5 ways health care practices can mitigate cyberattack risk

Feature
Article
Digital cybersecurity and network protection | Image Credit: © adam121 - stock.adobe.com

The cyberattacks targeting health care are persistent and damaging.

Cyberattacks are evolving and becoming increasingly sophisticated. In the world of health care, factors such as remote care, complex IT environments, and connected health care devices are creating new avenues for cybercriminals to target.

Bad actors are eager to exploit vulnerabilities in any and all of these areas to access lucrative patient data such as Social Security numbers, driver’s license numbers, financial information, health data and insurance information.

To combat evolving and increasingly damaging cyberthreats, health care organizations must proactively operationalize key risk mitigation strategies aimed at effectively shoring up their cyber defenses.

Unyielding attacks

Threat actors are targeting the health care sector with a barrage of different attacks. Some of the most common types of attacks include hacking, ransomware, phishing and supply chain attacks.

The HIPAA Journal reported that 2023 saw a record 725 large health care security breaches reported to the U.S. Department of Health and Human Services Office for Civil Rights, beating the record of 720 health care security breaches set the previous year.1 As a result of these breaches, an average of 373,788 health care records were breached every day in 2023.

Research by the Ponemon Institute last year found that 88% of health care organizations surveyed had at least one cyberattack over the past 12 months and Check Point Software Technologies data revealed that the global health care sector experienced an average of 1613 cyberattacks per week, reflecting a significant year-over-year increase of 11%.

Critical consequences

The cyberattacks targeting health care are persistent and damaging.

One of the most recent attacks in this sector impacted Change Healthcare (part of Optum, a UnitedHealth Group company). In late February, the company reported that it was experiencing a cybersecurity issue that made some systems unavailable. The attack impacted the company’s pharmacy, medical claims and payment systems. According to news reports, the outage left some doctors unable to check patients’ eligibility for treatment or prevented them from filling prescriptions electronically. Fallout from the attack also extended to financial disruption for providers that were unable to receive reimbursements from insurers.

It is an unfortunate reality that no health care organization is immune from cyberattacks. These attacks can lead to lengthy care disruptions, patient diversions to other facilities and delayed medical procedures, all of which can jeopardize patient safety and put lives at risk.

Cyberattacks in this sector also negatively impact public trust and can inflict lasting damage on the reputation of health care organizations.

Moreover, the operational disruption of cyberattacks can lead to significant financial losses. The costs of health care data breaches are soaring. IBM’s 2023 Cost of a Data Breach report found that the average cost of a health care data breach reached nearly $11 million in 2023, increasing by 53% since 2020.

Fines for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are another financial risk associated with cyberattacks on health care organizations. The civil monetary penalty for knowingly violating HIPAA falls within the range of $13,785 to $68,928 per violation.

Best practice risk mitigation strategies

To combat pervasive cyber threats, it is essential for health care organizations to proactively adopt robust risk mitigation strategies. The following strategies can help health care enterprises prevent cyberthreats and strengthen their overall cybersecurity posture.

Implement multifactor authentication

Implementing multifactor authentication ensures only authorized users gain access to protected health information (PHI). Multifactor authentication requires a user to present a combination of two or more credentials to verify identity for login. With this layered approach to securing data and applications, if one credential becomes compromised, unauthorized users will be unable to meet the second authentication requirement and will not be granted access.

Use encryption

Encryption is an essential data protection measure for health care organizations. Encrypting PHI in transit and at rest guards against unauthorized access to sensitive data. This technology changes plain text into cypher text that cannot be read or used without the proper encryption key, ensuring that even if this data is intercepted, unauthorized individuals will not be able to read it.

Encryption is also a vital security practice for helping health care enterprises adhere to data protection and privacy regulatory requirements such as HIPAA.

Provide cybersecurity training

A majority of data breaches –– 74% –– involve human error. That is not surprising considering cyber criminals are targeting employees with a barrage of malware, phishing and password attacks. Research by Fortinet found that 81% of these attacks were targeted at employees.

Providing ongoing cybersecurity training is critical for making employees the strongest link in the chain of cybersecurity instead of the weakest link. This training should reinforce the fact that everyone plays a critical role in keeping the organization cyber secure and safeguarding patient data.

Regular training sessions should equip employees with the tools and knowledge they need to spot and combat cyberthreats. This includes understanding how to identify suspicious links and attachments, the importance of creating strong passwords and promptly reporting security incidents, and adhering to security policies.

Employees should also be educated on HIPAA policies and procedures as well as other applicable government privacy regulations.

Vet solution providers

As health care organizations are becoming digital workplaces powered by technology from third-party solution providers, it is critical to vet the security and data practices of these providers. Before selecting digital technology, health care enterprises should vet this technology to ensure the security and privacy practices meet or exceed the standards of their organization.

Adopt secure, compliant mobile messaging technology

Mobile messaging and collaboration platforms are an essential technology for keeping health care teams connected, productive and engaged. To build the most secure digital workplace, health care organizations need to adopt secure mobile messaging platforms that are private by design. That means a cloud-powered mobile messaging solution that features end-to-end encryption, full IT control, guaranteed compliance and no data collection ever.

Cyberattacks in the health care industry are evolving, increasing in frequency and severity. To protect patients and prevent operational disruptions, health care organizations should proactively adopt the best practice risk mitigation strategies outlined above.

REFERENCE

1. Alder S. Security breaches in healthcare in 2023. The HIPAA Journal. January 31, 2024. Accessed April 29, 2024. https://www.hipaajournal.com/security-breaches-in-healthcare/

Related Videos
Anne M. Suskind, MD, MS, FACS, FPMRS, answers a question during a Zoom video interview
African American doctor having headache while reading an e-mail on laptop | Image Credit: © Drazen - stock.adobe.com
Man talking with a doctor on a tablet | Image Credit: © JPC-PROD - stock.adobe.com
Anne M. Suskind, MD, MS, FACS, FPMRS, answers a question during a Zoom video interview
Related Content
Medical Coding Bill | Image Credit: © Andrey Popov - stock.adobe.com

Medicare’s G2211 and thoughts on how to best use it in urology

May 1st 2024
Article

"We felt that it was important to again address this topic because we have received numerous questions regarding the correct use of this code and we have had some experience using the code now that it is active and been able to observe some of the initial payment processing by the payer," write Jonathan Rubenstein, MD, and Mark Painter.

Health policy in urology: 2024 AUA Advocacy Summit recap

Health policy in urology: 2024 AUA Advocacy Summit recap

March 21st 2024
Podcast

In this episode of Speaking of Urology®, Eugene Rhee, MD, MBA, and Logan Galansky, MD, discuss key topics in health policy and recap the AUA's recent Annual Urology Advocacy Summit.

Female doctor working on a tablet | Image Credit: © NINENII - stock.adobe.com

How to bill for performing complex urodynamics

April 23rd 2024
Article

"To answer this question, one must know what is and is not included in the global payment for the UDS, and the definition and instructions for appropriate use of modifier 25," write Jonathan Rubenstein, MD, and Mark Painter.

How APPs can bridge the gap in urologist shortages

How APPs can bridge the gap in urologist shortages

August 28th 2023
Podcast

In this episode, Janelle Bunce, PA-C, highlights the role that advanced practice providers can play in filling the gaps created by the growing workforce shortages in urology.

Woman doctor doing medical billing at computer | Image Credit: © Andrey Popov - stock.adobe.com

Coding for bladder catheterization via a Monti channel

April 8th 2024
Article

"Use code 51702 for the routine insertion of an indwelling bladder catheter, such as a Foley," write Jonathan Rubenstein, MD, and Mark Painter.

Person using calculator | Image Credit: © Jirapong - stock.adobe.com

Qualified charitable distributions and avoiding taxes on RMDs

March 29th 2024
Article

"At age 73, you must start taking distributions from the account in the form of required minimum distributions (RMDs), which are typically taxable. This means you must include the RMD in your income and pay income tax on the distributed amount," writes Jeff Witz, CFP.

© 2024 MJH Life Sciences

All rights reserved.