The use of technology in healthcare offers a lot of advantages for providers. It streamlines workflows, automates administrative tasks, enables improved access of care for residents of rural communities and more.
Unfortunately, there’s also a price to pay for the benefits of healthcare IT, and it is cybercrime. Attacks through data breaches, ransomware, phishing scams, website spoofing, malware and debit and credit card fraud continue to cost hospitals, health systems and other healthcare providers.
The number of cyberattacks in the United States shot up last year due to the COVID-19 pandemic. The FBI reported that cybercrime complaints climbed from 1,000 to 3,000 to 4,000 daily, and it’s estimated that the monetary loss from cybercrime in 2020 was approximately $945 billion, a more than 50 percent increase in two years.
Much of the cybercrime affecting the healthcare industry comes in the form of data breaches, which occur through a variety of incidents, including stolen devices, hacking, human error and negligence and cyberattacks. The average healthcare data breach costs an estimated $6.5 million, about $429 per patient record, and stolen medical data for 10-20 times that of credit card information.
One-third of all data breaches in the U.S. occur in hospitals, with the average incidence affecting 25,575 records. It’s estimated that there are one billion medical images, from X-rays and ultrasounds to CT scans, online and accessible to anyone with an internet connection and free-to-download software.
The Costly Effects of Cybercrime
Even as cybersecurity measures have improved, the threat to healthcare data is prominent. Some researchers point to unprotected servers used by providers as one of the primary reasons for healthcare data breaches. Other issues that have emerged with more healthcare employees working remotely include lost or stolen devices, a lack of physical IT support and use of public Wi-Fi networks.
Tasked with adhering to specific government compliance standards, providers have extra responsibility in addressing cybercrime. Those that create, receive, or transmit protected health information (PHI) are required to comply with the Security Rule of HIPAA and its administrative, physical and technical safeguards or risk costly civic and/or criminal penalties.
Criminal HIPAA violation penalties range from a fine of $50,000 and up to a year in prison to $250,000 and up to ten years of jail time. Civil penalties vary from $100 – $50,000 per violation, with an annual maximum of $25,000 for repeat violations, to $50,000 per violation, with an annual maximum of $1.5 million. Those punitive actions don’t take into account the damaged reputation and decreased customer trust a healthcare provider often experiences when sensitive data is stolen.
Providers encounter multiple challenges complying with HIPAA, including keeping communication secure, protecting mobile devices, addressing outside threats and staying aware of a changing regulatory environment. In addition to malicious attacks, they face accidents or errors that could lead to a HIPAA violation, such as mistakes by employees, vendors or contractors or a lack of plans and procedures to combat cybercrime.
Investing in a Cybersecurity Strategy
Implementing and maintaining high levels of cybersecurity is not only possible for healthcare providers but also necessary. It’s a complex and sometimes costly process that requires numerous resources and is difficult to maintain because new types of attacks regularly emerge, but the more prepared providers are to combat cyberattacks, the more they reduce the threat of leaked data and theft of other valuable information.
The first step is ensuring cybersecurity processes, policies and procedures are up-to-date. Once a plan is developed for dealing with a cyberattack if it occurs, it should be tested routinely.
Another step is performing comprehensive risk analysis using a risk management framework. According to the National Institute of Standards and Technology (NIST) the following actions are recommended for healthcare risk assessment management:
- Categorize information systems.
- Identify and implement security controls.
- Access security controls.
- Authorize information systems.
- Monitor and adjust security controls.
A third key step is to regularly educate and train provider staff on cybersecurity. They should be informed about the risks of using a USB drive from an unreliable source and how to identify emails with infected links or attachments that might contain ransomware.
Data should be backed up routinely, and all smart medical devices used by the provider should be monitored and contain firewalls and anti-virus protections. Additional solutions to supplement a cybersecurity strategy consist of email encryption technology, two-factor authentication and single sign-on (SSO).
Keeping vendors in check encompasses a large part of decreasing the risk of a data breach. Vendor incidents are behind some of the largest healthcare data breaches, and many healthcare providers employ the services of multiple vendors. Providers should require those with whom they partner to verify the risk assessment and management policies and procedures they use.
At RingRX, we encrypt data to prevent unauthorized breaches wherever data is stored. All phone system data is stored in highly secured and protected cloud-based servers, giving you the best combination of convenience and security. Contact us today to learn about how to set up your free 14-day trial of RingRX.