The COVID-19 pandemic threw multiple challenges at the healthcare industry. The sector saw a steep increase in demand that led to the collapse of health infrastructures in different parts of the world. What’s more, the industry experienced an unprecedented cybercrime surge.
According to an IBM report, the most attacked sector in 2020 was healthcare, and experts expect this trend to continue into 2021 and beyond. Increased adoption of a hybrid workforce model and telemedicine have created vulnerabilities threat actors are eager to exploit.
Protected Health Information (PHI) threats are a significant concern for every healthcare-related organization because:
- According to TechJury, healthcare data breaches cost an average of over $400 per record. The cross-industry average is close to $150 per record.
- Over 90% of healthcare organizations reported at least one security incident in the last three years, according to the US Healthcare Cybersecurity Market 2020 Report.
Keep reading to learn how your organization can protect itself against sophisticated ransomware and other threats that affect healthcare data security and compliance.
The Role of NIST CSF and Security Risk Analysis
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a joint initiative by the US government and the private sector. It provides a globally applicable policy framework of cybersecurity guidance. This framework outlines how organizations can assess and enhance their capability to block, detect and respond to cyberattacks.
A new federal law sanctioned on January 5, 2021, plans to reward Health Insurance Portability and Accountability Act (HIPAA) covered entities that have implemented NIST CSF. The law takes an enormous burden off by reducing fines and providing audit relief if you prove you have applied the NIST CSF for the past 12 months.
One of the crucial measures highlighted by HIPAA and NIST CSF to reduce risk is security risk analysis. It helps evaluate the threats/vulnerabilities that affect the privacy, integrity, and accessibility of PHI.
There is a lot of misinformation regarding security risk analysis making the rounds. Before discussing that, it is essential to know about a significant threat to the healthcare industry — ransomware.
Know the Expanding Ransomware Threatscape
The following stats prove how severe ransomware threats are:
- Healthcare Innovation reported that ransomware cost the healthcare industry over $20 billion in 2020.
- The attack vector caused close to 10% of breaches reported in 2021, according to Verizon DBIR 2021.
Under the HIPAA privacy rule, a ransomware attack is a notifiable violation even if PHI is just encrypted and not copied or stolen. With businesses getting smarter by having offline backups to recover their data and operations rather than paying a ransom, cybercriminals are resorting to new ransomware approaches such as:
Double-threat ransomware: Hackers use this approach to encrypt healthcare data and make copies for themselves. The targeted organization then receives a note demanding payment for the decryption keys as well as a warning threatening disclosure of the protected data if the ransom isn’t paid.
Triple-threat ransomware: In this approach, an organization receives a ransom note demanding payment and is threatened with disclosure of protected data, while their patients receive ransom notes demanding payments as well.
Healthcare Security Risk Analysis Myths Debunked
Listed below are five of the most common myths regarding security risk analysis.
Myth #1: It is optional for small providers
Truth: All HIPAA-covered entities must perform a risk analysis. The same applies to providers who want to receive Electronic Health Record (EHR) incentive payments.
Myth #2: Installing a certified EHR fulfills the Meaningful Use (MU) requirement
Truth: Performing security risk analysis is a must even if there is a certified EHR. The MU requirement covers all PHI you maintain, not just what is in the EHR.
Myth #3: The EHR vendor takes care of all privacy and security matters
Truth: The EHR vendor may provide information, support and training on the privacy and security matters of the product, but they are not responsible for making the product compliant with privacy/security regulations.
Myth #4: Security risk analysis needs to focus only on the EHR
Truth: You must analyze all electronic devices that handle PHI and not just the EHR.
Myth #5: Risk analysis needs to be conducted just once
Truth: To comply with the regulations, you must constantly ramp up your security posture. This includes conducting regular risk analysis.