Tech On the Front Lines: 3 Things Healthcare Organizations Must Do to Improve Security

The following is a guest article by Rom Hendler, CEO and Co-Founder at Trustifi.

The past year has brought some sobering statistics to light regarding healthcare cybersecurity. Despite HIPAA and its strict regulations, reports show a 25% increase in data breaches across the industry in a single year.

According to a 2021 Identity Breach Report, 34% of all data breaches recorded in 2020 occurred in the healthcare industry. What's more, the HIPAA Journal's 2020 Healthcare Data Breach Report revealed a 25% increase in breaches in this sector during that year. The number of data compromises has doubled compared to six years earlier and tripled since 2010.

The pandemic only aggravated cyber security vulnerabilities within healthcare organizations as they struggled with the challenges of the virus. This applied not just to the obvious rigors of patient care, but also to the hurried rollout of new technologies such as telehealth solutions. Growing dependence on remote work and virtual diagnosis meant practitioners and their staff relied more than ever on electronic transmission of data, which attackers targeted, contributing to the increase in breaches.

As in many industries, email is a highly targeted point of entry for malicious actors seeking to infiltrate a network: a single phishing message that harvests one user's credentials can be the starting point of a major ransomware attack. Huge breaches have been attributed to such attacks, including the 2021 breach of pharmacy benefit management company CaptureRX (San Antonio, TX), an alleged ransomware incident that compromised the data of nearly 1.7 million individuals. As the industry recovers from the impact of coronavirus, it's time to reassess how to reduce cyber security risks.

Here are the three actions we, as cyber security practitioners, recommend first to start reducing your exposure.

Deploy User-Friendly Email Encryption. Nowhere is the security of personal information more crucial than in patient care. With the industry-wide move to electronic health records, protected health information now travels over networks constantly, and HIPAA's Security Rule holds organizations accountable for safeguarding it in transit and at rest. Still, many organizations resist the use of encrypted email. This is because too many encryption systems involve cumbersome portals and multi-step procedures that make it difficult for users to take advantage of them on a regular basis.

AES-256 is the expected baseline cipher for healthcare environments. A properly encrypted message is readable only by the holder of the decryption key, so even if it were intercepted in transit, the captured data would be useless to the attacker. Two caveats follow from that: the cipher is rarely the weak link, so the real questions are who holds the keys and whether the message is protected end to end rather than only between mail servers; and encryption does nothing against an attacker who has phished a user's credentials and reads mail from inside the account, which is exactly the entry point described above. And email encryption itself is worthless if staff members won't use it.

Your email encryption solution should be simple enough in practice that users can send, receive, and open encrypted messages as easily as any other email. Certain encryption solutions now on the market integrate with major email platforms such as Outlook and Gmail, allowing users to encrypt a message with a single button that appears as part of their regular email interface.

Utilize One-Click Compliance. Speaking of a single click, compliance with HIPAA and other regulations is a top priority when it comes to the transmission of data and patient information. Such compliance should be a built-in option for users. Healthcare decision-makers should look for a cyber security solution that provides easy, one-click options that automatically apply HIPAA-appropriate handling. Solutions exist that provide similar single-click options for additional regulations such as CCPA, PCI DSS, and GDPR, which may be relevant to billing, purchasing, and commerce with business partners.

Adopt Multifactor Authentication. One effective way to reduce the risk of a data breach is to implement multifactor authentication, or MFA. Typically, this strategy requires the user to retrieve a short-lived pass code or other credential from a registered device, which is then presented along with their password at log-in. When MFA is in force, a stolen password alone is not enough: the second credential, obtainable only through the user's designated device, is required before the malicious party can access the email account. Healthcare organizations should seek out technology that incorporates this capability, allowing users to verify their identities with a code from an authenticator app, an SMS- or email-delivered code, or a biometric fingerprint scan. Not all factors are equal, however: SMS codes can be captured through SIM swapping, an emailed code is no protection at all when the account being protected is the email account itself, and any one-time code can be relayed by a real-time phishing proxy, so phishing-resistant methods such as hardware security keys (FIDO2/WebAuthn) should be preferred where the platform supports them. Done well, no one but the legitimate user can open the message.

These are only three of the strategies companies can take to secure their healthcare data, and the list is hardly exhaustive. We suggest a comprehensive, layered approach to security, encompassing data loss prevention, advanced threat protection, anti-malware, and anti-phishing, supported by features such as AI-powered optical character recognition that detects sensitive material in images and attachments. Ideally, solutions that cover all these cyber security disciplines under a single vendor umbrella offer a more manageable and affordable route to quality cyber security.
