2020 has been a transformative year for the healthcare industry. COVID-19 underscored how essential and delicate our medical infrastructure can be. We changed our working environments and how we interact with one another.
In order for us to protect our physical health, we instituted remote work forces, implemented telehealth services, thermal scanners, COVID-19 contact-tracing technology, and turned to more digital engagements and reliance on third-party vendors, all while researching for a vaccine. What developed was an increase in risk for our data health.
The attack surface for any medical, research, or healthcare institution has been hard hit with cyber attackers recognizing the value of the information stored and transmitted. Bad actors have also identified vulnerabilities specific to the healthcare industry such as numerous medical devices are connected to unsecured networks; devices can be outdated and behind on expensive upgrades; staff needs access to patient data instantly – and while cyber awareness training could be conducted – in life or death instances, a system may not be logged off properly, exposing records to hackers lying in wait.
RECENT HEALTHCARE DATA BREACHES
Universal Health Services
University of Missouri Health Care
Piedmont Cancer Institute
Third-party vendor Blackbaud that provides customer management and financial services to Nuvance was breached.
The University of Tennessee Medical Center
Ransomware Attack on third-party vendor Blackbaud, the software provider.
Joslin Diabetes Center
Third-party vendor for fundraising and donor relations, Blackbaud, experienced a ransomware attack.
As much as these institutions try to practice reasonable and appropriate cyber hygiene in their morphing world, it is a monumental effort just keep systems current and operational. Security unfortunately sometimes becomes an afterthought. How to prioritize security investments is the first step to a reasonable security strategy. How do you define reasonable security for your organization?
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule and Meaningful Use require that organizations implement security controls that are “reasonable and appropriate” for their organization. To comply with these guidelines, the regulations instruct each organization to (1) select its security controls based on risk assessments, and (2) oversee the effectiveness of those controls using risk management.
Your risk assessment should provide guidance on how to balance your organization’s mission (what your business does), objectives (your business goals), and obligations (the care you owe to the public or others). Basically, your risk assessment guides you how to define your duty of care and establish your acceptable risk.
In an age of social distancing and increased digital exposure, ensure you take care – duty of care. We can help.
*U.S. Department of Health and Human Services Office for Civil Rights