What are two things to do today to guard against the growing risk of healthcare data breaches?
- Do a better job of protecting passwords.
- Improve workforce security awareness training.
These aren’t very sophisticated, and neither one is time-consuming or expensive. But they work, because both counter the top methods of cyberattack being used against healthcare today.
For full HIPAA compliance there are multiple other safeguards you should be using, but if you’re looking for immediate top priorities, these two might have the biggest payoff.
The Verizon Report
Every year Verizon publishes a Data Breach Investigations Report (DBIR or the Report) which analyzes security incidents and data breaches across twenty industries worldwide. As in years past, this year’s 107-page report is well-organized, easy-to-read and full of fascinating details.
Consistent with other studies, Verizon reports that there has been an increase in cyberattacks across all sectors, including healthcare. The 2022 report shows a troubling 13 percent increase in ransomware over last year, an increase greater than the past five years combined.
Researchers analyzed a total of 23,896 security incidents, 849 of which occurred in the healthcare sector. Of the observed cyber incidents in healthcare, 571 resulted in confirmed data disclosure. In last year’s report, researchers observed 655 healthcare incidents, with 472 resulting in confirmed data disclosures.
Cybersecurity in Healthcare
Although healthcare continues to face insider threats to data security, external threats account for 61 percent of threat actors, a percentage that has not changed compared to last year’s report. The Report noted:
“While the make-up of the insider breach has moved from being largely malicious misuse incidents to the more benign (but no less reportable) Miscellaneous Errors, we have always been able to rely on this industry to tell the insider threat story.”
Today the top three types of cybersecurity incidents in healthcare are basic web application attacks, miscellaneous errors, and system intrusions, together representing 76 percent of all healthcare breaches. By far the most common of the three is the “basic web application attack”. Verizon defines this as:
“… attacks that directly target an organization’s most exposed infrastructure, such as Web servers. These incidents leverage one or the other of two entry points, the Use of stolen credentials or Exploiting a vulnerability.”
A basic web application attack gains access to a web server or an email server through one of two tactics: stolen credentials (e.g., passwords) or the exploitation of a vulnerability.
The Human Factor in Cybersecurity
The Report emphasizes that people are at the center of cybersecurity risk and prevention.
“This year, 82% of breaches in the DBIR involved the human element. This puts the person square in the center of the security estate with the Social Engineering pattern capturing many of those human-centric events.”
Social engineering is a psychological tactic used to engage an email recipient and encourage them to click a link, open an attachment, or respond to an email or text. Because this phishing technique still works, cyber criminals keep using it.
Cybersecurity awareness training for the workforce can greatly reduce the likelihood that phishing will succeed. A good time to complete training is upon hiring. Training should then be repeated every year when the HIPAA Risk Analysis is completed, with updates about changing tactics and new information from a reliable resource, such as the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, or the American Medical Association (AMA).
HIPAA Compliance Reduces Risk
Every analysis of cybersecurity risks today provides specific steps to reduce risks. The Verizon Report is no different, and it outlines three top steps for healthcare. Each of these is embedded in a strong HIPAA compliance program – do an annual HIPAA Risk Analysis and conduct year-round Risk Management for the best defense against all types of breaches, common and uncommon ones.
The Verizon Report suggests:
- Security Awareness and Skills Training
- Secure Configuration of Enterprise Assets and Software
- Access Control Management (includes a password policy, but also, restriction to role-based access, eliminating access upon departure or changed position, etc.)
Following the Security Rule Checklist in The HIPAA E-Tool® will uncover all three, plus many more. Malware protection, offsite data back-ups, software patches and updates are three other key areas that should not be overlooked.
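The third step above, Access Control Management, is the one most easily turned into a routine check. The script below is an added example (not code from Verizon or The HIPAA E-Tool®) that runs the three checks the list names over a constructed workforce roster and account list: accounts still enabled after a departure or with no matching workforce record, accounts holding application roles beyond what their job role allows, and passwords older than a policy limit. The role-to-entitlement mapping, the 90-day password age limit, the shared-account flag and all sample records are assumptions made for the example, not HIPAA requirements.

```python
"""Access-control audit over constructed sample data.

Added example: the roster, accounts, entitlement map and policy
values below are all invented for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical least-privilege mapping: job role -> application roles
# that job role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "nurse": {"ehr_read", "ehr_write"},
    "billing": {"billing_read", "billing_write"},
    "it_admin": {"ehr_admin", "billing_admin"},
}

MAX_PASSWORD_AGE_DAYS = 90  # assumed policy value, not a HIPAA figure


@dataclass(frozen=True)
class HrRecord:
    """One line of the HR roster (constructed)."""
    user_id: str
    job_role: str
    employed: bool  # False once the person has departed


@dataclass(frozen=True)
class Account:
    """One application account (constructed)."""
    user_id: str
    enabled: bool
    app_roles: frozenset
    password_changed: date
    shared: bool = False  # credential known to be used by several people


def audit_accounts(hr, accounts, today):
    """Return (user_id, finding) pairs for every enabled account that
    violates the access-control policy described above."""
    findings = []
    hr_by_id = {rec.user_id: rec for rec in hr}
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts cannot be used; nothing to flag
        if acct.shared:
            findings.append((acct.user_id, "shared-credential"))
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            findings.append((acct.user_id, "no-workforce-record"))
            continue
        if not rec.employed:
            findings.append((acct.user_id, "enabled-after-departure"))
            continue
        # Role-based access: anything beyond the job role's entitlements
        # is excess privilege (typical after a change of position).
        extra = acct.app_roles - ROLE_ENTITLEMENTS.get(rec.job_role, set())
        if extra:
            findings.append((acct.user_id, "excess-roles:" + ",".join(sorted(extra))))
        # Password policy: flag passwords older than the assumed limit.
        age = (today - acct.password_changed).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((acct.user_id, f"password-age:{age}d"))
    return findings


# Constructed sample data.
SAMPLE_HR = [
    HrRecord("jdoe", "nurse", True),
    HrRecord("asmith", "billing", True),  # moved from it_admin to billing
    HrRecord("rlee", "nurse", False),     # departed last quarter
]
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, frozenset({"ehr_read", "ehr_write"}), date(2022, 8, 1)),
    Account("asmith", True, frozenset({"billing_read", "ehr_admin"}), date(2022, 2, 1)),
    Account("rlee", True, frozenset({"ehr_read"}), date(2022, 6, 1)),
    Account("frontdesk", True, frozenset({"ehr_read"}), date(2022, 1, 15), shared=True),
]


def run_sample():
    """Audit the constructed data as of an assumed review date."""
    return audit_accounts(SAMPLE_HR, SAMPLE_ACCOUNTS, date(2022, 9, 1))


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

Run on the sample data, the audit is clean for the nurse whose roles match her job, but flags the departed user’s still-enabled account, the admin role the billing clerk kept after changing position, that clerk’s seven-month-old password, and the shared front-desk login that has no individual workforce record behind it. The same checks, fed from a real HR export and an identity-provider export, are what the annual Risk Analysis should be confirming.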
Now that you know the top risks facing healthcare, you can take immediate action to guard against a costly breach. It’s much easier, and far less expensive, to prevent a breach than to manage and pay for the damage afterward.