Every year, experts make predictions on what the following year is going to hold in terms of trends in the cybersecurity industry, what new threats we might face, and what impacts those threats might have on the average person. For years we heard about credit card security and the associated breaches that took place and that would continue to take place for years to come. At the end of 2014 we started to hear rumblings about healthcare being a target in 2015 and years to come. Why would that be? Why would hackers and thieves go after the healthcare market and what benefits would they realize if they were successful?
To answer those questions, we have to look at this from a different perspective than we are used to: money. Today, hacking is a big business that generates millions of dollars for criminal enterprises and organized crime entities around the world. Credit card numbers, which sell for pennies on the dollar in the underground market, were bought in volume because ultimately you would be able to use each one a single time before the banks were alerted to suspicious activity and shut the card down. Unfortunately, that happened to me twice in the past 2 years, at Target and at the Home Depot. This is a volume game. But what about medical records and personally identifiable information (PII) such as your driver's license number, social security number, and other identifying information? That is worth far more and can be far more damaging to the individual it is stolen from. The reason is quite simple. Think about how fast you can have your credit card replaced and re-issued. That happens pretty quickly, and while it is inconvenient, the pain lasts a couple of weeks to a month and then you are back to normal. But what happens if someone steals your social security number? That becomes a lot more challenging, as a social security number is not easily replaced and ultimately is the gateway to your life.
In 2015, the top ten breaches on the Department of Health and Human Services "Wall of Shame" accounted for almost 111 million patient records. To put that in perspective, that is roughly 34% of the population of the United States having their personal information stolen in an IT/hacking incident in healthcare. In a majority of these instances there was one common thread: no HIPAA Risk Assessment was conducted, or, if one was conducted, its recommendations were not followed. As a result, healthcare is a prime target for hackers for a number of reasons, some of which include:
What can healthcare organizations do about this to mitigate the risks of a breach and the hefty fines that could come with it? It's all about the HIPAA Risk Assessment: understanding where the gaps might reside in your people, process, and technology, and ultimately how you can mitigate those risks. Another thing to consider is spending some time to understand what is required of you and avoid the Compliance Confusion that we listed above. If you don't know what you need to do and when, how can you possibly be compliant? For example, a HIPAA Risk Assessment needs to be conducted on a yearly basis to account for changes in people, process, and technology. The bottom line is to be educated about what you need to do to comply and to seek expertise in getting assistance. For more information on how Compass IT Compliance can help your organization, contact us!