The threat of a data breach in a health care facility is daunting. Privacy is the foundation of hospitals’ information systems, and compliance with the Health Insurance Portability and Accountability Act (HIPAA), along with the facility’s reputation, will be jeopardized if just one patient’s information falls into the wrong hands. Health care facilities are particular targets for two reasons:

  • Type of data stored: Health care facilities may keep a patient’s social security number, insurance and financial account data, birth date, name, billing address, and phone number, making them a valuable target for cyber attack.
  • Many potential vulnerabilities: Health care facilities are obligated to provide access to several external networks and web applications in order to stay connected with patients, employees, insurers or business partners. The volume of data shared represents a risk.

It is much less costly, both from a financial and reputational point of view, to prevent a cyber breach than to notify individuals and the Department of Health and Human Services of a breach as required by the Health Information Technology for Economic and Clinical Health Act (HITECH). As a result, administration must respond by preventing, detecting and responding to cyber attacks or misuse of patient records through a well-orchestrated cybersecurity program.

What are the Risks?

The first step in protecting your business is to recognize the parts of your processes that are prone to cyber attack.

Applications and systems: External applications and systems are ripe for improper access to sensitive patient data. Since administrators do not have complete control over the security of external applications, facilities should perform web application security testing on a regular basis.

Software flaws: Weaknesses in software and computer systems attract hackers and intruders. The results of this cyber risk can range from minimal mischief (such as creating a virus with no negative impact) to malicious activity (stealing or altering information). Intrusion prevention and detection systems can alert you to cyber attacks and allow you to respond in real time.

Malicious code (viruses, worms and Trojan horses): There are various types of malicious code that can put your organization at risk:

  • Viruses: This type of code requires that the user take an action before it can infect your system, such as open an email attachment or go to a particular webpage.
  • Worms: This code propagates between systems without user intervention. Worms typically begin by exploiting a software flaw or weakness. Once the victim’s computer is infected, the worm will attempt to find and infect other computers.
  • Trojan horses: This code is software that claims to be one thing while it is acting differently behind the scenes (for example, a program that claims to speed up your computer system but is actually sending confidential information to a remote intruder).

Implementing systems to prevent these attacks, including firewalls and regular security controls, is essential to protecting sensitive data.

Email lacking encryption: HIPAA guidelines require that some email communications with physicians’ offices and hospitals be encrypted to protect patient information. Since most communication is now electronic, monitoring these channels is especially important.

Insider attack: Current or former employees, ranging from billing clerks to clinicians, should understand that the consequences for consulting patient records without a valid cause can range from serious punishment to termination. Often employees are simply curious, and only a strict policy can effectively prevent this type of data loss. Many facilities implement log monitoring, in which logs of access to sensitive patient data are regularly reviewed.
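As an added example (not part of the article, and not any vendor’s product), the following Python script shows the kind of access-log review the paragraph describes. The log lines, the care-team table, the column names and the burst threshold are all constructed assumptions; a real facility would substitute its own audit-log format and its own source of treatment relationships.

```python
"""Review an access log for patient-record lookups without a valid cause.

Added example: flags chart accesses where the user has no documented care
relationship with the patient, where no reason was recorded, and where one
user opens many different charts in a short burst. All log lines and the
care-team assignments below are constructed sample data, not real records.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample log: one row per chart opened (timestamp, user, role, patient, reason).
SAMPLE_LOG = """timestamp,user,role,patient_id,reason
2024-03-01T08:02:11,dr_patel,physician,P1001,treatment
2024-03-01T08:15:43,clerk_jones,billing,P1001,billing
2024-03-01T09:30:05,nurse_lee,nurse,P2002,treatment
2024-03-01T11:47:29,clerk_jones,billing,P3003,
2024-03-01T12:05:10,dr_patel,physician,P3003,treatment
2024-03-01T12:06:14,dr_patel,physician,P4004,treatment
2024-03-01T12:07:02,dr_patel,physician,P5005,treatment
2024-03-01T12:07:55,dr_patel,physician,P6006,treatment
2024-03-01T13:22:48,nurse_lee,nurse,P9009,treatment
"""

# Constructed care-team table: users with a legitimate treatment or billing
# relationship to each patient (assumed to come from the scheduling/EHR system).
CARE_TEAM = {
    "P1001": {"dr_patel", "nurse_lee", "clerk_jones"},
    "P2002": {"nurse_lee"},
    "P3003": {"dr_patel", "clerk_jones"},
    "P4004": {"dr_patel"},
    "P5005": set(),
    "P6006": set(),
    "P9009": set(),
}


def parse_log(text):
    """Parse the CSV access log into a list of dicts with a datetime timestamp."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        records.append(row)
    return records


def review_access(records, care_team, burst_threshold=4, burst_window_seconds=300):
    """Return a list of findings; each is a dict with user, patient_id and issue."""
    findings = []
    for rec in records:
        allowed = care_team.get(rec["patient_id"], set())
        if rec["user"] not in allowed:
            findings.append({"user": rec["user"], "patient_id": rec["patient_id"],
                             "issue": "no care relationship"})
        if not (rec.get("reason") or "").strip():
            findings.append({"user": rec["user"], "patient_id": rec["patient_id"],
                             "issue": "no documented reason"})

    # Burst check: many distinct charts opened by one user inside a short window,
    # a common sign of browsing out of curiosity rather than for treatment.
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["timestamp"])
        for i in range(len(recs)):
            start = recs[i]["timestamp"]
            window = [r for r in recs[i:]
                      if (r["timestamp"] - start).total_seconds() <= burst_window_seconds]
            patients = {r["patient_id"] for r in window}
            if len(patients) >= burst_threshold:
                findings.append({"user": user, "patient_id": ",".join(sorted(patients)),
                                 "issue": f"{len(patients)} charts in {burst_window_seconds}s"})
                break  # one burst finding per user is enough for a reviewer
    return findings


def run_review(text=SAMPLE_LOG, care_team=CARE_TEAM):
    """Convenience wrapper: parse the sample log and review it."""
    return review_access(parse_log(text), care_team)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['user']:<12} {f['patient_id']:<24} {f['issue']}")
```

The review produces a short list for a privacy officer to follow up on rather than an automatic verdict: an access flagged as lacking a care relationship may still be legitimate (a covering physician, an emergency), which is why the reason field and the burst check are reported alongside it.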

Physical loss of information: Another potential risk is that of lost or stolen laptops, which can result in the loss of personal information related to patients or employees.

In the event of a security breach, HITECH calls for notification of the individuals concerned and Health and Human Services (HHS) in a short time span.

Risk Management

In the case of a surprise HHS or HIPAA inspection, facilities must prove that they are compliant with all regulations and requirements outlined in HIPAA and HITECH.

To reduce your facility’s cyber risks, it is wise to develop a comprehensive risk management plan. Risk management solutions utilize industry standards and best practices to assess hazards from unauthorized access, use, disclosure, disruption, modification or destruction of your facility’s information systems. Thereafter, perform regular security risk assessments, which will give you a better understanding of the risks posed to your protected health information and personally identifiable information outlined in these two acts.

You should also examine the controls in place at your facility to ensure they are sufficient for regulatory requirements. Executing this process helps your organization remain in compliance and demonstrates diligence and a commitment to compliance in the case of an audit.

Consider the following when implementing risk management strategies:

  • Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a characterization of all systems used at the organization based on their function, the data stored and processed and importance to the facility.
  • Perform security risk assessments at least on an annual basis, and update them whenever there are significant changes to your information systems or the facilities where systems are stored, or when there are other changes that may affect the vulnerability of the organization.

Selecting an ISP

In addition, your organization should take precautionary measures when selecting an internet service provider (ISP), which provides access to the internet, website hosting and other services. To select the ISP that will best reduce your cyber risks, consider the level of security, privacy and reliability it offers.

Transferring the Risk

Cybersecurity is a serious concern for all health care facilities. Contact INSURICA to learn about our risk management resources and insurance solutions, such as internet and media liability, security and privacy liability, and identity theft insurance today.

This article is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. © 2023 Zywave, Inc. All rights reserved.
