The Impact of Cybersecurity Breaches in the Healthcare Industry

Cybersecurity breaches reached unprecedented levels in 2017. Few were spared as businesses and government entities alike -- including Equifax, the British National Health Service and even the U.S. National Security Agency, as well as dozens of others -- were hit with data breaches. While frequent targets like the financial sector and retail industries experienced their fair share of attacks, the healthcare sector is now the primary target of hackers, accounting for 25 percent of all data breaches. Understanding why this is happening and the consequences of it will help you improve your company's cybersecurity defenses and mitigate future threats.

Why Is Health Data a Target?

Healthcare providers and payers store a lot of detailed personal information about their patients. Everything from Social Security numbers to patient address information and credit card data is often located on the same central server, making it easily accessible for those who want to commit financial fraud. However, it is the health insurance information included in digital medical files that offers up the biggest opportunity for illicit financial gains. Hackers can sell this data on the black market, or retain it and commit medical fraud in the form of free healthcare or medical equipment.

The Consequences

Data breaches in the healthcare industry have significant and widespread consequences for both providers and healthcare payers. Healthcare providers are increasingly moving from paper records to digital ones. A breach of highly sensitive data raises important questions about the overall security of such data and the reliability of the institution trusted with it. In addition, security threats are not always the result of outside attacks. According to Breach Level Index, about 10 percent of all breaches are the result of former or current employees.

For healthcare payers, the issue is more complex. The National Health Care Anti-Fraud Association reports that most fraud is committed by health insurance providers. This fraud occurs in the form of over-billing, billing for services never rendered, and "up-coding" or overcharging for procedures or treatment received.

Given the complexity of such fraud partly due to unauthorized access, disclosure or an IT incident, it is sometimes impossible for healthcare payers to decipher the true financial costs. Payers, both private and government-funded, must then increase their costs to account for higher operational expenses, which means higher premiums and co-pays for consumers. The U.S. Department of Health & Human Services, Office for Civil Rights, lists more than 300 active cases of data breaches.

Threat Management and Detection

HIPAA Assessment

Improving your cybersecurity strategy is an essential step in preventing the next data breach. While the 2003 HIPAA Privacy Rule required that all healthcare providers complete a HIPAA Risk Assessment, few organizations have actually completed this critical preventative step. This assessment is designed to ensure that every precaution is taken to secure patient information in compliance with HIPAA. While it's not against regulations to conduct an in-house audit, an outside review will likely be more complete and offer better protection from costly fines, which are now aggressively being issued by the Office for Civil Rights to any organization found in violation of HIPAA. Front- and back-office compliance, log-in monitoring, protection from malware, and data-critical analysis are just a few of the areas that are checked during an audit.

Endpoint Protection

Depending on the size of your organization, there could literally be hundreds of endpoint connections that lead back to your data, including your servers. Each desktop computer, laptop and mobile device represents a potential vulnerability in your cybersecurity network. Effective endpoint security should serve as a supplement to a strong firewall, separate private and public Wi-Fi networks, rigorously tested anti-malware software, and a comprehensive network security infrastructure. Under the supervision of a centralized administration, endpoint security should include privileged user controls, data loss prevention, network access controls, some form of encryption for data, removable storage devices and email communication. Strong application controls should also be in place to prevent the unauthorized use of programs by both employees and outside sources.

Detection and Prevention

Proper threat detection and response protocols can be the difference between a minor incident and the next big data breach. A multi-layered approach to security -- which includes threat analysis, malware threat hunting software and threat prioritization -- can help you take a more proactive stance to securing your data, which means better protection from the next attack. Training machine learning algorithms on security data will help you keep up with the ever-evolving threat landscape, as such algorithms can continuously learn from new data inputs. However, given the prevalence of ransomware attacks, secure data backup measures should always be in place as no precaution is guaranteed. While it is possible to manage all of these requirements in-house, the complexities of big data and HIPAA regulations are best managed by a trained consultant who can provide managed threat detection for your data in compliance with state and federal laws.

Cybersecurity threats are an increasingly common problem across industries. However, the consequences of a breach in the healthcare sector have the potential to be devastating. Keeping this data secure and in accordance with HIPAA is critical for healthcare providers and payers alike if they want to maintain the trust of consumers while remaining compliant with the law. With the right information and an offensive approach to cybersecurity, you can keep both your company's data and reputation secure against the next big threat.
