Hackers and healthcare PHI

The recent data breach at Community Health Systems (CHS) of Franklin, Tennessee, clearly demonstrates the global nature of information security risks and the growing threat of hackers within healthcare. With millions of patient records compromised, is your organization taking this as a warning and ready to shape up its information security?

CHS was recently exposed to hackers who likely originated from China. During April and June, the hackers breached 4.5 million patient records that had been accumulated over five years. The hackers were able to bypass CHS’ security controls and obtained individuals’ names, Social Security Numbers, addresses, birthdates and phone numbers.

Hacking continues to be a relatively low-prevalence threat to the healthcare industry, accounting for only approximately 6% of breaches. However, just one successful hack could expose millions of records, and as healthcare data becomes increasingly valuable, it will continue to become the target for sophisticated, career hackers. In fact, the recent FBI alert highlights just how real this threat is to the healthcare industry.

Yet, healthcare organizations are reacting slowly to the constant threats to protected health information (PHI). The industry still has a long way to go when addressing current security threats and concerns. And although some of these breaches are occurring at an IT level, it is not just an IT problem.

Of course, it’s crucial that organizations have sound network security, which includes installing and updating security patches, installing advanced malware analytic tools, configuring the network properly, performing internal and external technical testing of your environment, and properly acting on network security alerts. However, just as in other industries (retail, financial, energy), the protection of sensitive data must be a C-Suite initiative.

The C-Suite must create a culture of compliance that resonates throughout the entire organization by actively engaging in information security risk management plans. Healthcare organizations must begin to move beyond data security as a regulatory burden on the organization and move towards data security as good business practice. Organizations cannot prevent all data breaches from occurring, but until the C-Suite sees data security as a viable concern, healthcare data breaches will continue to rise.

What is your organization’s “Culture of Compliance?” Has your organization conducted its mandatory Risk Analysis under HIPAA?

Join one of Clearwater Compliance’s NEW Information Risk Management BootCamps™ and learn to understand your requirements under HIPAA and how to best manage your information security risks.

Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years of legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights, where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.