3 Ways to Mitigate Risk of Healthcare Data Breaches
The healthcare industry has seen a major spike in data breaches and security threats in recent years. According to Trend Micro’s data breach analysis, since 2010, 27 percent of all disclosed data breaches were in healthcare, followed by education (17%) and government (16%). There are two possible explanations for this. First, insider threats have always been present but were never properly reported. Second, insiders have discovered the monetary value of stealing and selling sensitive data and are therefore committing more crimes.
Unfortunately, any business or organization that processes and/or stores sensitive data is vulnerable to a data breach (e.g., healthcare, education, government, retail and financial industries). So it’s the organization’s responsibility to employ proper safeguards to protect the sensitive information stored in their systems. Here are some ways your healthcare organization can strengthen its defense system to avoid costly and damaging data breaches.
Conduct Risk Assessments
The Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities, business associates and their subcontractors “[implement] policies and procedures to prevent, detect, contain and correct security violations.” In order to satisfy these requirements, all entities subject to HIPAA’s Security Rule are required to conduct risk assessments. A risk assessment is a “thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information” held by the organization. According to a Foster Swift article, “conducting a thorough risk assessment is a very important first step, especially for entities that have not already done so or for entities that have not been routinely updating their assessments.”
Encrypt Sensitive Data
Healthcare data encryption is an increasingly popular option for safeguarding sensitive data such as personally identifiable information (PII). Encryption converts data into encoded text, which makes the information unreadable to anyone who does not hold the key needed to decrypt it. According to Trend Micro’s analysis, the three most popular record types and record-type combinations compromised in the healthcare industry were health and PII (40%), health data (19%), and PII (15%). Data encryption is a good option for covered entities or business associates that regularly handle electronic protected health information (ePHI), says Elizabeth Snell, Lead Editor at HealthITSecurity.com.
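To make the point above concrete, here is an added example (not code from the article or from any vendor it quotes) of encrypting a single ePHI record at rest with authenticated encryption. It uses Go’s standard-library AES-256-GCM; the JSON record, the record identifier and the 32-byte key are constructed for the example, and in a real deployment the key would live in a key-management service or HSM, never beside the data it protects. The example also shows two properties the paragraph only implies: without the key the ciphertext is useless, and any tampering with the stored record is detected on decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed ePHI record for illustration only (not real patient data).
const sampleRecord = `{"patient_id":"EXAMPLE-0001","dob":"1970-01-01","diagnosis":"example"}`

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG.
// Assumption: the caller stores this key in a KMS/HSM, separate from the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals plaintext with AES-256-GCM. The record ID is passed as
// additional authenticated data so a ciphertext cannot later be swapped onto a
// different patient's row without detection. Output layout: nonce || ciphertext || tag.
func EncryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A random 96-bit nonce per record; must never repeat under the same key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord reverses EncryptRecord. It fails (returns an error) if the key
// is wrong, the record ID does not match, or any byte of the stored blob changed.
func DecryptRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, []byte(recordID))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := EncryptRecord(key, "EXAMPLE-0001", []byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes) reveals nothing: %x...\n", len(sealed), sealed[:12])

	plain, err := DecryptRecord(key, "EXAMPLE-0001", sealed)
	fmt.Printf("with the key: %s (err=%v)\n", plain, err)

	// A stolen copy without the key, or a modified copy, is rejected.
	otherKey, _ := NewKey()
	_, err = DecryptRecord(otherKey, "EXAMPLE-0001", sealed)
	fmt.Printf("wrong key: err=%v\n", err)

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptRecord(key, "EXAMPLE-0001", tampered)
	fmt.Printf("tampered blob: err=%v\n", err)
}
```

The design choice worth noting is the authenticated mode: plain AES in CBC or ECB mode would keep the data unreadable but would not tell you that a stored record had been altered, whereas GCM ties confidentiality and integrity together and, via the record ID as associated data, also prevents a valid ciphertext from being silently moved to another patient.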
Provide Employee Training and Education
An important step in reducing a company’s risk of a data breach or cybersecurity attack is ongoing training and testing. The Association of Corporate Counsel (ACC) Foundation found that fewer than half of in-house counsel (45%) said their organizations have mandatory training for employees on how to prevent cybersecurity breaches. However, employers should keep in mind that training employees on company security policy only during onboarding or through annual training is not enough, says Stu Sjouwerman, CEO of KnowBe4. “To be most effective, use anti-phishing tools to frequently test employees on a variety of types of subjects and times, then follow up with remedial training for anyone who fails.”
According to Amar Sarwal, Vice President and Chief Legal Strategist for ACC, HR can play a critical role in educating employees about cybersecurity and in designing policies that support the legal, financial and information technology functions.
While cybersecurity is an important lesson for employers and their teams, Trend Micro’s analysis reveals that hacking or malware attacks accounted for less than 10 percent of all breaches. The leading cause of all breaches (60%) is the loss or theft of portable devices, backup drives, files, laptops, office computers and other devices. “Companies need to know where their data is at all times—not just what device it is on, but where that device is located physically,” says PCWorld contributor Jonathan Keane. In addition to requiring laptops and other portable devices to be password protected, employers should consider employing remote wiping tools. “If a laptop is lost or stolen, the company should have an easy way to remotely wipe the sensitive data to ensure it never leaks.”
Large data breaches are typically followed by class-action lawsuits, damaging the organization’s reputation and costing it the trust of its community. However, massive-scale data breaches are not that common because they require careful planning, time and strategy. Hackers tend to target smaller businesses and organizations because they often have fewer resources and weaker defenses.
What are your thoughts? Is your organization prepared for a data breach? What strategies or policies do you have in place to prevent cyber criminals from gaining access to sensitive information?