For the past few weeks, multiple hospitals and health care organizations have been attacked by a newer form of malware: ransomware attacks. Simply put, a malicious software encrypts some organization’s files [like pictures or patient files] then the software asks the victim for payment to release the files via an unlock key. Unfortunately, the healthcare industry has not taken that many steps towards protecting their information until recently, and even now the attempts are not enough. Cyber criminals do not target just the financial or legal industries, they know hospitals are well funded and care for patient data.
What information are these criminals after? Healthcare organizations harvest Personally Identifiable Information (PII) and Protected Health Information (PHI) for starters. Patient’s history and personal information go back decades and they rely on their healthcare provider to protect that information at all costs. However, the healthcare industry has not put much thought into worrying about cyber attacks and breaches but they should. Healthcare organizations are quickly becoming targets turned victims; these attacks display how quickly the industry can become crippled when a solid cyber security plan is not in place.
When healthcare organizations chose to turn a blind eye to security practices, the risks involved with that choice can be steep. HIPAA requires healthcare organizations to report security breaches that result in the exposure of patient data. When such a breach occurs, the organization can be subject to very stiff penalties. Prior to the implementation of the HITECH Act, a HIPAA violation could result in a fine of up to $250,000. Today however, the maximum penalty has been raised to $1.5 million as a direct result of the HITECH Act. Furthermore, HIPAA violations that lead to a security breach can result in criminal charges being filed.
As if the penalties imposed by HIPAA weren’t enough, additional penalties may be imposed at the state level. Most states also require that individuals are notified if their personally identifiable information has been compromised. Not only are there costs associated with the notification process, but patients may choose to pursue litigation in response to the breach.
Implement a Cyber Security Plan: can be costly, but the costs definitely outweigh the risks. Although some may think that setting up a security plan can be done within the organization, it is important to remember not to do it alone. Choose and work with a well-equipped cyber security vendor who has a track record of protecting and securing information. The consulting partner chosen to work with your organization will help you to establish a solid security plan that will include all parameters so that breaches are mitigated. In my current project at the Defense Health Agency, we are the consulting partner to the U.S. Government and improve their security posture one byte at a time following both HIPAA and FISMA laws, and the guidelines of NIST Special Publication 800-53 Rev4.
Keep in mind, MedStar, Anthem, Palm Beach County health clinics, and various other U.S. and Canadian hospitals never dreamed that they would be victims of cyber attacks, however, their lessons were learned quickly with repercussions. Don’t be another statistic and be proactive. Backup and Backup!