Healthcare data breaches started 2019 slowly but climbed steadily through January, ending the month at an average of one reported breach per day. Of the 31 breaches reported in January, hacking and other IT security incidents such as ransomware and malware accounted for more than three-quarters, and a total of 483,000 individuals were affected. For the quarter as a whole there were 94 breaches, 60 of them hacking or IT incidents.
With these numbers still rising, are you doing enough to protect your organization? Here are four recommendations to keep your security program compliant and raise cyber awareness across your staff.
1. Training: Patients rely on their healthcare providers when they are sick, and they also expect their protected health information (PHI) to stay that way. Cybersecurity training is required to remain HIPAA-compliant, but a compliance checkbox is not the point: a lack of day-to-day security awareness among staff is what exposes patients. Cybersecurity is a constantly evolving field, so your employees should be participating in training that is mandatory AND continuous in order to stay current. This training should not be limited to your immediate clinical or administrative staff, either. Anyone with access to a computer should be trained, including the C-suite. Attackers will target anyone at any time, so everyone, regardless of title, must be trained appropriately.
2. Keep It Simple: KISS, or keep it simple, stupid. Healthcare is already full of acronyms that need a glossary to decode. The last thing your staff needs is training manuals, slide decks, or videos full of "tech-talk" and hard-to-understand terms. When it comes to cybersecurity training, keep it simple. Write rules and procedures in plain language that non-technical staff can follow. The Flesch Reading Ease formula is a useful tool for measuring the complexity of training documentation. Text with a very high Flesch reading ease score (around 100) is straightforward and easy to read, with short sentences and no words of more than two syllables; a score of 60-70 is usually considered acceptable for web copy. Along with plain wording, make it as easy as possible to report any suspicion or instance of compromise.
3. Review and Reduce System Access: One of the biggest mistakes in healthcare organizations is how user access is granted. It is common for users to have more access than they need to do their jobs, which leads to several problems, including the misuse of credentials. IT should continually assess each employee's access needs and limit access accordingly: employees should have only the bare minimum access required to do their jobs (the principle of least privilege). This protects them and protects the organization. If you are not continually reviewing system access, your organization is more exposed to a devastating cyber attack. If an employee's credentials are compromised but their access has been minimized, an attacker can only get as far as those credentials allow.
4. Reward Awareness and Good Security Posture: If your employees are continuously trained, attackers have fewer opportunities to infiltrate your organization. Training in maintaining a good security posture also helps employees recognize phishing and other attack attempts. Encourage your employees to report anything suspicious, with easy-to-follow procedures and rewards for doing so. Training is imperative, but the awareness it produces is the real asset: a trained employee who notices and reports something is worth more than any completed training record.
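To make the Flesch Reading Ease check from recommendation 2 concrete, here is an added example (not code from the original article) that scores a passage of training text. The formula itself is Flesch's published one: 206.835 minus 1.015 times words per sentence minus 84.6 times syllables per word. The syllable counter is an assumed vowel-group heuristic, the 60-point pass threshold follows the article's "60-70 is acceptable" guidance, and the two sample sentences are constructed for the example.

```python
import re

# Flesch Reading Ease (Flesch, 1948):
#   FRE = 206.835 - 1.015 * (words / sentences) - 84.6 * (syllables / words)
# Higher is easier. Around 100 is very plain prose; 60-70 is normal web copy.


def count_syllables(word: str) -> int:
    # Assumption: a vowel-group heuristic. It is approximate, like the counters
    # in most word processors, but consistent enough for comparing two drafts
    # of the same training document.
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    groups = len(re.findall(r"[aeiouy]+", w))
    # A trailing silent "e" ("escalate") adds no syllable; "-le" and "-ee"
    # endings are left alone because the group count already handles them.
    if w.endswith("e") and not w.endswith(("le", "ee")) and groups > 1:
        groups -= 1
    return max(1, groups)


def split_sentences(text: str) -> list[str]:
    # Sentence boundary: terminal punctuation followed by whitespace or end of text.
    parts = re.split(r"[.!?]+(?:\s+|$)", text.strip())
    return [p for p in parts if p.strip()]


def words_of(text: str) -> list[str]:
    # Words are letter runs; an internal apostrophe keeps "don't" as one word.
    return re.findall(r"[A-Za-z]+(?:'[A-Za-z]+)?", text)


def flesch_reading_ease(text: str) -> float:
    sentences = split_sentences(text)
    words = words_of(text)
    if not sentences or not words:
        raise ValueError("text needs at least one sentence containing a word")
    syllables = sum(count_syllables(w) for w in words)
    return (206.835
            - 1.015 * (len(words) / len(sentences))
            - 84.6 * (syllables / len(words)))


def readability_report(text: str, minimum: float = 60.0) -> dict:
    """Score a passage and flag it if it falls below the 60-point floor
    the article gives for normal web copy."""
    words = words_of(text)
    score = flesch_reading_ease(text)
    return {
        "score": round(score, 1),
        "sentences": len(split_sentences(text)),
        "words": len(words),
        "syllables": sum(count_syllables(w) for w in words),
        "passes": score >= minimum,
        # The formula weights syllables per word (84.6x) far more heavily than
        # words per sentence (1.015x), so list the long words that hurt most.
        "hard_words": sorted({w.lower() for w in words if count_syllables(w) >= 4}),
    }


# Constructed samples: the same instruction as policy-speak and as plain English.
JARGON = ("Personnel must expeditiously escalate anomalous authentication "
          "events to the Information Security department.")
PLAIN = "If your login looks wrong, tell the security team right away."

if __name__ == "__main__":
    for label, text in (("jargon", JARGON), ("plain", PLAIN)):
        print(label, readability_report(text))
```

The jargon version scores well below zero (Flesch scores are not clamped, and a single sentence of four- and five-syllable words drives the result negative), while the plain version lands in the low 70s. Run your draft policies and phishing-awareness slides through a check like this before they go to staff, and treat the `hard_words` list as the rewrite queue.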
If healthcare organizations act on the four recommendations above, their chances of becoming a statistic on the HHS "Wall of Shame" breach portal are reduced. When an organization is successfully hacked, the financial ramifications are great, the negative publicity is high, and the confidence of the community it serves is low. Don't become a statistic. Make sure cybersecurity is high on the list of priorities. Remember, only you can prevent ransomware.