With persistent cyber attacks on the rise, the health-care industry is grappling with how to protect personal health information. We’ve seen a noticeable shift from a compliance-based approach to one focused on risk management. Healthcare companies are realizing that, in addition to meeting security and privacy regulations, they can do more to prevent breaches by assessing and prioritizing cybersecurity risks. And some health-care companies are starting to look for technology executives with risk experience.
Since 1996, the industry’s regulations under the Health Insurance Portability and Accountability Act (HIPAA) have required covered entities to safeguard the security and privacy of individually identifiable patient health information. While HIPAA sets out clear expectations for protecting personal health information, it doesn’t address the rapidly evolving world of cybercriminals and their increasing sophistication in targeting health-care companies.
The message that mere HIPAA compliance is not enough seems to have sunk in, especially in recent years, according to a recent Healthcare Information and Management Systems Society (HIMSS) report, which tracks responses to the annual HIMSS Cybersecurity Survey from 2008 through 2015.
“Cybersecurity threats change every thirty days,” said Jim Routh, CIO at Aetna Inc. Yet the regulatory frameworks the industry uses have taken 17 years to create. “They’re not designed to be responsive to the changes in the threat landscape,” he said.
“Prior to 2013, the largest reported breaches in the healthcare industry were largely the result of lost or stolen devices, such as back-up tapes, servers or laptops,” according to the HIMSS report. “After this time, the largest reported healthcare breaches have been primarily due to cyber-attacks.”
This year alone, hackers have compromised more than 100 million patient records through advanced persistent attacks.
And a September report from PricewaterhouseCoopers on the global state of information security found that detected incidents reported by health-care providers and payers in a two-month period in 2014 were 60% higher than in a similar period in 2013. Financial losses increased 282% over 2013.
“In the past stolen credit card data was a hotter commodity than patient health information. Credit card companies are now much better at spotting fraudulent activity. This has made the type of personal information stored by healthcare organizations more desirable and therefore more valuable to a criminal,” said Heath Gieson, Vice President of Technical Services for SLPowers. “This personal information contains all the necessary data needed to create or steal identities. Ultimately this allows criminals to do more than just rack up credit charges before the bank or account holder catches on.”
While regulatory compliance is certainly important, it isn’t enough to prevent breaches. Security management needs a multi-layered approach, and controls such as multi-factor authentication and data encryption are imperative. The HIMSS survey authors concluded that traditional defensive weapons “likely will not be successful in helping to defend from the cyber-attacks of tomorrow.”
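To make the multi-factor authentication recommendation concrete, here is an added example of the server side of a time-based one-time password (TOTP, RFC 6238) check, written for this article and not code from the original post or from SLPowers. It uses only the Python standard library; the 20-byte secret and timestamps in the test are the published RFC 4226/6238 test vectors, and the secret shared with an authenticator app is assumed to be distributed as Base32, as most apps expect.

```python
"""Server-side TOTP verification (RFC 6238) with the Python standard library.

Added illustration for the multi-factor authentication recommendation above;
this is not the article's or SLPowers' own code.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the big-endian 8-byte counter, dynamically
    truncate to 31 bits, and keep the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals
    elapsed since the Unix epoch."""
    return hotp(secret, for_time // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, now: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept a code generated within +/- `window` time steps of `now`
    (to tolerate clock skew), comparing in constant time so the check
    leaks nothing about how many digits matched."""
    if now is None:
        now = int(time.time())
    # Reject anything that is not exactly `digits` decimal digits before
    # doing any crypto; this also blocks empty or padded submissions.
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    for offset in range(-window, window + 1):
        candidate = totp(secret, now + offset * step, step, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def decode_base32_secret(b32: str) -> bytes:
    """Authenticator apps exchange the shared secret as Base32, often
    without '=' padding; normalise and decode it to raw bytes."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


if __name__ == "__main__":
    # Constructed demo: the RFC 4226/6238 reference secret in Base32 form.
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    code = totp(secret, int(time.time()))
    print("current code:", code, "accepted:", verify_totp(secret, code))
```

Two points matter in production beyond what the block shows: record each accepted code (or the time step it came from) so it cannot be replayed inside the skew window, and rate-limit failed attempts, since a six-digit code has only a million possibilities.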
Contact SLPowers today to talk about implementing a multi-layered security solution — in conjunction with impactful employee security training — to mitigate your risk.