Today, hackers and criminals who wish to steal valuable data are increasingly choosing to attack the healthcare industry. Healthcare databases are more valuable than many people realize, and not all companies have adequate protection in place. In fact, 68 percent of healthcare organizations fail their risk assessments. This figure could be reduced dramatically if the industry recognized the importance of strengthening its information risk management and cybersecurity programs.
Healthcare: The New Cybersecurity Battleground
Healthcare is now considered a top target for data breaches, and incidents are occurring more and more frequently. In fact, in 2014, there were 322 breaches in the healthcare and medical sector alone. Those breaches accounted for 6.6 million compromised records and billions of dollars in loss.
In reality, healthcare is becoming the next cybersecurity battleground. Security officers in the government and healthcare fields have been making a concerted effort to convince institutions that cybersecurity risks are getting out of control. Tom Kellerman, chief security officer at Trend Micro, Inc., told Bloomberg:
“The health-care industry is being hunted and hacked by the elite financial criminal syndicates that had been targeting large financial institutions until they realized health-care databases are more valuable.”
Many events in the past two years have showcased how extensive this problem has become.
Most recently, in September 2015, 10.5 million records were compromised from Blue Cross affiliates, just one of a series of major digital intrusions into the medical insurance sector over the last two years.
It has become evident that all industries, and healthcare especially, are being targeted for data breaches that cause harm or loss to both companies and individuals. Security risks are clearly getting out of control. As a result, the Department of Justice has taken an aggressive position: it plans to pursue perpetrators more actively and to take fraud allegations more seriously.
10 Actions to Take Now
OCR (the HHS Office for Civil Rights, which enforces HIPAA) recommends that health care organizations take the following 10 steps to strengthen their cyber risk management program:
- Set in place privacy and security risk management and governance programs. (45 CFR §164.308(a)(1))
- Develop and implement comprehensive HIPAA policies and procedures. (45 CFR §164.530, 45 CFR §164.316 and 45 CFR §164.414)
- Train all members of your workforce on detailed security policies and compliance measures. (45 CFR §164.530(b), 45 CFR §164.308(a)(5) and 45 CFR §164.414)
- Complete a HIPAA security risk analysis and risk management program. (45 CFR §164.308(a)(1)(ii)(A) and (B))
- Complete a HIPAA security nontechnical evaluation, also known as a compliance assessment. (45 CFR §164.308(a)(8))
- Complete technical testing of your environment. (45 CFR §164.308(a)(8))
- Complete privacy rule and breach notification rule compliance assessments. (45 CFR §164.500 and 45 CFR §164.400)
- Implement a strong, proactive business associate management program. (45 CFR §164.502(e) and 45 CFR §164.308(b))
- Assess your current insurance coverage (e.g., cyber liability, D&O, E&O, P&C).
- Document and act upon a remediation plan. (45 CFR §164.530(c) and 45 CFR §164.306(a))
Clearwater Compliance Can Help
Implementing each of these actions to improve your security posture isn’t simple, but our team of experts has helped hundreds of organizations strengthen their cybersecurity programs and meet their HIPAA compliance requirements through software, education and services.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.