Cyberattacks—attempts by hackers to damage, destroy, or hold hostage a computer network, system, or data—have come to health and human service organizations. Health care organizations spend an average of $1.4 million on cyber attacks (see the report from Radware, The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum), and one of the highest ransomware demands of 2018 was $8.5 million (see Beazley Breach Briefing – 2019).
The field has become a prime target for hackers. Health care now has twice the number of cyberattacks per day compared to other industries (32,000 attacks on average vs. 14,300) (see Healthcare Experiences Twice The Number Of Cyber Attacks As Other Industries). A 2018 Ponemon report found that hospitals have to pay $408 per record to retrieve their data (see 2018 Cost Of A Data Breach Study By Ponemon). A few examples of health care ransomware cyberattacks:
- Hollywood Presbyterian Medical Center (HPMC) paid $17,000 after a ransomware attack, which encrypted its electronic health record (EHR)—see Hollywood Presbyterian Pays $17,000 After Ransomware Attack.
- Hancock Regional Hospital paid $55,000 in bitcoin after a ransomware attack locked its data—see Hospital CEO Forced To Pay Hackers In Bitcoin Now Teaches Others How To Prepare For The Worst.
- East Ohio Regional Hospital and Ohio Valley Medical Center were forced to divert emergency department patients to other facilities after ransomware froze the intake system; administrators refused to pay an undisclosed ransom amount—see Two U.S. Hospitals Dealing With Ransomware Attack.
The key for executive teams of health and human service organizations is to be prepared. You can’t necessarily prevent a cyberattack, but you can mitigate its effect with a few fundamental preventive measures. What are those preventive measures? Understand state-specific plans for protected health information (PHI), conduct data risk assessments, build a data security strategy, and develop a data breach response plan.
Understand state-specific plans for protected health information (PHI)—Protected health information is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates. Protecting this information is especially important and complicated because the federal government has rules, and each state has its own set of rules (including privacy regulations) that control access and security for PHI. It’s mandatory to know what data is in your possession and what rules govern how you handle that data.
Conduct a data risk assessment—This assessment helps you identify at-risk, sensitive, or classified data, and the level of risk that it may be attacked, hacked, or breached. If you can’t provide a succinct answer to the question, “How vulnerable are you to data breaches?” then chances are you are extremely susceptible. Running a risk assessment means assessing all your technology (hardware and software) and your organizational processes for managing data, and reviewing the protocols and training for the staff who will use and have access to the data.
Build a data security strategy—A data security strategy is your plan (including procedures, policies, and protocols) for how you will protect your data from being compromised, breached, hacked, or held for ransom in any way. Provider organizations need both a strategy and an action plan to leverage the security potential of data encryption, standardized processes for authenticating user identities, defined policies about appropriate data access, and regularly scheduled audits of the databases. Once you have the tools, getting the processes in place will also mean training staff to use and protect your secure system.
Develop a data breach response plan—A response plan is the organized approach organizations take to address and manage the aftermath of a security breach or cyberattack. It’s best to have a plan, including how to stop the hacking and how to report the incident. A slow response to either of those things will only compound the problem (and possibly the financial repercussions with the feds). Your data breach response plan needs a leader, a team with clearly defined goals during the hack, and an incident response plan to guide the team through response protocols.
OPEN MINDS Senior Associate Joe Naughton-Travers noted that the best strategy is to “hope for the best, but plan for the worst”:
While the goal is to prevent a cyberattack, it is still essential that each organization have a data disaster recovery plan in place. If your EHR data system were attacked and locked, do you have a backup of consumer records or some other plan that will enable you to continue consumer care? Have you executed a data loss fire drill to ensure that you are minimizing clinical and financial risk in the event of a cyberattack? While most agencies technically have disaster recovery plans as part of their accreditation requirements, rarely are they tested. Prevention is the goal, but preparedness for the possibility of a cyberattack is also essential.
Looking for a deep dive into data security? Check out these resources from the OPEN MINDS Circle Library:
- The Dark Side & Management Challenge Of The ‘Internet of Things’
- Your Data Security Deserves A Second Look
- More & Larger Health Care Databases Mean More Data Security Concerns
- Do You Have The Right Data Security ‘Attitude’?
- What Is Your HIPAA Security Score?
- Recipe For HIE Success: Consumer Trust Through Security
- Will Security & Interoperability Shape Our Health Care Future?
- Digital Security Isn’t Where It Needs To Be
- It’s The People, Stupid!
- A New Twist: EHR Extortion
- Avoiding The “Wall of Shame”
And be sure to mark your calendar for October 28-30, when we will host The 2019 OPEN MINDS Technology & Informatics Institute at the Loews Philadelphia Hotel. This year’s institute will focus on tech tools (including data management) that executive teams need to move their organization from the concept of value-based reimbursement to success in the new financial reality.