The HIPAA Journal reported that there were 2,181 healthcare data breaches from October 2009 through 2017. These resulted in the theft and/or exposure of more than 176 billion healthcare records, a figure that covers over half of the U.S. population. However, the true number is likely higher, as only HIPAA-covered entities that experience a breach affecting more than 500 individuals are required to report the incident.
Why is the healthcare industry being targeted?

The healthcare industry is a prime target for cybercriminals because of the large amount of highly sensitive patient information that can be accessed, including date of birth, social security number, next of kin, and current and previous addresses, all of which can be used to steal a person's identity. Stolen healthcare data may also be used as leverage to extort money from healthcare organizations that are desperate to protect patient information.
What you can do to prevent a healthcare data breach

As you can see, it is imperative that healthcare organizations take steps to reduce the possibility of a data breach. Here are 10 ways that you can tighten your data security:
- Conduct an annual security risk analysis: Like a wellness exam that physicians encourage for patients, healthcare organizations should at minimum conduct an annual HIPAA security risk analysis. The HIPAA Security Rule requires periodic risk analysis already, so think of this as killing two birds with one stone. This analysis will help you identify vulnerabilities and areas of improvement.
- Choose trusted partners: When you outsource services like medical billing, coding or transcription, your healthcare data is only as secure as the measures your third-party service provider has in place. Make sure you carefully select a trusted provider like Applied Medical Systems, whose U.S.-based team has more than 50 years of experience in the healthcare industry.
- Provide continuing education: Educate and re-educate employees on current HIPAA rules and regulations so that they fully understand the implications of a data breach, as well as the consequences for violating them.
- Monitor devices and records: Part of continuing education for employees includes reminding them to never leave electronic devices or paper records unattended. The other piece of this is to make sure every employee is trained in the proper procedures for logging on and off devices, especially shared devices.
- Limit access to patient information: Users should only have access to patient healthcare data that relates to their position. Restricting access and managing user permissions are essential components of preventing a healthcare data breach.
- Create a wireless network for guests: The most secure way to offer patients and visitors wi-fi access without allowing access to your organization’s entire network is to create a subnetwork.
- Restrict use of personal devices: Your IT staff has a big enough job ensuring the security of your internal network and devices. Have a clear "bring your own device" policy that outlines which devices (e.g., smartphones, tablets, laptops) are allowed to be used internally and externally. Can company-issued devices be brought home? Will you allow personally owned devices to connect to your internal network? Implementing and enforcing this policy can help prevent a healthcare data breach.
- Update your IT infrastructure: When it comes to technology and data security, the only permanent thing is change. Keep equipment secure by updating or replacing outdated hardware for which security patches are no longer available.
- Don’t skimp on IT staff: Of course, you can’t operate a healthcare organization without physicians and nurses, but the same holds true for quality IT staff. Your security measures are only as strong as those you hire to help support and manage them.
- Invest in a good legal team: Healthcare data breaches have become so prevalent that the best thing you can do is prepare with a "when, not if" mentality. Take a proactive, rather than reactive, approach and have good legal representation on standby in the event of a breach.