In 2022, there were 707 large scale data breaches (and many smaller ones) affecting healthcare organizations. This was down slightly from the record in 2021. The high value of personal health data on the black market causes thieves to target healthcare companies of all sizes.
Healthcare companies have a responsibility to do due diligence to prevent data breaches, and to manage them when they occur. While it’s not possible to completely prevent hacking, there are steps you can take to reduce your and your patients’ risk.
What is the Biggest Cause of Data Breaches?
By far, the most common cause of data breaches is weak or stolen credentials. People tend to use easy passwords, use the same password for multiple accounts, or write passwords down and then become careless.
The second biggest cause is social engineering, which includes things like phishing (to steal credentials) and also business email compromise, where a bad actor impersonates a high ranking member of the organization and tricks somebody into emailing them sensitive information. Other causes include malware finding its way onto an employee computer, application vulnerabilities, simple errors, and even malicious insiders.
Ransomware is another common form of malware healthcare companies might face, where information is locked down by malware.
What Are the Steps to Minimize the Risk of Privacy Breaches?
Understanding the causes of data breaches helps you protect against them, and the most basic protection is to secure credentials. Employee education is also important. Some basic ways to prevent data breaches include:
- Using multi-factor authentication. One of the issues with enforcing strong passwords is that people can’t remember them, so they write them down. Multi-factor authentication means that a stolen password won’t get the thief anywhere. Typically, this means an app on the employee’s phone or a system that sends them an SMS message, but biometrics can also be used to support multiple factors.
- Keeping all software up to date and promptly installing all security updates on all devices that connect to the network. This includes personal devices such as phones. Employees should be required and reminded to update their personal devices as far as the hardware supports, including reminding them that this will also protect their personal data.
- Training employees in how to recognize and avoid phishing scams. Occasional drills (where IT sends out a fake phishing message and records how many people are fooled by it) help. Make it clear to employees that they should never click on a link in an email, even if they were expecting it.
- Establishing a system where important information requires validation. For example, if the CIO emails you asking for something out of the database, the protocol should be to call the CIO and make sure they actually asked for it. This is the best way to prevent business email compromise.
- Have employees who are traveling or working from home use a VPN, which helps prevent compromises caused by using insecure Wi-Fi.
- Use role-based security so that employees have access to only the data they need to do their jobs. This reduces the amount of data that can leak if a single account is compromised.
- Use remote monitoring to look for unusual network activity.
- Properly delete data that is no longer needed, following compliance requirements.
- Require employees to use anti-theft apps on their phones and remind them to back up phone data to the cloud so that a phone can be wiped, if needed, without costing them their data.
- Traveling employees should be trained to avoid viewing data on laptops in public areas, to keep track of their devices at all times, and not to leave devices unattended in hotel rooms where they might tempt low-paid employees.
What Are the Steps To Manage A Data Breach?
Nothing can completely eliminate the possibility of a data breach. You can reduce the risk by backing up all data properly, which can also help protect you from the impact of ransomware.
You should have a data breach protocol in place before anything happens. If you do have a data breach, then follow these steps:
- Freeze everything and lock it down. Have all employees immediately change their passwords. Change any physical access codes to server rooms. Take affected equipment offline but do not turn it off.
- Remove any information publicly posted on your own website or systems. Search the internet to find where things might have been posted.
- Call your lawyer. You may face lawsuits related to the breach and they need to start working.
- Check your auditing and logging systems to see what they recorded. You may also have to turn them back down.
- Investigate the breach thoroughly. Work out what happened, which patients were affected, and what information may have been breached. This may involve interviewing people.
- Inform all of your patients there was a breach. The GDPR, for example, doesn’t prevent data breaches, but it requires you to notify your patients so that they can watch for potential identity theft. In the U.S., HIPAA also requires that you notify affected individuals. You are also required to inform the media if more than 500 residents of a jurisdiction are involved. If you have a patient portal, patients should be required to change their passwords. Make sure your customer service people are ready to take any information patients might have that can help.
- Determine how the breach happened. This can be used to refine your protective measures and improve training. Maybe somebody left their laptop connected in a hotel room. Perhaps somebody was reusing passwords. Strengthen training to close these holes.
- Make sure that the breach is closed. You may need to update software, remotely wipe devices, etc.
- Update your protocols to keep it from happening again.
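The monitoring measure above (“look for unusual network activity”) and the investigation steps (“work out which patients were affected” and the notification threshold) both come down to reviewing the access logs of the patient-record system. The following is an added example, not code from the article or from Clinify Health: it parses a constructed audit log, flags accounts that read an unusual burst of distinct patient records or connect from outside the clinic network, and, for a given compromised account and time window, lists the affected patients by state so the notification count can be checked against the article’s 500-resident figure. The log format, field names, clinic address range, thresholds and sample lines are all assumptions for illustration and must be mapped onto your own system’s logs.

```python
"""Audit-log review helpers for a patient-record system.

Added example, not code from the article or from Clinify Health. The log
format (timestamp, user, patient id, patient state, source IP), the clinic
network range, the thresholds and the sample lines are all constructed for
illustration; map them onto your own system's audit log before use.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log, one patient-record view per line:
#   timestamp  user  patient_id  patient_state  source_ip
SAMPLE_LOG = """\
2024-03-04T09:12:00 nurse_a P1001 IL 10.0.0.12
2024-03-04T09:15:00 nurse_a P1002 IL 10.0.0.12
2024-03-04T09:40:00 nurse_b P1003 IL 10.0.0.15
2024-03-04T23:05:00 nurse_a P1004 IL 203.0.113.7
2024-03-04T23:05:30 nurse_a P1005 IN 203.0.113.7
2024-03-04T23:06:00 nurse_a P1006 IL 203.0.113.7
2024-03-04T23:06:30 nurse_a P1007 IL 203.0.113.7
2024-03-04T23:07:00 nurse_a P1008 WI 203.0.113.7
2024-03-04T23:07:30 nurse_a P1001 IL 203.0.113.7
"""

CLINIC_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed internal range


def parse_log(text):
    """Turn raw log lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, state, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "state": state, "ip": ip})
    return events


def flag_unusual_access(events, window=timedelta(minutes=5), max_distinct=4):
    """Monitoring: flag accounts that view more than `max_distinct` distinct
    patient records within `window`, and accounts seen from outside the
    clinic network. Returns (user, reason, first_timestamp, detail) tuples."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window over this user's views, ordered by time.
        for i, start in enumerate(evs):
            seen = {e["patient"] for e in evs[i:]
                    if e["ts"] - start["ts"] <= window}
            if len(seen) > max_distinct:
                alerts.append((user, "burst", start["ts"], len(seen)))
                break  # one burst alert per user is enough for triage
        # Any view from an address outside the internal range.
        for e in evs:
            if ipaddress.ip_address(e["ip"]) not in CLINIC_NET:
                alerts.append((user, "off_network", e["ts"], e["ip"]))
                break
    return alerts


def affected_patients(events, compromised_user, start_iso, end_iso):
    """Investigation: distinct patients the compromised account viewed between
    the two ISO-8601 timestamps, grouped by patient state for counting."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    per_state = defaultdict(set)
    for e in events:
        if e["user"] == compromised_user and start <= e["ts"] <= end:
            per_state[e["state"]].add(e["patient"])
    return {s: sorted(p) for s, p in sorted(per_state.items())}


def media_notice_required(per_state, threshold=500):
    """States where the number of affected residents exceeds `threshold`
    (the article's figure for when the media must also be informed)."""
    return sorted(s for s, patients in per_state.items()
                  if len(patients) > threshold)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for alert in flag_unusual_access(events):
        print("ALERT", *alert)
    scope = affected_patients(events, "nurse_a",
                              "2024-03-04T23:00:00", "2024-03-04T23:59:59")
    print("affected by state:", scope)
    print("media notice needed for:", media_notice_required(scope))
```

On the sample data the late-night run by `nurse_a` from an outside address trips both checks, and the investigation step shows six distinct patients across three states, well under the threshold, so only individual notification would apply. In a real deployment the burst threshold should be set from each role’s normal workload, and the log must be preserved (not rotated or truncated) from the moment the breach is suspected, which is why the steps above say to take equipment offline rather than turn it off.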
You should put together a breach response team if you can, and be ready to assemble a data forensic team to establish the cause of the breach. You can’t prevent all data breaches. However, good cybersecurity and cyber hygiene practices can reduce them substantially. If you do have a breach, make sure you have protocols in place to deal with it rapidly, learn from it, and keep it from happening again. Healthcare information is valuable to thieves, so take all due care to protect your patients from the criminals.
If you would like to deliver value-based care to patients in underserved communities, Clinify Health can help you. Clinify Health is a digital healthcare organization that partners with healthcare providers to support value-based care delivery for underserved communities. You can learn more about Clinify Health features or contact us today to learn how the solutions can improve the economics and outcomes of healthcare while distributing higher quality care at a lower cost.