09.11.2019

Build the CyberSecurity Culture Your Hospital Needs, Part 2: Necessary Disruption

This year we have already witnessed twice as many breached patient records as 2018’s total of 15 million, with 285 incidents reported through June. In just the first week of September, five providers reported patient data breaches caused by successful phishing exploits that affected at least 20,000 patients, according to industry watchdog HealthITSecurity. Though many hospitals have improved IT-based security protections and provided training to workers, dangerous data breaches are increasing rapidly across most organizations, often due to employee negligence. It is apparent that hospitals must do much more to inspire a strong top-to-bottom cybersecurity culture that will deflect or neutralize criminal attacks.

In Part 1 of this series, we examined and outlined overall conceptual strategies for designing an efficient enterprise-wide cybersecurity program that will multi-task: protect patients from data compromise, empower employees, comply with HIPAA and other regulations, and help the executive leadership team sleep better at night. We considered essential criteria such as sustainability, scalability, and aligning cybersecurity awareness with the bigger vision: your organization’s strategic goals, employees’ self-interest, and patients’ privacy.

Here in Part 2, we’ll take a deeper tactical dive into practical solutions for achieving a sustainable security culture. Part 3, coming soon, will offer a panoply of culture-change action items gathered from across the industry.


08.21.2019

Build the CyberSecurity Culture Your Hospital Needs, Part 1: Strategic Essentials

Hospitals are overdue. Affirming HIPAA compliance is one thing — a very good thing — but it’s not enough to protect them from the dangerous cyber attacks the healthcare industry experiences every day. A giant leap from basic regulatory compliance to the challenging achievement of a genuine cybersecurity culture is needed. Healthcare workers must become highly sensitized to identifying the risks of criminal or inadvertent compromise of valuable personal, patient and organizational data, and then understand how to overcome potential threats effectively. Even with institutional policies, security officers, training programs, and technology-based security protections in place, many individuals continue to make poor decisions that expose important data to extreme risk of compromise and theft.

Your staff, executives and vendor partners must arrive at the point when they’re no longer learning about dangers and protections but have actually incorporated this knowledge into their mindsets and daily practice. Most security professionals know this is easier said than done. Twenty years from now, perhaps consistent security awareness will be second nature for healthcare workers, as it already is for most bank employees — without learning hard lessons from painful breaches first. Let’s talk about how a transformative cybersecurity culture can be built proactively, starting today, instead of waiting until the worst happens to your hospital.


06.13.2019

3rd Party Security Breaches Are Surging. You Can Transform Your Risk Management Program.

Security breaches caused by healthcare providers’ business associates (BAs) are surging. Several major incidents in 2018, some of which have just been reported in the last month, have compromised over 20 million patients’ privacy. So it’s not coincidental that a group of major hospitals and hospital systems have come together in a formal concerted effort to provide better vendor risk management standards to the industry. The crucial task of individually vetting and contracting with hundreds, even thousands, of business associates per institution, which is now the norm, and then managing their security service levels, has become a near-impossibility for many hospital security staffs.

Maybe this challenge seemed logical to the Department of Health and Human Services’ Office for Civil Rights (OCR) in 2013 when it expanded HIPAA regulations to include greater business associate liability for breaches. But with the explosion of outsourcing to digitally-founded BAs since then, Chief Information Security Officers have found their jobs unmanageable — to the detriment of patients’ privacy and hospitals’ systems security. The Provider Third-Party Risk Management Initiative aims to change that.


05.30.2019

HIPAA Breaches 2019 Style: More Than Ever With No Relief in Sight

The Wall of Shame must be dripping with guilty tears. The Office of Civil Rights has just reported more data breaches than in any other month since the Department of Health and Human Services started recording healthcare data breaches in 2009. In April, 46 healthcare data breaches were reported — a 48% increase from March and 67% more than the average number of monthly breaches in the last six years. The only mild comfort is that the number of patient records actually breached in April was only(!) 694,710 — a 24% reduction from March. That’s still a LOT of patient information!

What has caused the enormous increase in breaches? A major rise in phishing, IT hacking, and ransomware attacks, mostly within many providers — but also within six payors. Only three breaches included business associate involvement, although one business associate breach of 206,695 patient records was the largest breach of the month. Here’s what you should know to better understand how your organization may need to beef up its precautions.


05.16.2019

Even in 2019, Your Staff is Still a Cyber-Security HIPAA Risk. Here Is Some Free Help.

Our healthcare industry has become the largest target of all sectors for hackers primarily because of the huge volume of personal information that they can collect. Our personal information, our organization’s financial data, and especially the health and personal information of our patients offer a treasure trove for online profiteers. There’s another big reason why healthcare gets hit so often: many organizations still lack adequate policies, procedures, or resources to optimize employees’ monitoring activities and ensure privacy and security.

We’ve developed a brand new downloadable, printable high-resolution infographic to support healthcare organizations in persuading staff to consistently take precautions against cybersecurity risks created by external bad actors.


03.08.2019

Hospital Cybersecurity 2019: Seven Essential Leadership-Level Strategies

Dangerous cybersecurity attacks have become a sweeping problem across our healthcare industry, with most hospitals having experienced not one or two, but many threats in the last three years. It wasn’t that long ago when the most common perpetrator of security breaches was a negligent employee. But the majority of threats now are from cybercriminals and other malicious actors, according to the 2019 HIMSS Cybersecurity Survey published last month. The good news is that many hospitals have conceded that these risks are not going away and are investing in tenacious battles against cybercrime. We’ve gathered data from a variety of hospitals detailing innovative and aggressive strategies they are using to minimize if not eliminate significant security incidents.


02.21.2019

Your Mobile Device is a Security Risk! Discover Simple, Surprising Fixes.

At least 80 percent of Americans use smartphones and/or tablets, creating a digital frontier that is rife with cybercriminal activity. Worse, healthcare workers are subject to special risks of HIPAA violation if they use their devices to store or transmit protected health information of patients or to access their hospitals’ networks, EHRs, and other computer systems. Cybercriminals now target mobile devices almost as much as desktops (iOS or Android, it doesn’t matter), and too many users do not apply the preventive measures that they take for granted with their desktops. In this post, we discuss the security risks of mobile device usage and offer a simple, informative new downloadable infographic learning tool suitable for printing and posting in your workplace.


01.16.2019

Record Numbers of Phishing Attacks Are Succeeding. Stop Being Such Tasty Bait.

Phishing attacks, at an all-time high in 2018, continue to pelt healthcare organizations, gaining access to invaluable patient data and personal information of staff members. Social Security numbers, credit card and bank data, logins, driver’s licenses, medical histories, and even digital signatures — all of it is grabbed and used to make illegal purchases or otherwise commit fraud. Mobile devices have morphed into profitable new opportunities for criminals executing phishing attacks, as identifying and blocking mobile-based phishing attacks is especially difficult for both individuals and employers’ current security technologies. These exploits create entryways into entire hospital computer networks and wreak broadscale havoc. Phishing accounts for nearly 40% of hospital security breaches (HIMSS), and end-users are the number one enablers when they are negligent or so hoodwinked by criminal “social engineers” that they break proper security procedures.

Regular education of all end-users is a must today for all healthcare organizations and their business associates. Frequent reminders help keep the ball rolling. As a small contribution to the cause, we’ve developed a free infographic poster with key tips on avoiding common phishing ruses. Print it (scalable up to 18 x 24), and post it!


09.20.2018

Managing the HIPAA Risks of Outsourcing to Business Associates

Today, most hospitals count on external outsourcing services for a myriad of essential functions like revenue cycle management, health information management, IT support, data storage and security, housekeeping, and many other clinical and non-clinical functions. Many of these partners are business associates under HIPAA — and therein lie major potential security risks for hospitals. Relationships with diligent, qualified business associates have proven to be a boon to hospitals’ service quality and cost efficiencies. But data security and privacy breaches either caused by business associates or enabled by their deficiencies have exploded in recent years. Every hospital and healthcare organization must protect itself through a well-defined and enforced business associate management program. Here’s what you need to know — plus a great infographic to summarize this critical issue.


08.22.2018

Healthcare Phishing Attacks Are Succeeding. Let’s Stop Being Such Tasty Bait.

Phishing attacks continue to pelt healthcare organizations, successfully gaining access to invaluable patient data and personal information of staff members. This information — Social Security numbers, credit card and bank data, logins, driver’s licenses, medical histories, and even digital signatures — is typically used to make illegal purchases or otherwise commit fraud. These exploits also create entryways into entire hospital computer networks and wreak broadscale havoc. Phishing accounts for nearly 40% of hospital security breaches (HIMSS), and end-users are the number one enablers when they are negligent or so hoodwinked by criminal “social engineers” that they break proper security procedures.

Regular education of all end-users is a must today for all healthcare organizations and their business associates. Frequent reminders help keep the ball rolling. As a small contribution to the cause, we’ve developed a free infographic poster with key tips on avoiding common phishing ruses. Print it (scalable up to 18 x 24), and post it!
