Cybersecurity and Healthcare: Protect Your Patients and Your Organization

By Melissa Meeker

Data breaches maintain their reign in the headlines as cyberattacks continue to happen at a disturbingly high frequency. Consumer information has never been more vulnerable, and no industry is immune to the threat of an attack. In an environment where no organization is safe, healthcare providers are especially vulnerable.

Fortunately, established regulatory and security frameworks can help healthcare providers strengthen their data security. These frameworks exist to both ensure compliance with important fundamental security principles and to provide best practices when it comes to protecting sensitive information. For healthcare providers, these frameworks often form the foundation of the organization’s policies governing data security.

Don’t wait for a breach to occur before taking a strong look at your organization’s cybersecurity policies – now is the time to act. Here’s a closer look at how you can protect sensitive patient data.

Regulatory Frameworks of Cybersecurity

First, make sure your organization is in compliance with all applicable regulatory frameworks. The most common ones include Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH).

PCI DSS sets the standard for protecting payment systems from breaches and theft of cardholder data. This framework affects merchants, financial institutions, and all point of sale vendors. PCI DSS is enforced by the individual payment brands or by acquiring banks.

HIPAA legislation provides data privacy and security provisions for safeguarding medical information. HIPAA applies to all healthcare providers, health plans, and healthcare clearing houses. Enforced by the Department of Human and Health Services Office of Civil Rights (OCR), there are three HIPAA rules that have a significant impact on cybersecurity.

1. Security Standards for the Protection of Electronic Protected Health Information (referred to as the Security Rule). This rule establishes a national set of security standards for protecting important patient health information that is being housed or transferred in electronic form.
2. Standards for Privacy of Individually Identifiable Health Information (commonly known as the Privacy Rule). This rule establishes the first national standards to protect patients’ personal health information (PHI).
3. Breach Notification Rule. This rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information.

HITECH was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA) and was signed into law to promote the adoption and meaningful use of health information technology. HITECH extends the privacy and security provisions of HIPAA, increases penalties for violations, offers financial incentives for use of Electronic Health Records (EHR), and requires notification of a PHI breach. Completion of these objectives is believed to improve the quality of care, lower cost and provide patient safety.

Security Frameworks of Cybersecurity

While legislation can help enforce minimum standards for protecting patient information, it often isn’t enough to deter a cyberattack. Security frameworks have been established to provide additional protection.

Targeted companies spent an average of $879,582 because of damage or theft of IT assets*

It’s helpful to think of a security framework as a set of guidelines or best practices that can be used to set up an organization’s overarching security program. Two common security frameworks include the International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST).

Both security frameworks provide checklists and guides that are useful in developing an organization’s cybersecurity policy.

HIPAA enforcement fines and penalties

I’m a small organization. Should I be concerned?

Unfortunately, no one is safe from cyberattacks. You don’t have to be a major player in the industry (think Anthem) to be a target. The reality is that targets are usually chosen at random. For example, one method used by hackers involves an internet sweep, which searches for vulnerable organizations that do not have certain security patches or updates installed.

43% of cyberattacks target small business*

Phishing or spear phishing is another popular tactic that utilizes fake emails sent to one or more of your employees. While more organizations are training their staff to recognize phishing tactics, all it takes is one click for the attacker to breach your system. Phishers play the odds and buy hundreds of thousands of email addresses and wait for an unsuspecting employee to click their bogus link. This opens the door for a data breach, as the link usually contains ransomware, spyware or malware.

43% of small business cyberattacks included phishing/social engineering attacks*

Spear phishing involves researching the intended victim using resources such as the company website or your Facebook or LinkedIn profile. Because spear phishing incorporates personal information, these emails can seem more authentic to the victim – resulting in a higher click rate. Say your organization just completed open enrollment for health insurance. A spear phishing scam may involve an email that includes the logo from your insurance company and a request for clarification on some piece of information, such as an enrollment option or a forgotten beneficiary. It is very easy for employees to fall for these types of emails because they seem relevant and timely.

How do I protect my organization?

As a healthcare provider, the importance of reading the HIPAA security rule in its entirety cannot be over stated. The OCR will use the regulations as their checklist to ensure that you are meeting the required standards. You should also form a compliance group or committee within your organization led by appointed compliance officers. This group should include representatives from multiple relevant areas, including your IT personnel or vendor. This group will assume responsibility for developing policies and procedures.

To date, the OCR has issued hundreds of thousands of dollars in fines and has referred 638 cases to the Department of Justice for criminal investigation regarding protected health information (PHI). The most common compliance issues cited include lack of safeguards of PHI, impermissible uses and disclosures, lack of patient access to their PHI, and disclosure of more than the necessary PHI.

Most cybersecurity breaches are the result of technical and human error. To mitigate this risk, there are several steps you can take:

1. Ensure that your IT professionals use encrypting devices.
2. Make sure all computers and server operating systems’ software is up to date.
3. Install antivirus software, firewalls or filters to help protect your network.
4. Change passwords frequently and only give access to patient information to essential staff.
5. Conduct user training within your organization.
6. Perform risk assessments before selecting third party vendors to determine their security measures.

By being proactive, having the appropriate policies and procedures in place, and putting them into practice, you’ll be better defended against cyberattacks and breaches.

For more information or help with cybersecurity risk assessments, internal control reviews or policy and procedure implementation, contact your Clark Schaefer Hackett advisor.

* Source: Small Business Trends, January 2017, “CYBER SECURITY STATISTICS – Numbers Small Businesses Need to Know”

All content provided in this article is for informational purposes only. Matters discussed in this article are subject to change. For up-to-date information on this subject please contact a Clark Schaefer Hackett professional. Clark Schaefer Hackett will not be held responsible for any claim, loss, damage or inconvenience caused as a result of any information within these pages or any information accessed through this site.