Cybersecurity is more than meets the eye. Proper security contains several layers, including adequate training and technology, to meet HIPAA compliance guidelines. Healthcare organizations are responsible for implementing robust cybersecurity strategies to prevent cyberattacks.
The healthcare industry claims to prioritize cybersecurity efforts, yet 18% of organizations allocate only 1-2% of their IT budgets to cybersecurity. Covered entities that choose not to prioritize proper cybersecurity leave themselves vulnerable to increasingly prevalent cyberattacks.
Healthcare-related cyberattacks can be attributed to several factors. A lack of employee training increases the likelihood of human error, and portal-based communication is only as secure as a patient’s email account. Neglecting two-factor authentication makes it easier for a hack to occur, and not having a business continuity plan affects an organization’s ability to recover. Here are four aspects that leave healthcare organizations vulnerable to attacks.
Employees are often unaware of their role in data breaches, making them one of an organization’s most prevalent security risks. In fact, human error accounted for 33% of healthcare breaches in 2020 alone. A lack of proper cybersecurity training places a target on healthcare organizations big and small.
HIPAA encourages covered entities to train employees to recognize, report and respond to cyberattacks. A recent study by The Advanced Computing Systems Association found that, with proper training, employee threat detection rates increased nearly 20%. Yet, while the average healthcare professional receives 12 years of training before entering the field, 32% of employees claim they never received cybersecurity training from their healthcare system.
Healthcare providers must protect their network with ongoing cybersecurity and HIPAA compliance training, including lessons on recognizing cyber threats and keeping protected health information (PHI) secure. With proper training, employees are more likely to identify and respond to attacks, such as display name spoofing or phishing emails containing ransomware, before it’s too late.
HIPAA requires healthcare providers to safeguard electronic protected health information (ePHI). With this in mind, healthcare professionals often rely on patient portals to send and receive ePHI. Not only do portals make it more difficult for patients to access messages from their provider, but security depends on the users as well.
Patient portals work by keeping communication between provider and patient within the portal's boundaries. Both sender and receiver must log into the platform to read and respond to messages. Keeping ePHI behind a portal's walls can protect information from common cyberattacks, but hackers know about the various ways providers share ePHI with their patients. Suddenly, the target shifts from provider to patient, and a patient's ability to keep logins and passwords safe becomes key.
More than 60% of people admit to regularly reusing passwords across multiple sites, which enables hackers to infiltrate multiple accounts with one stolen password. According to the Verizon 2021 Data Breach Investigations Report, 61% of breaches result from compromised credentials.
One option for security professionals within healthcare is to advocate for communication with patients regarding password privacy and security measures.
Instead of placing the weight of keeping ePHI secure on patients, another option is for healthcare providers to leverage email encryption to send HIPAA compliant email. Email encryption can ensure the safety of ePHI in transit and at rest and eliminates the need for logins and passwords.
A security feature like two-factor authentication (2FA) can seem cumbersome and unnecessary, but skipping a second step to verify user identities leaves passwords, patient information and organizations vulnerable to cyberattacks.
According to a recent Google study, only 37% of Americans use 2FA. And last year, Microsoft attributed more than 99.9% of compromised accounts to a lack of multi-factor authentication. Skipping this layer of security increases the likelihood of network security breaches.
2FA is one of the most effective ways to reduce risk and safeguard PHI against cybercriminals, as it requires a user to confirm their identity a second time, with a second factor, after entering a password. Security questions and PINs are common second-step methods. Having 2FA requirements makes it difficult for a cybercriminal to gain unauthorized access to an account and, in turn, an entire organization.
A healthcare organization’s goal is to minimize risk and avoid becoming a victim of a cyberattack, but not all security strategies are airtight, and providers must know how to react if hackers compromise patient data.
The average time to contain a healthcare-related data breach is 287 days, 75 days of which an organization spends attempting to stop the attack and control the damage. Since January 2021, the average healthcare data breach has cost providers approximately $9.32 million per incident. This estimate does not include fees levied by the Office for Civil Rights for HIPAA violations. Time and money spent on resolving a breach can significantly impact a provider's ability to serve a community and its patients.
With more than 2,200 cyberattacks happening each day, providers must establish a business continuity plan (BCP) before falling victim to a breach. A BCP is a process for covered entities to discover, avoid and mitigate system risks, and it often includes a disaster recovery plan for the case where a breach forces a network out of service.
To establish a BCP, providers must:
Understanding how an organization will respond during an attack makes it easier to restore operations and networks and focus on a swift and efficient recovery process.
Twenty-four million Americans had their PHI stolen in 2020 as a result of 505 reported healthcare data breaches. Organizations that neglect to enhance their cybersecurity measures will only add to the number of data breaches now and later. By diligently training employees, enforcing 2FA, leveraging email encryption and preparing an attack strategy, organizations can better prepare to address the ever-present threat of cyberattacks and protect their ability to serve their patients.
Hoala Greevy is the Founder and CEO of Paubox. Greevy has 22 years of experience in the email industry, dating back to his first job out of college at Critical Path in San Francisco in 1999. Prior to founding Paubox, Greevy started Hawaii’s first Software as a Service (SaaS) company, Pau Spam, in 2002. Greevy holds two patents related to email security and graduated from Portland State University with a B.S. in Geography and Social Sciences.
Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company.
Copyright ©2022. All Rights Reserved BNP Media.