In a recent blog post, we discussed the extraordinarily powerful “perfect storm” of cyber risk faced by healthcare organizations today. This storm is escalating in size, force, and risk levels. The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting this data, requiring healthcare providers and their business associates to adhere to specific guidelines. However, even with HIPAA compliance, data security risks remain. In this blog post, we will explore the current state of data security risks that persist despite HIPAA compliance.
The misconception of complete data security with HIPAA compliance
Healthcare organizations are entrusted with the protection of sensitive patient data, making data security a top priority. HIPAA compliance is a vital component of data security in the healthcare industry, but it is not the ultimate solution. Achieving compliance is an ongoing process that requires continuous evaluation and improvement. The ever-evolving nature of cybersecurity threats means that healthcare organizations must remain vigilant and adaptable to defend against new risks. Relying solely on HIPAA compliance can create a false sense of security, leading to potential vulnerabilities and gaps in an organization’s data protection strategy.
Healthcare compliance trends
For healthcare organizations, compliance—while required to run operations—is further complicated by a few key factors that shape the achievement of that compliance. Regulatory agencies operate with helpful intentions and healthcare companies must comply. However, compliance does not equal data security. Despite satisfying regulatory requirements:
- Over 93 percent of healthcare organizations have experienced a data breach in the past three years
- 57 percent have had more than five data breaches during the same time frame
Read more about the HIPAA Privacy Rule, including a compliance checklist here.
When breached, regulatory penalties are steep
HIPAA violations carry steep penalties and can reach a maximum of $1.5 million per year. While the range is $100 to $50,000 per violation or record, they can add up. Penalties can also result in criminal charges and jail time.
Non-compliance detection
Regulatory bodies aim to protect sensitive patient data and they do so with strict enforcement of compliance requirements and steep fines for the inability to meet those requirements. However, non-compliance is often evident after a data breach has occurred and the vulnerability has been made visible, forcing a HIPAA data breach notification.
source: The HIPAA Journal
Audits are increasing
HIPAA audits are increasing. All IT systems that contact ePHI must have audit controls and create logs of system activity and information system activity reviews should be conducted on audit logs, access reports, and security incident tracking reports. Despite information system activity reviews being a requirement of the HIPAA Security Rule, the Office for Civil Rights’ (OCR) investigations have revealed many organizations only conduct reviews on an ad-hoc basis in response to potential security incidents. Regular reviews allow HIPAA-regulated entities to rapidly identify unauthorized access to ePHI by malicious insiders and hackers. All too often, regulated entities discover unauthorized access by insiders and hackers has been ongoing for months or years.
The evolving cybersecurity landscape
Cybersecurity threats are continually evolving, and healthcare organizations are prime targets for cybercriminals. According to the Ponemon Institute, healthcare has the highest average data breach cost per capita.
There has also been an increase in the number of records lost in each breach, especially with organizations working more digitally than ever. Over 90% of clinics and hospitals in the US have moved to EHRs and EHR platforms, often using several platforms across health systems, without necessarily following up with the required security. In some cases, cybercriminals were able to breach and dump entire EHR databases and sell them in underground fraud markets for hefty profits.
Legacy IT systems
Healthcare providers often use outdated systems and lack the necessary cybersecurity infrastructure to adequately protect their data. One survey by the Healthcare Information and Management Systems Society found that 73% of healthcare provider organizations use legacy IT systems, which are costly to support and often rife with gaps in security. This makes the sector an easy – and potentially lucrative – target for ransomware operators. But this vulnerability is not solely down to software and systems – it’s also down to how data and devices are managed within individual organizations.
The sprawl of data and healthcare IT
Healthcare organizations must bridge a sprawling IT infrastructure, including internal and external sources. For example, data centers, the cloud, file servers, storage, smartphones, laptop computers, and tablets, work together with multiple third-party technologies across the supply chain such as ultrasound machines, surgical tools, monitoring devices, ventilators, and others. Further complicating this spread of technology types is how they are used. For example, in a hospital, each patient’s bed will use different devices. All of this data from all of these multiple and diverse sources must be funneled into the electronic health record (EHR) system.
Cost and complexity of managing security tools
While compliance, encryption, DLP, authentication, and access control are critical starting points, healthcare data security strategies and technology solutions must do more. Their role is to protect sensitive data (PHI, PCI, and PII) via a comprehensive and effective data security posture. This is especially important in the broad and diverse reality of healthcare IT and the explosion of healthcare data that must be managed and protected.
Some common data security risks in healthcare organizations include:
1. Accidental Exposure: Human error can lead to accidental data breaches, such as sharing sensitive information with unauthorized individuals or mishandling data. Employee training and implementing strict access controls can help mitigate this risk.
2. Phishing and Social Engineering Attacks: Cybercriminals often use phishing emails and other social engineering tactics to trick healthcare employees into divulging sensitive information or granting access to secure systems. Regular security awareness training and robust email security measures can help protect against these attacks.
3. Insider Threats: Employees with malicious intent or those whose accounts have been compromised pose a significant risk to healthcare organizations. Monitoring user activity and implementing strict access controls can help identify and mitigate insider threats.
4. Ransomware: Ransomware attacks encrypt an organization’s data and demand payment for its release. Healthcare organizations must implement robust backup and recovery strategies and maintain up-to-date security measures to protect against ransomware.
5. Data exposure in the Cloud: As more healthcare organizations move their data to the cloud, the risk of data exposure and unauthorized data access increases. Ensuring robust cloud security and implementing data activity monitoring, data risk analytics, and compliance automation technologies are essential.
6. Third-Party Risks: Healthcare organizations often work with third-party vendors who have access to sensitive data. Ensuring that these vendors maintain appropriate security measures is crucial to protect patients’ information.
7. Prioritizing security on Data Stores: Too often, organizations prioritize securing data stores containing highly sensitive information but fail to extend protection to all interconnected data stores. Those organizations, who only focus on meeting minimum compliance requirements using a regulation-based checkbox approach, leave the door wide open for security breaches. Organizations need to close this security gap by implementing controls on their data with the same level of importance as they do for their networks and endpoints. Between the growing sophistication of cyber attacks and the interconnectivity of digital systems, a single unsecured data store can compromise your entire organization.
Conclusion
HIPAA compliance is a critical starting point for healthcare organizations to protect their patients’ data. However, it is essential to recognize that compliance alone does not guarantee data security. Healthcare providers must implement robust data security measures, including employee training, access controls, and monitoring user activity, to safeguard their patients’ valuable information. By going beyond HIPAA compliance, healthcare organizations can better protect their patients and maintain their trust in the face of ever-evolving cyber threats.
Join our webinar: Your Private Healthcare Data: The Perfect Storm for Cyber Risk, featuring Terry Ray, SVP, Data Security GTM, Imperva and guest speaker, Lisa Gallagher, Executive Cybersecurity Consultant on Jun 28 2023, 11:00 am PT.
Or, learn why healthcare organizations around the world trust Imperva Healthcare solutions to deliver end-to-end protection and compliance for critical healthcare data and applications.
Try Imperva for Free
Protect your business for 30 days on Imperva.
