Organizations that handle healthcare data need to understand the risks, requirements, and ramifications in order to make prudent decisions on how best to protect it. Let’s start with the risks.
HIMSS published its 2018 healthcare cybersecurity survey and found that most healthcare organizations (over 75%) had experienced a significant security incident in the past 12 months. Health data is targeted by hackers for the value it brings on the dark web, where it can be used for identity theft, such as opening new credit accounts in the victim's name. It takes far longer for an individual to discover that their identity has been stolen than it does for them to be alerted to unusual activity on a stolen credit card, so the personal information in health data is more valuable to hackers than card data alone.
How do the hackers gain access to the data? Email phishing tops the list, but compromised networks and web applications, misconfigured cloud services, and guessing or otherwise obtaining user credentials were other common methods.
Of course, HIPAA compliance provides a framework for securing this valuable data, so why is this still such an issue? In many cases, organizations do not understand how to properly use the HIPAA guidelines to establish the appropriate technical controls, policies, and procedures, including security solutions, threat monitoring, and incident response. If your organization falls into this category, an assessment against the HIPAA guidelines by a qualified assessor can help you identify and close gaps that could leave you vulnerable.
Willful neglect of the HIPAA compliance guidelines is another reason that organizations fail to protect health data. This has prompted harsher penalties for those found non-compliant, whether after a breach or during a proactive audit by HHS. The chart below shows the steep price paid by organizations that failed to meet compliance requirements, and it should serve as a warning to confirm your own adherence to the guidelines.