Are you certain that your healthcare workers understand the risks to your PHI and other confidential information? A clinic in Baltimore thought theirs did, but they were proven wrong when they discovered their patient records were up for sale on the Dark Web.
In 2016, a Baltimore substance abuse treatment facility was hacked. Their patient records ended up on the Dark Web, according to DataBreaches.net. Information such as dates of admission, what patients were taking methadone, and what their dosing requirements were, along with the names of doctors and counselors were exposed to cybercriminals.
The prominent Washington University School of Medicine learned about a phishing incident on January 24, 2017, when an employee responded to a phishing attack on December 2, 2016. The Office of Civil Rights (OCR) said that 80,270 individuals might have been affected.
“This phishing scam allowed some of Washington University School of Medicine’s patient data to potentially be accessed, the school reported on its website. The accessed employee email accounts may have included names, birth dates, medical record numbers, diagnosis and treatment information, other clinical information, and Social Security numbers in some cases.”
Texas-based Urology Austin, PLLC revealed that they experienced a ransomware attack on January 22, 2017. Within minutes of the attack, they shut down their computer network. However, OCR reported that 279,663 individuals’ private data might have been affected.
They immediately took steps to restore the affected data and their operations. A Urology Austin representative told local news that they didn’t pay the ransom and that they were able to restore the patient information from a backup.
The odds that a data breach can happen to your healthcare organization have greatly increased.
Why? Because healthcare workers generally lack cybersecurity awareness. The following are some alarming statistics:
- 24% of healthcare workers lack awareness about phishing emails as compared to 8% in non-healthcare sectors
- Only 18% of healthcare employees were able to recognize phishing emails. Physicians were 3 times worse at it.
- 88% of healthcare workers opened phishing emails.
- 50% of doctors were in the “risk” category, making them likely to commit a serious data breach.
- Healthcare employees exhibited less knowledge about cybersecurity than the larger population.
- 24% of physicians couldn’t identify the common signs of malware.
- 30% of healthcare workers took risks that put the safety of patient records at risk.
- 23% failed to recognize forms of malware.
- 18% chose the wrong actions when they were given scenarios to respond to. Many thought it was okay to share patient data via their personal email accounts or over insecure cloud platforms.
The high costs of a lack of cybersecurity awareness
The Identity Theft Resource Center revealed that there were 1,091 breaches in 2016 that affected 15 million records from hospitals, dental clinics, senior care facilities, and others. This is a 40 percent increase from the previous year. As a result, the Dark Web is flooded with “fullz” (full packages of personally identifiable information) as well as patient insurance information.
Healthcare hacking and IT incidents accounted for the majority of large-scale incidents in 2017.
According to the 2017 Cost of a Data Breach Study: Global Overview, healthcare data breach costs are the highest for the seventh straight year. Data breaches from healthcare organizations cost $380 per record. This is greater than 2.5 times the global average in other industries.
The Answer
It’s obvious from this data that healthcare entities are not properly educated and prepared to defend themselves against sophisticated hacking attempts today. From these statistics, you can see that these organizations are at risk of HIPAA noncompliance.
Your first layer of defense is your employees. They require professional security awareness training that includes both privacy awareness and demonstrations on how to recognize phishing attempts and what to do if they receive one.
It’s only through ongoing security awareness training that you can keep your healthcare employees apprised of the latest sophisticated threats, how to mitigate them and what to do protect your organization from severe, negative consequences.
Beyond ensuring that your PHI and other confidential data is secure and protected at all times, you must provide security awareness training that’s conducted by a professional who understands PHI and what healthcare employees need to know.
According to the US Department of Health and Human Services, employee cybersecurity awareness training should meet the following four objectives:
- Develop and demonstrate foundational-level knowledge of cybersecurity.
- Employ best practices to protect privacy and safeguard Controlled Unclassified Information (CUI).
- Recognize cyber threats to information systems.
- Identify and report potential cybersecurity and privacy incidents promptly.
Don’t Become Another Statistic.
5 More Tips to Keep in Mind:
Regular and Recurring Security Training Is Essential.
Hackers are constantly developing new, sophisticated methods to trick your employees into clicking on malicious links and downloading dangerous software. For this reason, it’s critical that your employees stay up to date on the very latest security threats and how to avoid them. Additionally, refresher training will keep them on their toes and save you a lot of worries.
KISS (Keep It Simple and Secure)
If the security measures you teach are complicated and difficult to follow, your employees won’t remember them. Instruction should be clear and concise with ways for employees to easily remember your policies and rules. This is another reason why it’s always best to defer to IT professionals to train your staff.
Your Employees Need to Know How to Respond to Security Incidents.
Along with teaching your staff how to avoid security incidents, they should be aware of how to appropriately respond to them. What should they do if they come across a malicious attachment or link? What should they do if they accidentally click on one? Make sure they know what to do and who to contact.
Teach Your Employees about Cybersecurity for Their Personal Use.
It’s also important to teach your healthcare staff about network security for their personal purposes, such as when purchasing items online or what to do if they receive phishing emails on their personal accounts. They should also know how to protect their personal information on your organization’s network.
Make Sure Security Support is Easily Accessible.
Ensure your staff knows where to go if they have security questions or concerns. Your IT Managed Services Provider (MSP) will have a 24/7 Help Desk for support and assistance with these concerns or anything regarding technology. Plus, if an employee does come across a ransomware attempt, your MSP can intervene remotely to remove any malware and ensure your PHI and confidential data remains secure.