According to HHS’ Office for Civil Rights (OCR), an average of 57 health data breaches are reported each month, putting sensitive information at risk for millions of people. Healthcare organizations are prime targets for malicious attacks because health information contains private and deeply personal data that can be used to extort, embarrass, or harm individuals.
Source: HIPAA Journal, September 2023 Healthcare Data Breach Report
Effective data protection measures are paramount to safeguarding the integrity and security of patients’ information. Healthcare data security has become more complicated now that records exist electronically as well as in hard copy. This means that data security must cover computer systems, network infrastructure, electronic communication protocols, and the people who engage with these systems.
The Health Insurance Portability and Accountability Act (HIPAA) offers some guidelines on the proper handling of sensitive healthcare information, but it is not prescriptive. The most instructive element of these widespread data breaches is their root causes: compromised login credentials, outdated system software, and bad habits. Most of these breaches could have been avoided by following the four steps below to protect health data.
1. Strengthen login mechanisms.
Enforce multi-factor authentication (MFA) on all system logins and on customer/member logins. In October 2023, accounts at 23andMe were compromised in a credential-stuffing attack that leveraged usernames and passwords taken from various website breaches and “stuffed” them into other websites, like 23andMe. The breach could have been avoided if users had not reused passwords or if MFA was required on all internet logins.
2. Know where health data is stored.
Inventory health data across the organization, including the vendor supply chain. The HCA data theft in July 2023 occurred from an “external storage location” used to format email messages. Data on 11.2 million people spanning a 2-year period was involved in the breach. An analysis of the data inventory, coupled with enforcement of data retention, could have reduced or eliminated the breach by recognizing that data was exposed outside the organization. Applying an active data deletion process, such as a records retention schedule, reduces exposure of older data.
3. Update system software.
Every business relies on software and IT systems to operate. In July, 9 of the OCR-reported healthcare breaches were the result of a vulnerability in file transfer software that had not been updated. The MOVEit Transfer vulnerability was widely publicized in June, urging IT managers to upgrade, but many did not upgrade in time. Keeping system software up to date, especially software facing the internet, is mandatory. Have a policy and an automated software update process to continually receive, evaluate, and install patches from software makers.
4. Evolve phishing education.
Phishing attacks remain the most common entry point for hackers. Email can reach millions of organizations simultaneously and hide among the vast internet traffic entering organizations every minute. The volume alone is too attractive for bad actors not to take advantage of. Attackers continue to evolve their tactics, so do not keep using the same stale phishing education. New attack vectors include call-backs, where users are tricked into calling a phone number to enter PINs, SSNs, or other sensitive information. Update your education content to keep up with new attack methods and keep users' knowledge current.
In recognition of the end of Cyber Awareness Month, sponsored by CISA.gov, use the time now to reinforce best practices for healthcare data hygiene. RazorMetrics takes healthcare data security seriously. The top four practices mentioned here are just the beginning. Keep vigilant, as the people behind the breaches are always evolving, and keeping data safe must evolve faster.