospitals, care homes, and other centers across wide geographic locations. A dedicated IT team can significantly help prevent a data breach and make things go much more quickly, smoothly, and affordably if an attack, human error, or natural disaster compromises data.
Staying on top of the information security requirements for a healthcare organization can be a significant challenge. Appointing positions, such as a CISO, to lead the company’s IT security efforts is an effective way to keep the business on track and to implement a data breach response plan effectively when necessary.
Regardless of size, healthcare organizations must necessarily deal with the challenge of protecting patient data. A dedicated IT team can monitor threats, maintain firewalls and threat detection software, keep systems up to date, monitor and modify permissions, and monitor third-party vendors and other partners.