The healthcare industry is undoubtedly one of the industries most targeted by hackers and other cybercriminal activity, mostly because so much valuable data is stored in healthcare organizations’ databases. Because this information is so sensitive and so much is at stake, attackers who get hold of it will often hold it for ransom, threatening to erase or expose it.
Like all data breaches, healthcare breaches have a huge effect on the lives of the people represented by the data as well as on the businesses that hold it. Healthcare organizations and businesses carry an added layer of responsibility because of the content and sensitivity of the information they manage. Beyond the ethics of protecting healthcare data, there are also laws that hold healthcare organizations to a certain standard, the most ubiquitous being the Health Insurance Portability and Accountability Act (HIPAA).
New pieces of data security and privacy legislation are being introduced all the time, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Data protection and privacy should be a top priority for all organizations. Everyone is a target, and these days it’s more a question of when, not if, you’ll experience an attack. Two takeaways from the GDPR that apply across the board: it doesn’t matter whether your data breach was a mistake, and you should take responsibility for your data and report any errors or breaches through the proper channel as soon as possible.
As mentioned before, businesses of all sizes can be targeted, and smaller businesses often don’t have the resources and budget that their larger counterparts have. This doesn’t mean that small businesses are doomed; it just means they have to be smarter and more precise about how they spend their security budget.
Check out the tips below to adopt stronger data security and protection practices for your small healthcare business.
Healthcare Data Governance
Data governance is the set of processes and practices that organizations use to protect their data, and it is imperative in the healthcare industry. According to the 2019 data risk report, healthcare, pharma and biotech had the most exposed, sensitive files on average (113,491 files), right behind the finance industry (352,771 files).
- Discover where protected health information (PHI) is stored. From there, categorize and classify that PHI. Mark or flag sensitive information and take note of who has access to it. Once you’ve gone through your files and folders, use what you found to build a risk assessment.
- Enact least privilege access. This means that team members only have access to the files necessary to do their jobs. Audit these permissions and privileges regularly.
- Eradicate stale data. This is data that is no longer needed, much of which poses an unnecessary security risk.
- Seek assistance where needed. If managing this seems out of scope, consider bringing in a consultancy or using a service or software to help you manage it.
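The discovery, classification and access-review steps above can be turned into a simple inventory. The following is an added example (not code from the original post or from Varonis) that scans a constructed set of file records for PHI indicators, records who can read each flagged file, and marks files that are open to broad groups or stale. The file records, the PHI patterns and the group names are hypothetical.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class FileRecord:
    path: str          # location of the file on a share (constructed)
    content: str       # text excerpt of the file (constructed)
    modified: datetime # last-modified timestamp
    access: set        # principals (users/groups) that can read the file

NOW = datetime(2020, 1, 15)             # fixed "today" so the example is deterministic
STALE_AFTER = timedelta(days=365 * 2)   # hypothetical retention threshold

# Minimal PHI indicators (hypothetical; a real classifier needs many more).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:\s]+\d{2}/\d{2}/\d{4}\b", re.IGNORECASE),
}
BROAD_GROUPS = {"Everyone", "Domain Users"}  # access granted to these violates least privilege

def classify(rec):
    """Return the names of the PHI indicators found in a file's content."""
    return {name for name, pat in PHI_PATTERNS.items() if pat.search(rec.content)}

def assess(records, now=NOW):
    """Build the risk inventory: PHI-bearing files, who can read them,
    whether access is overly broad, and whether the data is stale."""
    findings = []
    for rec in records:
        indicators = classify(rec)
        if not indicators:
            continue  # no PHI found; not part of the PHI inventory
        findings.append({
            "path": rec.path,
            "phi": sorted(indicators),
            "access": sorted(rec.access),
            "open_access": bool(rec.access & BROAD_GROUPS),
            "stale": (now - rec.modified) > STALE_AFTER,
        })
    return findings

SAMPLE = [  # constructed records, not real data
    FileRecord("/share/billing/claims_2015.csv", "Jane Roe, SSN 123-45-6789, MRN 00123456",
               datetime(2015, 3, 2), {"billing", "Everyone"}),
    FileRecord("/share/clinic/visit_notes.txt", "DOB: 04/12/1980, follow-up in 2 weeks",
               datetime(2019, 12, 20), {"clinicians"}),
    FileRecord("/share/it/printer_setup.md", "Install the driver and restart the spooler",
               datetime(2018, 6, 1), {"Everyone"}),
]
```

Running `assess(SAMPLE)` flags the old billing export as PHI that is both stale and readable by Everyone, while the recent clinical note is PHI with appropriately narrow access.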
What Makes Healthcare Businesses More Susceptible to Attacks?
The healthcare industry is an attractive prospect for hackers. Here are some reasons why:
- Healthcare information is valuable. A single patient’s record can be worth around $1000, so you can imagine how much a large hack is worth to criminals.
- Technology grows more complex without matching security upgrades. When a healthcare business acquires a great new device, it doesn’t always look into the device’s security features. Hackers target new technologies whose security hasn’t been fully worked out and exploit those vulnerabilities.
- There is a lack of funding and understanding when it comes to IT and cybersecurity in the healthcare industry. Not enough resources are being invested in securing devices and networks.
The most important part of your data security practices is awareness. If your team members aren’t on the same page, that’s when costly mistakes occur.
- Make data and cybersecurity a priority in your business and make sure it’s known by your team. Business owners should set the tone to help create a culture that values data security practices.
- Create a security plan that lays out procedures, including what to do in the event of a breach.
- Communicate with and educate employees through regular security news and updated training when necessary. Make this training and education about HIPAA a part of onboarding.
Use the tips above for more solid data security, but remember that if you don’t keep teammates on the same page, your hard work could be moot. Mistakes and risks from within the organization (insider threats) are the most common cause of breaches. See more on general small business cybersecurity tips here.
ABOUT THE AUTHOR(S)
Rob Sobers is a software engineer specializing in web security at Varonis and is the co-author of the book “Learn Ruby the Hard Way.”
Software Engineer, Varonis