Preparing for the Inevitable: Protecting Hospitals and Physician Groups from Cybercrime

If you’re in the healthcare industry, you understand why your records are valuable. PHI records cost up to $1,000 each on the dark web versus $5 for credit cards and $1 for social security numbers – you can see the markup.

Some authorities believe that ransomware cost the world $20 billion in 2021. This figure is expected to increase to $265 billion by 2031.

With October being Cybersecurity Awareness Month, now is a good time to self-assess your cybersecurity response plan and the other measures that reveal your strengths and weaknesses. The sensitive nature of the data collected, coupled with a low tolerance for system downtime, has made the healthcare industry a prime target for cybercrime. It is more than likely that a health care provider will get hacked. The question is: how will this play out?

In the worst case, you suffer a breach and a successful ransomware attack.

If it is not ransomware, but simply a breach or successful access to your data, you must assess and respond to the breach and comply with all HIPAA requirements, including your auditing and reporting requirements.

In either of the above cases, once you have passed through the initial minefield, you must determine your duty to notify the Office for Civil Rights (OCR), and then you may face fines, other sanctions or the OCR equivalent of an OIG Corporate Integrity Agreement.

Why is it important?

  • Your systems, operations, patients and reputation will be impacted.
  • You could have legal and regulatory exposure and legal liability.

What is the bare minimum you need to protect against wrongdoing?

  • Multi-factor authentication – you want to ensure that the person who is on your system from a remote location is actually authorized to be there.
  • Software Updates – configure your server or provider settings so that your security suites and patches are installed automatically as soon as they are available.
  • Phishing – 80-90% of all ransomware attacks begin with some type of phishing incident. Attackers need a way in, and phishing emails are still the easiest way to get one. There’s no better time to run a phishing exercise to see how many people click the link; it will establish a good baseline.
  • Review access and policies – see who has access to your IT systems and which documents they can reach.
  • IT/Cybersecurity Team Members – we now know that you need to involve your IT and cybersecurity staff in decision-making. Gone are the days of IT people only looking at your services and monitors – you need them to monitor your cybersecurity too. With experienced cyber counsel on your team, your response and remediation can begin instantly if a breach occurs.
  • Test backups – test your systems now. If you have a backup, try restoring all of your data to one system to see if you’re really ready.
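A backup that has never been restored is only a hope. The following program is an added example, not part of the original article: it captures a SHA-256 manifest of a live data tree, restores the backup to a second location, and reports every file that came back missing or altered. The directory layout and the "PHI" files are constructed sample data, not real patient records.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Manifest walks root and returns relative path -> hex SHA-256 for every regular file.
func Manifest(root string) (map[string]string, error) {
	m := make(map[string]string)
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		f, err := os.Open(p)
		if err != nil {
			return err
		}
		defer f.Close()
		h := sha256.New()
		if _, err := io.Copy(h, f); err != nil {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		m[filepath.ToSlash(rel)] = hex.EncodeToString(h.Sum(nil))
		return nil
	})
	return m, err
}

// VerifyRestore compares the manifest taken from the live system with the
// manifest of the restored copy: files absent from the restore are "missing",
// files whose hash differs are "corrupted". Extra files in the restore are ignored.
func VerifyRestore(live, restored map[string]string) (missing, corrupted []string) {
	for path, sum := range live {
		got, ok := restored[path]
		switch {
		case !ok:
			missing = append(missing, path)
		case got != sum:
			corrupted = append(corrupted, path)
		}
	}
	sort.Strings(missing)
	sort.Strings(corrupted)
	return missing, corrupted
}

// DemoRestoreCheck builds a constructed scenario in a temp directory: three
// sample files, then a restore in which one file was truncated and one lost.
func DemoRestoreCheck() (missing, corrupted []string, err error) {
	tmp, err := os.MkdirTemp("", "restore-check")
	if err != nil {
		return nil, nil, err
	}
	defer os.RemoveAll(tmp)
	live, restore := filepath.Join(tmp, "live"), filepath.Join(tmp, "restore")
	files := map[string]string{ // constructed sample data, no real PHI
		"patients/1001.json": `{"id":1001,"name":"A. Sample"}`,
		"patients/1002.json": `{"id":1002,"name":"B. Sample"}`,
		"imaging/scan-7.dcm": "DICM-placeholder-bytes",
	}
	for rel, body := range files {
		for _, root := range []string{live, restore} {
			p := filepath.Join(root, filepath.FromSlash(rel))
			if err := os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
				return nil, nil, err
			}
			if err := os.WriteFile(p, []byte(body), 0o600); err != nil {
				return nil, nil, err
			}
		}
	}
	// Simulate a bad restore: one record truncated, one image never came back.
	if err := os.WriteFile(filepath.Join(restore, "patients", "1002.json"), []byte(`{"id":1002`), 0o600); err != nil {
		return nil, nil, err
	}
	if err := os.Remove(filepath.Join(restore, "imaging", "scan-7.dcm")); err != nil {
		return nil, nil, err
	}
	liveM, err := Manifest(live)
	if err != nil {
		return nil, nil, err
	}
	restM, err := Manifest(restore)
	if err != nil {
		return nil, nil, err
	}
	missing, corrupted = VerifyRestore(liveM, restM)
	return missing, corrupted, nil
}

func main() {
	missing, corrupted, err := DemoRestoreCheck()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("missing after restore:  ", missing)
	fmt.Println("corrupted after restore:", corrupted)
}
```

In practice the live manifest is written at backup time and stored with the backup, so the restore test can run on an isolated system without touching production; a non-empty missing or corrupted list means the backup is not yet something you can rely on during a ransomware incident.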

Must do

According to the security company Sophos, in 2021, 37% of all businesses and organizations were affected by ransomware. Recovering from a ransomware attack costs businesses an average of $1.85 million.

Since 2018 the bad guys have gone triple threat – they deploy ransomware, they encrypt your data, and now they also release your data publicly, or never give it back at all, putting it on the dark web for others to use. Some must-do steps for all hospitals and physician groups to minimize risk and protect your data include:

  • Tag your team – identify and assemble your team now. If you have a data breach and are only then trying to get your team together, it’s too late.
  • Data inventory – you should consider what kind of information you have, where it is and who has access to it.
  • Risk assessment – identify your crown jewels: what are the things you need to protect? And you have to be honest and ask how anyone could get into this system.
  • Privacy Policy – this is an industry standard that did not exist many years ago. These policies are paramount and are now expected whether you collect information from a website or a mobile application. What rights do the individuals have? Tell people what you do with their information. Likewise, when formulating your policies, you must consider the HIPAA Security Rule and the HIPAA Privacy Rule.
  • WISP – Written Information Security Policy – this is a comprehensive policy that contains all your documents regarding your data, privacy, cyber security and other rules and regulations, including employee information and security policy. You need to let your employees know what their responsibilities are – placing the obligation on both the company and the employees is important. You can apply sanctions against an employee who caused the damage.
  • CIRP – Critical Incident Response Plan – this will be your reference guide that lists your team members and your insurance policy with contact details. It will also name the forensic vendor provided by your insurance company.
  • Laws and regulations – laws change every day. Following California’s lead, Virginia, Ohio, and Alabama have made or are considering significant changes to their privacy laws. You should be aware of your state laws, which are not superseded by HIPAA regulations, as well as federal laws.
  • Encryption – if you encrypt your information, you are basically exempt from many reporting requirements. If you have been the victim of a breach of all your information, but that information is encrypted or anonymized, meaning no one can use it without the key, you are protected.
  • Data Retention – this is another safeguard that is increasingly shaped by state law. The healthcare industry has HIPAA retention requirements on the patient side and separate requirements on the employee side. For example, you must follow HIPAA retention rules with respect to your patient data, but your employee and other non-HIPAA personal information may have other retention periods to consider. Whenever the law does not require you to retain information, you should dispose of it. If you don’t have the data, no one can get it.
  • Contracts with third-party vendors – you need to know where all your data is located and ensure that your third-party vendors meet the same security standards as your industry.
  • Insurance Compliance – as losses have risen and exceeded premiums, insurance companies are getting tougher and tougher on companies that fail to meet the obligations and conditions they agreed to in the insurance policy. Familiarize yourself with your insurance policy and follow it to the letter.
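The Encryption item above rests on one property: stolen ciphertext is useless without the key, and any tampering with it is detected. The program below is an added illustration, not code from the article or any vendor; it encrypts a constructed sample record with AES-256-GCM, binds the record identifier as associated data, and shows that decryption succeeds only with the right key, the untouched blob and the matching identifier. Key storage (a KMS or HSM separate from the data store) is assumed and out of scope here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh 256-bit data-encryption key. In production the key
// lives in a KMS/HSM, never on the same system as the data it protects.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// EncryptRecord seals plaintext with AES-256-GCM. The random 96-bit nonce is
// prepended to the output; recordID is authenticated (not encrypted) so a blob
// cannot be silently moved from one record to another.
func EncryptRecord(key, recordID, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil
}

// DecryptRecord reverses EncryptRecord. Any error (wrong key, modified bytes,
// wrong recordID) is an authentication failure and yields no plaintext.
func DecryptRecord(key, recordID, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, recordID)
}

// DemoSafeHarbor runs the four cases a defender cares about and reports which
// behaved correctly: right key works; wrong key, tampered blob and swapped
// record id are all rejected. The record content is constructed, not real PHI.
func DemoSafeHarbor() (rightKeyOK, wrongKeyRejected, tamperRejected, swapRejected bool, err error) {
	key, err := NewKey()
	if err != nil {
		return
	}
	otherKey, err := NewKey()
	if err != nil {
		return
	}
	record := []byte(`{"mrn":"000123","dx":"sample diagnosis"}`) // constructed sample
	id := []byte("mrn:000123")
	blob, err := EncryptRecord(key, id, record)
	if err != nil {
		return
	}
	pt, derr := DecryptRecord(key, id, blob)
	rightKeyOK = derr == nil && string(pt) == string(record)

	_, derr = DecryptRecord(otherKey, id, blob)
	wrongKeyRejected = derr != nil

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the GCM tag
	_, derr = DecryptRecord(key, id, tampered)
	tamperRejected = derr != nil

	_, derr = DecryptRecord(key, []byte("mrn:000999"), blob)
	swapRejected = derr != nil
	return
}

func main() {
	ok, wrong, tamper, swap, err := DemoSafeHarbor()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("right key decrypts: %v\nwrong key rejected: %v\ntamper rejected: %v\nswapped id rejected: %v\n", ok, wrong, tamper, swap)
}
```

The safe-harbor argument only holds if the key was not part of the breach: encrypted disks whose key is cached on the same compromised server, or a database whose encryption key sits in a config file next to it, do not give you this protection.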

The healthcare industry has basic requirements to protect patient data under HIPAA. To keep the focus on patient care, it is important to assess where gaps in protection may arise. The same issues arise for small and large health care providers, but the response plans will be different.

Three things can be done immediately: encrypt information, review policies and procedures, and perform cyber reviews.

Policies regarding mapping and imaging machines are important considerations. Providers should consider their policies on backing up paper records in case electronic records are compromised. A recent study of breaches involving medical imaging highlighted that most could have been prevented by implementing basic physical and information security practices. Having the right policies and procedures in place and understanding your risk can reduce your exposure to a breach and help you respond quickly if one occurs.
