Boston, MA
Sheraton Boston Hotel
Sep. 11-13, 2017

Eight Ways Healthcare Organizations Can Reduce Cyber Risk

By Barry S. Herrin, JD, CHPS, FAHIMA, FACHE

Barry S. Herrin, JD, CHPS, FAHIMA, FACHE, founded Herrin Health Law, P.C., a law practice dedicated to the needs of healthcare providers. Herrin advises on a variety of regulatory and operational issues, including hospital and healthcare operations and compliance, medical information privacy and confidentiality, managed care contracting, and hospital-physician collaboration. He shared his advice on how healthcare organizations can limit cybersecurity risk. He will be sharing his experience and insights during the session, “'Holistic' Security Framework Supports Business and Clinical Goals,” at the Healthcare Security Forum on Sept. 11.

Get involved. Join us for our #HITsecurity Twitter chat on Aug. 24, 2 p.m. Central Time to discuss your cybersecurity insights and connect with other industry experts.


According to presentations from the Federal Bureau of Investigation and the U.S. Secret Service, as of 2016:

  • 70% of the U.S. population has been affected by at least one data breach.
  • The total cost of data breaches and data theft through October of 2016 exceeds the gross domestic product of Sweden—$450 billion and rising.
  • 99.9% of data breaches are due to technology over one year old – that is, patches have not been applied or unsupported technology is still in use.
  • 60% of all data losses occur within five minutes of the system breach.
  • 80% of email and SMS messages are spam; 56% of Internet-based email traffic is sent by spambots.

In the healthcare industry specifically, the story is just as grim.

  • One in three Americans were affected by healthcare breaches in 2015. That’s more than 113 million individuals.
  • A lost or stolen record costs a healthcare organization $363 on average, per a Ponemon Institute report.
  • Hollywood Presbyterian’s information systems were held hostage in February 2016 for $3.6 million in Bitcoin.

Reducing cyber-risk for healthcare organizations can (and should) come from many different angles. Here are eight ways to jumpstart your cyber protection:

  1. Limit remote connectivity. The fewer access points to your healthcare data network, the better. Restrict your bring-your-own-device (BYOD) policy to include only organization-administered devices. This way, you can control the data on those devices, including malware/anti-virus protection and remote data wiping. Also, be sure to police connections from off-the-shelf devices to your networks so that no suspicious device is looking for a “back-door” entry.
  2. Block tracking cookies. Keep online traffic as invisible as possible. By blocking tracking cookies, third parties are unable to follow online traffic. Blocking them also avoids handing someone easy access to a secure account through automatically populated usernames and passwords.
  3. Limit employee access to social media and external email sites. As with entry into your data network, the fewer people who can reach social media and external email sites, the fewer people who are in a position to access or distribute sensitive information.
  4. Develop high standards for vendors. Almost every healthcare organization will work with a third-party technology firm of some kind, such as an e-signature provider or a billing software provider. Make certain that their security efforts meet or exceed your expectations. Perform a thorough audit of the vendor and ask detailed questions about the technology’s security before you sign a business associate agreement.
  5. Train your staff. Cybersecurity risk is lowest when everyone in an organization takes part in cyber protection. Safety in the workplace is cultural: cybersecurity should be also.
  6. Audit. Regularly investigate your organization’s security effectiveness and spot any weaknesses. It may also be wise to have a third party take an objective look at your security systems and processes. At a minimum, security audits should be done annually. Failure to have HIPAA-compliant security analyses performed is the most frequently sanctioned violation by the DHHS Office for Civil Rights, with penalties starting in the $100,000 range.
  7. Cooperate with law enforcement if a breach or attack occurs. If an attack occurs, work with law enforcement officials as openly as possible to detect and address the source of the problem. If known bad actors are responsible for your breach, making that statement in your notice to the HHS Office of Civil Rights can help reduce or eliminate fines and penalties. After all, the police don’t arrest the homeowner for having a bad lock when a determined burglar breaks in.
  8. Consider cyber insurance. Even after your organization has lowered its risk of a cyber-attack, cyber insurance may still be worth the investment. Be certain any insurance you purchase covers actions by rogue employees.

Find out how other industry leaders are creating proactive cybersecurity cultures at the Healthcare Security Forum in September.
