The recent data breach at Community Health Systems (CHS) of Franklin, Tennessee, clearly demonstrates the global nature of information security risks and the growing threat of hackers within healthcare. With millions of patient records compromised, is your organization taking this as a warning, and is it ready to shape up its information security?
CHS was recently exposed to hackers who likely originated from China. During April and June, the hackers breached 4.5 million patient records that had been accumulated over five years. They were able to bypass CHS’ security controls and obtain individuals’ names, Social Security Numbers, addresses, birthdates and phone numbers.
Hacking continues to be a relatively low-prevalence threat to the healthcare industry, accounting for only approximately 6% of breaches. However, just one successful hack could expose millions of records, and as healthcare data becomes increasingly valuable, it will continue to be a target for sophisticated, career hackers. In fact, the recent FBI alert highlights just how real this threat is to the healthcare industry.
Yet, healthcare organizations are reacting slowly to the constant threats to protected health information (PHI). The industry still has a long way to go when addressing current security threats and concerns. And although some of these breaches are occurring at an IT level, it is not just an IT problem.
Of course, it’s crucial that organizations have sound network security, which includes installing and updating security patches, installing advanced malware analytic tools, configuring the network properly, conducting internal and external technical testing of your environment, and properly acting on network security alerts. However, just as in other industries (retail, financial, energy), the protection of sensitive data must be a C-Suite initiative.
The C-Suite must create a culture of compliance that resonates throughout the entire organization by actively engaging in information security risk management plans. Healthcare organizations must begin to move beyond data security as a regulatory burden on the organization and move towards data security as good business practice. Organizations cannot prevent all data breaches from occurring, but until the C-Suite sees data security as a viable concern, healthcare data breaches will continue to rise.
What is your organization’s “Culture of Compliance”? Has your organization conducted its mandatory Risk Analysis under HIPAA?