“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.” – Stephane Nappo
It is well known that there has been a digital boom in various industries from retail to education to, of course, healthcare. Noticeably, with the expansion of digital comes a surge in data breaches particularly in the healthcare industry. With this surge comes a great need for proper breach prevention tactics.
In 2021, more than 550 organizations reported healthcare data breaches to HHS, impacting more than 40 million individuals, with a single data breach estimated to cost $9 million. Considering record-breaking inflation, it is safe to assume that this number will continue to soar.
Breaches can range from large cyberattacks featured in the news to smaller privacy breaches affecting 500 or fewer patients. The impact of smaller breaches can be just as detrimental to healthcare organizations. According to Enzoic, smaller breaches often go unnoticed which can lead to companies being breached repeatedly.
A small breach can be a simple release of information (ROI) process error involving a patient’s protected health information (PHI). MRO’s research shows there are at least 40 disclosure points within a healthcare system. Most of those disclosure points occur outside the health information management (HIM) department in areas where individuals are not trained in PHI disclosure management.
The Precision Medical Initiative, the 21st Century Cures Act, and the US Department of Health and Human Services Office for Civil Rights has contributed to the push for making PHI more accessible to patients. The COVID-19 pandemic has also accelerated digital healthcare, allowing patients to check in for appointments and view their records online or on a mobile device. However, increased accessibility makes this private information more vulnerable to data leaks and breaches making breach prevention measures an invaluable facet of patient security.
Quality assurance (QA) is a crucial aspect of breach prevention. Research shows that around 30% of ROI authorizations are initially invalid, and without QA checks, approximately 10% of those will be processed with mistakes.
Common reasons for security breaches include:
- Ransomware
- Phishing
- Social media
- Use of unauthorized applications
- The Cloud
- Hackings
It is easy to assume that data breaches are carried out by malicious external parties, but as many companies are learning the hard way, data breaches most often occur via an unsuspecting internal party. The Ponemon Institute’s report suggests that 61% of insider threat incidents are due to negligent insiders. Hackers can prey on insiders via phishing emails, and they can also gain access to sensitive information through an insider’s mobile device.
It is important to acknowledge the vulnerabilities of mobile devices: they can be stolen or lost, and hackers can gain access through unsecured WIFI or weak authentication. You can practice breach prevention with mobile devices by avoiding using public or unsecured WIFI, keeping up with device maintenance, using a two-step authentication, and make sure your device is with you before leaving a location.
There are steps and practices that you can implement for breach prevention. It is better to acknowledge that data breaches are inevitable than to assume your organization is immune to such attacks. Here are five best practices for breach prevention.
Five Best Practices for Breach Prevention
1) Create a patient data protection committee.
This committee should oversee the organization’s patient privacy compliance program and conduct quarterly risk analyses and assessments. Serving as the incident response team, each committee member should review policies and procedures annually. In addition to these responsibilities, a patient data protection committee should perform mock HIPAA audits using Phase 2 protocols from the OCR.
2) Provide ongoing education and training for workforce members.
Many breaches are caused by unintentional actions taken by workforce members who are not familiar with the proper policies and procedures for PHI disclosure management. Organizations should provide formal training at least once a year to ensure compliance with applicable federal and state laws. Provide reminders of policies and procedures through emails, posters, and patient privacy awareness activities.
Some free helpful tools include:
• OCR’s website
• OCR’s YouTube channel
• AHIMA’s Body of Knowledge
3) Implement HIPAA’s security rules for administrative, physical, and technical safeguards.
Make sure your organization’s risk analysis is current and complete. This is the key to avoiding potential threats and vulnerabilities. Use technologies that strengthen your compliance program and access monitoring software. For guidance on technical safeguards, visit the HHS website.
4) Test the effectiveness of your compliance program.
There are several ways to do this. Through internal, external and penetration audits. Through social engineering, which involves fake phishing emails, fake phone calls, and checking desks for exposed passwords. And finally, through mock breach exercises.
5) Assess your Business Associates’ compliance.
With proper due diligence and periodic vendor assessments, healthcare providers can safeguard their organizations against breach by way of their BAs. Additionally, Business Associate Agreements (BAAs) can ensure HIPAA compliance and hold subcontractors liable for potential violations.
When it comes to breach prevention it is better to start sooner rather than later, making the Investment now will pay off immensely in the future.
