A picture might say 1,000 words, but in the case of cyber-security, statistics speak millions. According to presentations from the Federal Bureau of Investigation and the U.S. Secret Service:
- 70% of the U.S. population has been affected by at least one data breach.
- The total cost of data breaches and data theft to date exceeds the gross domestic product of Sweden—$450 billion.
- 99.9% of data breaches are due to technology more than one year old: patches are not being applied, and unsupported technology is still in use.
- 60% of all data losses occur within five minutes of the breach of systems.
- 80% of email and SMS messages are spam; 56% of Internet-based email traffic is sent by spambots.
In the healthcare industry specifically, the story the facts tell is just as grim.
- One in three Americans was affected by a healthcare breach in 2015, according to a report from Bitglass. That’s more than 113 million individuals.
- A lost or stolen record costs a healthcare organization $363 on average, per a Ponemon Institute report.
- Hollywood Presbyterian’s information systems were held hostage in February 2016 for $3.6 million in Bitcoin.
No matter the technology used in the healthcare industry today—e-signature software, EHR platforms, wearable devices, smartphones, tablets, or other software or hardware—providers can either work to mitigate risk or watch the organization spiral into potentially uncontrollable vulnerability. Today’s electronic environment leaves little room for laissez-faire security efforts if a healthcare provider wants to remain safe from attack.
Reducing cyber-risk for healthcare organizations can (and should) come from many different angles. Here are eight ways to jumpstart your cyber protection:
- Limit remote connectivity. The fewer access points to your healthcare data network, the better. Restrict your bring-your-own-device (BYOD) policy to include only organization-administered devices. This way, you can control the data on those devices, including malware/anti-virus protection and remote data wiping. Also, be sure to police off-the-shelf device connections to networks to make sure there aren’t any suspicious devices looking for “back-door” entry.
- Block tracking cookies. Try to keep online traffic as invisible as possible. By blocking tracking cookies, third parties will be unable to follow online traffic. It can also prevent someone from gaining easy access to a secure account through automatically populated usernames and passwords.
- Limit employee access to social media and external email sites. As with entry into your data network, the fewer people who have access to social media and email sites, the fewer people who are in a position to distribute or access sensitive information.
- Develop high standards for vendors. Almost every healthcare organization will work with a third-party technology firm of some kind, such as an e-signature provider or a billing software provider. It’s important to make certain that their security efforts meet or exceed your expectations. Perform a thorough audit on the vendor and ask detailed questions about the technology’s security before you sign a business associate agreement. [Editor’s note: Read this case study to learn how one clinical research organization vetted SIGNiX before implementing e-signatures into its practice.]
- Train your staff. Cyber-security risk is lowest when everyone in an organization takes part in cyber protection. Make sure all employees—no matter their department—are trained on the proper protocols for handling data and using networks.
- Audit. Regularly investigate your organization’s security effectiveness and spot any weaknesses that need addressing. It may also be wise to have a third party take an objective look at your security systems and processes. At a minimum, security audits should be done annually. Failure to have HIPAA-compliant security analyses performed is the violation most often sanctioned by the DHHS Office for Civil Rights.
- Cooperate with law enforcement if a breach or attack occurs. Unfortunately, no organization will be 100% protected from a cyber breach. If an attack occurs, work with law enforcement officials as openly as possible so that the source of the problem can be detected and addressed.
- Consider cyber insurance. Even though your organization can certainly lower its risk of a cyber-attack, cyber insurance may be worth the investment. Again, no organization is fully immune to an attack, and cyber insurance can help reduce the financial burden an organization could face if a breach occurs. Be certain any insurance you purchase covers actions by rogue employees.
Please contact Barry Herrin at firstname.lastname@example.org or 404-459-2526 if you are interested in learning more about this topic, in general or for a conference or group. Herrin spoke on cyber-risk, cyber insurance and human resources issues in cyberspace at the 2016 American Health Information Management Association (AHIMA) conference.
Barry S. Herrin, JD, FAHIMA, FACHE, is the founder of Herrin Health Law, P.C., in Atlanta, Ga. Herrin offers more than 25 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association. He also holds a Certificate in Cyber Security from the Georgia Institute of Technology.