Healthcare data is being hacked at alarming rates, and we might know why. According to a study by Trustwave, banking and credit data is worth $5.40 per record on the Dark Web, while healthcare records are worth over $250 each. This is because healthcare records typically contain virtually all the private and protected information that exists for that person, including banking and credit card data.
The rate that health systems are being targeted in phishing and social engineering scams continues to increase. Comparing data from Verizon's 2016 and 2019 data breach reports, there has been a threefold increase in both the number of data incidents and the number of actual data breaches arising from those incidents. Further, those numbers are still growing in 2020. (The 2020 version shows a shocking 71% increase in breaches of healthcare information. It also shows 43% of phishing attacks, and malware that steals passwords, originated from the cloud. This is a twofold increase since 2019.)
The 2020 Verizon report also found 70% of all computer hacks were completed by external actors, and 55% were completed by organized crime groups. Is your organization as prepared to protect data as hackers are in their intent to compromise it? The same report goes on to note that 86% of the identified breaches were financially motivated, with nearly 90% of all breaches being carried out by either brute-force attack against "breakable" passwords or with stolen credentials (most likely harvested by business email compromise activities, like phishing attacks).
This is why it is essential to have the highest security standards if your organization is entrusted to keep sensitive healthcare information. But it's also important to recognize that hackers are more sophisticated and savvier than ever. Bad actors are all over the Dark Web and are working tirelessly to break through protections for a big payday. With more people working from home, health data security is increasingly challenging but vitally important. Here are three things to keep in mind when protecting healthcare data.
Prepare to Be Hacked
Sooner or later, your organization is going to be hacked. What's important is how quickly your organization's security team can detect and contain the hack. The healthcare industry has traditionally prioritized preventing data hacks over detecting and containing them, which puts companies in a position of weakness. Verizon's 2020 data breach report found that while detection and response to breach events have generally improved, over 25% of breaches went undiscovered for months.
Organizations should create a balance among prevention, detection, and containment, and proactively build firewalls of protection as well as implement detective controls and response mechanisms. The key is knowing that a breach has occurred in real time, and then having predefined plans for responding to, containing, and recovering from the incident. By failing to identify a data breach quickly, a company could increase costs by 30% to deal with the breach, leaving the individuals who had data exposed vulnerable. Preparations are straightforward and can be based on well-established security protocols and safeguards. For example, organizations that leverage cloud-provisioned applications (for example, Office365, Google Apps, Box, AWS, Salesforce, etc.), will find the deployment of multifactor authentication tools as a prudent and effective protection mechanism.
Protections Must Go Beyond HIPAA
While complying with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Trust (HITRUST) Alliance are good starting points, organizations should go beyond these regulations as they establish only the minimum requirements for compliance with the federal rules. Consumers have concerns about the protection of their individually identifiable healthcare information and expect organizations that hold their data to do more than just what is required by law to protect that information.
The ultimate security certification is called SOC 2 Type II — and it's what organizations should strive for. It is the most comprehensive certification within the Systems and Organization Controls (SOC) protocol. A company that has achieved SOC 2 Type II has proved its system is designed to keep sensitive data secure.
Practice Good Cyber Hygiene
Sometimes, lack of employee diligence is the reason systems get hacked. For example, many people's out-of-office messages give too many details, such as "for help with this, contact this person," which allows hackers to see a chain of command and contact information for other people at the company. Unfortunately, there are always bad actors looking to profit from situations and instances like these by leveraging the abnormality of operations to encourage unsuspecting employees to take actions they otherwise would not. Make employees aware of phishing attempts, such as emails with "breaking news" related to COVID-19, or the usual scam fodder with emails about the election cycle or the extension of tax season. Altogether, this makes it a very dangerous time for healthcare information and the organizations entrusted with it.
Remind employees to continue to practice good cyber hygiene and socially engineering standards. Don't open an unexpected email and attachments. Don't open email from an unknown or untrusted source. Don't fall victim for those sensational email headlines and text messages.
Once compromised, the confidentiality of hacked data cannot be restored. With more people working remotely than ever during the pandemic, we do not yet know what the new normal will look like or when we will get there. But our workplaces and work habits have been changed permanently because of it. It is likely prudent to assume we have entered the realm of the perimeter-free workplace, and that remote work combined with less populated and less-dense office locations will be part of that future new normal. Now is the time to evaluate and assess what that might look like for each of our organizations and do what we can to protect healthcare data.