The COVID-19 pandemic has been incredibly challenging for the healthcare industry. An unprecedented increase in demand led in many cases to the collapse of health infrastructure. As if that wasn’t enough, there has also been an unprecedented surge in cybercrime.
According to new data, the most commonly attacked sector in 2020 was healthcare,[1] and experts believe this trend will continue into 2021 and beyond. Increased adoption of work-from-home models and telemedicine has created new vulnerabilities that hackers and threat actors are more than eager to exploit.
Protected Health Information (PHI) threats are a significant concern for every healthcare-related organization because:
- Healthcare data breaches cost an average of over $400 per record, while the cross-industry average is close to $150 per record.[2]
- Over 90% of healthcare organizations reported at least one security incident in the last three years.[3]
Keep reading to learn how your business or organization can protect itself against sophisticated ransomware and other threats that affect healthcare data security and compliance.
NIST CSF and Security Risk Analysis
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a joint initiative by the US government and the private sector designed to provide a globally applicable policy framework of cybersecurity guidance. This framework outlines how organizations and businesses can assess and enhance their capability to prevent, detect and quickly respond to cyberattacks.
A new federal law signed on January 5, 2021, rewards Health Insurance Portability and Accountability Act (HIPAA) covered entities that have implemented the NIST CSF. If your business can prove that you have applied the NIST CSF for the previous 12 months, the law removes a significant burden by reducing fines and providing audit relief.
One of the crucial risk-reduction measures highlighted by both HIPAA and the NIST CSF is security risk analysis: identifying and evaluating the threats and vulnerabilities that affect the confidentiality, integrity and availability of PHI.
Current Stats on Ransomware… a Growing Threat
The following stats on ransomware threats are concerning:
- Ransomware cost the healthcare industry over $20 billion in 2020.[4]
- Ransomware accounted for close to 10% of breaches reported in 2021.[5]
Under the HIPAA privacy rule, a ransomware attack is a notifiable breach even if PHI is only encrypted and not copied or stolen.
With businesses getting smarter by having offline backups to recover their data and operations rather than paying a ransom, cybercriminals are resorting to new ransomware approaches such as:
- Encrypt and exfiltrate: Hackers encrypt the healthcare data and also make copies of it for themselves. The targeted organization then receives a message demanding payment for the decryption keys, along with a threat to disclose the protected data if the ransom isn’t paid.
- Extort the organization and its patients: The organization receives a ransom note demanding payment under threat of disclosure, while its patients receive ransom notes demanding payment as well. You can imagine how devastating an attack like this would be for any business.
Healthcare Security Risk Analysis Myths Debunked
Listed below are five of the most common myths regarding security risk analysis.
Myth #1: It is optional for small providers
Truth: All HIPAA-covered entities must perform a risk analysis. The same applies to providers who want to receive Electronic Health Record (EHR) incentive payments.[6]
Myth #2: Installing a certified EHR fulfills the Meaningful Use (MU) requirement[7]
Truth: Performing security risk analysis is a must even if there is a certified EHR. The MU requirement covers all PHI you maintain, not just what is in the EHR.
Myth #3: The EHR vendor takes care of all privacy and security matters
Truth: The EHR vendor may provide information, support and training on the privacy and security matters of the product, but they are not responsible for making the product compliant with privacy/security regulations.
Myth #4: Security risk analysis needs to focus only on the EHR
Truth: You must analyze all electronic devices that handle PHI and not just the EHR.
Myth #5: Risk analysis needs to be conducted just once
Truth: To comply with the regulations, you must continually improve your security posture. This includes conducting risk analysis on a regular basis, and again whenever systems, vendors or workflows that handle PHI change.
If you have read this far, chances are you want to ramp up your security and compliance posture through continual security risk analysis.
If you’re worried about where to start, TechSeven Partners can help. It’s usually easier and more effective to collaborate with an experienced partner like us for risk analysis. To get started, contact us now to request a consultation.
Sources and definitions:
1. IBM Cost of Data Breach Report
2. US Healthcare Cybersecurity Market 2020 Report
3. Healthcare Innovation
4. Verizon DBIR 2021
5. The EHR Incentive Program gives incentives to healthcare providers who use EHR technology to improve patient care.
6. The MU requirement sets out the minimum federal standards for EHR.