3 Information Security Risks Facing Healthcare Organizations (article)
Information security presents a particular challenge to hospitals, physician practice groups, ambulatory care centers and other healthcare organizations. Attackers have shown strong interest in healthcare records, and according to the Ponemon Institute the cost of a healthcare data breach can run upwards of $363 per record. Healthcare organizations also face rigorous compliance requirements for the protection of patients' sensitive data.
Securing information against attackers and staying compliant with federal regulators requires a robust risk management strategy, and a key component of any such strategy is focusing on the areas of highest risk to your organization. Three of the most common information security risks healthcare organizations face are HIPAA compliance, information technology and physical loss of data. Each of these areas, and the processes your organization uses to manage it, should be evaluated.
HIPAA Compliance
Patient data, known as Protected Health Information (PHI), is among the most sensitive types of information an organization can hold. PHI has been shown to have a high resale value on the black market.
The federal government established strict oversight of PHI to protect patients' privacy. That oversight takes the form primarily of HIPAA, which outlines 77 points of compliance that healthcare groups must meet in their management of PHI. Organizations found to be noncompliant face steep consequences: civil penalties can reach $1.5 million per year for violations of a single provision.
Healthcare groups must perform HIPAA self-assessments and undergo HIPAA audits to determine how well they are meeting the 77 points of compliance. These evaluations are critical because they pinpoint where an organization is falling short. Common deficiencies uncovered include unencrypted data, employee negligence, PHI stored on portable or personal devices, and a lack of due diligence with business associates.
To strengthen a HIPAA compliance program, healthcare organizations should periodically consult professionals with a background in HIPAA rules and compliance. A review by an outside organization can identify compliance issues and recommend best practices for addressing them before the deficiencies lead to larger complications.
Information Technology
From electronic medical records to prescription ordering software, technology enhances an organization's ability to provide quality healthcare. Healthcare technology also poses a high information security risk: it stores and transmits PHI, and many systems run on legacy platforms and software that are more vulnerable to compromise in the modern threat environment.
Healthcare organizations may also find information technology security hard to manage because the role often falls to someone who already oversees other large responsibilities. HIPAA requires every covered organization to designate a privacy officer, and in many healthcare groups the responsibilities for privacy and information technology fall to the same person, the Chief Information Officer.
Although related, HIPAA compliance and information technology security are not synonymous. Complying with HIPAA does not necessarily mean that the systems handling PHI and other sensitive data are adequately protected. A Chief Information Officer tasked with both HIPAA compliance and information security may not have the time or resources to evaluate both areas of risk thoroughly. Because cybersecurity is an enterprise-wide issue and not limited to the IT department, engaging a specialist who understands the current threat landscape may be the best way to protect the organization.
Organizations should have their information technology controls evaluated periodically, or engage an outside provider to assess the current control environment. Organizations that lack the resources for a role dedicated solely to information security may also want to consider outsourcing some or all of their information security and cybersecurity functions.
Physical Loss of Data
One of the most common ways unauthorized users obtain a healthcare organization's PHI and other sensitive data is through physical loss or theft. A lost or stolen cell phone or unencrypted laptop can give whoever holds it access to the data on the device and, through cached credentials or VPN configurations, logical or remote access to the organization's assets. Hard copy documents, removable disks and electronic files are also potential targets.
Physical loss of data can result from employee negligence, such as leaving a laptop in an unlocked car, leaving hard copies of files unattended or losing track of a work cell phone in a public place, but devices may also be exposed through social engineering by "quasi-insiders." These are trusted third parties that have historically been given access to the healthcare organization's network, servers or other information technology assets. Quasi-insiders pose a risk precisely because of that prior relationship, which often means they receive less oversight than other outside groups.
Third-party controls can go a long way in protecting an organization from physical loss of data from quasi insiders. Organizations should have processes in place to monitor vendor and third-party activity that alerts the organization to anything unusual that may be occurring, such as requests to access assets that the third party or vendor has previously not needed.
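The monitoring process described above can be implemented as a simple detection rule: build a baseline of which assets each vendor account has historically touched, then flag any access to an asset outside that baseline, any activity from an account whose engagement has ended, and any activity from an account not in the vendor register at all. The following Python script is an added example and is not CBIZ's code or a product; the log format, account names, asset names and engagement dates are constructed for illustration, and a real deployment would read these from its own access logs and vendor register.

```python
"""Flag unusual third-party (vendor) access against a historical baseline.

Added example, not CBIZ's code or tooling. The log format, vendor names,
asset names and engagement dates below are constructed for illustration.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed vendor register: account -> (vendor, engagement end date).
# Accounts whose engagement has ended are the "quasi-insiders" the text
# describes: a past relationship that may receive less oversight.
VENDOR_REGISTER = {
    "svc-radiology-maint": ("ImagingCo", date(2016, 12, 31)),
    "svc-billing-support": ("ClaimsCo", date(2016, 3, 31)),
}

# Constructed access logs, one "timestamp account asset action" event per line.
# BASELINE_LOG is the learning window; REVIEW_LOG is the period under review.
BASELINE_LOG = """\
2016-01-04T09:12:00 svc-radiology-maint pacs-server-01 login
2016-01-11T09:30:00 svc-radiology-maint pacs-server-01 login
2016-01-18T10:02:00 svc-radiology-maint pacs-server-02 login
2016-01-05T14:00:00 svc-billing-support billing-db-01 query
"""

REVIEW_LOG = """\
2016-05-02T09:15:00 svc-radiology-maint pacs-server-01 login
2016-05-02T09:40:00 svc-radiology-maint ehr-db-01 query
2016-05-03T22:10:00 svc-billing-support billing-db-01 query
2016-05-04T08:00:00 contractor-temp file-share-01 read
"""


def parse_log(text):
    """Parse constructed log lines into (timestamp, account, asset, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, asset, action = line.split()
        events.append((datetime.fromisoformat(ts), account, asset, action))
    return events


def build_baseline(events):
    """Map each account to the set of assets it has historically accessed."""
    baseline = defaultdict(set)
    for _, account, asset, _ in events:
        baseline[account].add(asset)
    return baseline


def find_anomalies(events, baseline, register):
    """Return (timestamp, account, asset, reason) tuples that need review."""
    findings = []
    for ts, account, asset, _ in events:
        if account not in register:
            findings.append((ts, account, asset, "account not in vendor register"))
            continue
        vendor, end_date = register[account]
        if ts.date() > end_date:
            findings.append((ts, account, asset, f"engagement with {vendor} ended {end_date}"))
        if asset not in baseline.get(account, set()):
            findings.append((ts, account, asset, "asset never accessed before by this account"))
    return findings


def run():
    """Build the baseline from the learning window and review the later log."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return find_anomalies(parse_log(REVIEW_LOG), baseline, VENDOR_REGISTER)


if __name__ == "__main__":
    for ts, account, asset, reason in run():
        print(f"{ts.isoformat()} {account} -> {asset}: {reason}")
```

On the constructed logs this produces three findings: the radiology maintenance account reaching an EHR database it has never touched, the billing support account still active after its engagement ended, and an account that appears in no vendor register. The baseline should be rebuilt from an approved window rather than from all history, otherwise an earlier unauthorized access quietly becomes "normal."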
Another way an organization can test its third-party controls is through a social engineering assessment. This risk management exercise evaluates how vulnerable an organization is to being manipulated by outside users and can pinpoint weaknesses in how policies and organizational staff respond to common sources of data loss.
Stay Alert, Stay Proactive
The risk management environment is in a constant state of flux, and so it is critical that your organization periodically review how well its control environment is holding up to the emerging changes and threats. Assessments, information technology audits and other comprehensive evaluations can help pinpoint where strategies can be strengthened and controls improved.
Copyright © 2016, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).