Cybersecurity is more than meets the eye. Proper security contains several layers, including adequate training and technology, to meet HIPAA compliance guidelines. Healthcare organizations are responsible for implementing robust cybersecurity strategies to prevent cyberattacks.
The healthcare industry claims to prioritize cybersecurity efforts, yet 18% of organizations allocate only 1-2% of their IT budgets to cybersecurity. Covered entities that choose not to prioritize proper cybersecurity leave themselves vulnerable to increasingly prevalent cyberattacks.
Healthcare-related cyberattacks can be attributed to several factors. A lack of employee training increases the likelihood of human error, and portal-based communication is only as secure as a patient’s email account. Neglecting two-factor authentication makes it easier for an attacker to take over an account, and not having a business continuity plan affects an organization’s ability to recover. Here are four aspects that leave healthcare organizations vulnerable to attacks.
Inadequate cybersecurity training
Employees are often unaware of their role in data breaches, making them one of an organization’s most prevalent security risks. In fact, human error accounted for 33% of healthcare breaches in 2020 alone. A lack of proper cybersecurity training places a target on healthcare organizations big and small.
HIPAA encourages covered entities to train employees to recognize, report and respond to cyberattacks. A recent study by The Advanced Computing Systems Association found that, with proper training, employee threat detection rates increased nearly 20%. Yet, while the average healthcare professional receives 12 years of training before entering the field, 32% of employees claim they never received cybersecurity training from their healthcare system.
Healthcare providers must protect their network with ongoing cybersecurity and HIPAA compliance training, including lessons on recognizing cyber threats and keeping protected health information (PHI) secure. With proper training, employees are more likely to identify and respond to attacks, such as display name spoofing or phishing emails containing ransomware, before it’s too late.
Using portal-based email
HIPAA requires healthcare providers to safeguard electronic protected health information (ePHI). With this in mind, healthcare professionals often rely on patient portals to send and receive ePHI. Not only do portals make it more difficult for patients to access messages from their provider, but security depends on the users as well.
Patient portals work by keeping communication between provider and patient within a portal’s boundaries. Both parties must log into the platform to read and respond to messages, so a patient sees their doctor’s messages only inside the portal. Keeping ePHI behind a portal’s walls can protect information from common cyberattacks, but hackers know about the various ways providers share ePHI with their patients. Suddenly, the target shifts from provider to patient. A patient’s ability to keep logins and passwords safe is key.
More than 60% of people admit to regularly reusing passwords across multiple sites, which enables hackers to infiltrate multiple accounts with one stolen password. According to the Verizon 2021 Data Breach Investigations Report, 61% of breaches result from compromised credentials.
One option for security professionals within healthcare is to advocate for communication with patients regarding password privacy and security measures.
Instead of placing the weight of keeping ePHI secure on patients, another option is for healthcare providers to leverage email encryption to send HIPAA-compliant email. Email encryption can ensure the safety of ePHI in transit and at rest and eliminates the need for logins and passwords.
Neglecting two-factor authentication
A security feature like two-factor authentication (2FA) can seem cumbersome and unnecessary, but skipping a second step to verify user identities leaves passwords, patient information and organizations vulnerable to cyberattacks.
According to a recent Google study, only 37% of Americans use 2FA. And last year, Microsoft reported that more than 99.9% of compromised accounts were not using multi-factor authentication. Skipping this control increases the likelihood of network security breaches.
2FA is one of the most effective ways to reduce risk and safeguard PHI against cybercriminals, as it requires a user to confirm their identity with a second, independent check beyond the password. Security questions and PINs are common methods. Having 2FA requirements makes it difficult for a cybercriminal to gain unauthorized access to an account and, in turn, an entire organization.
Not having an attack strategy
A healthcare organization’s goal is to minimize risk and avoid becoming a victim of a cyberattack, but not all security strategies are airtight, and providers must know how to react if hackers compromise patient data.
The average time to contain a healthcare-related data breach is 287 days, 75 of which an organization spends attempting to stop the attack and control the damage. Since January 2021, the average healthcare data breach has cost providers approximately $9.32 million per incident. This estimate does not include fees levied by the Office for Civil Rights for HIPAA violations. Time and money spent on resolving a breach can significantly impact a provider’s ability to serve a community and its patients.
With more than 2,200 cyberattacks happening each day, providers must establish a business continuity plan (BCP) before falling victim to a breach. A BCP is a process for covered entities to discover, avoid and mitigate system risks and often includes a disaster recovery plan for when a breach forces a network out of service.
To establish a BCP, providers must:
- Oversee a business impact analysis (BIA) to identify the impact of a cyberattack, such as lost income, spending increases and customer dissatisfaction
- Determine how an organization can and will operate at a minimal level if a breach were to occur
- Devise a disaster recovery plan to restore systems and evaluate the immediate impact
Understanding how an organization will respond during an attack makes it easier to restore operations and networks and focus on a swift and efficient recovery process.
Twenty-four million Americans had their PHI stolen in 2020 as a result of 505 reported healthcare data breaches. Organizations that neglect to enhance their cybersecurity measures will only add to the number of data breaches now and later. By diligently training employees, enforcing 2FA, leveraging email encryption and preparing an attack strategy, organizations can better prepare to address the ever-present threat of cyberattacks and protect their ability to serve their patients.