Cyber-Security and Data Breaches: What Does it Mean for Your Center
September 5, 2019
by Nick Jaworski, Digital Community Builder of Circle Social, Inc.
This article is for educational purposes only and as technology changes and improves this information should be used only for awareness and does not guarantee cybersecurity.
The healthcare sector saw 15 million patient records compromised in 503 breaches in 2018. That's three times the amount seen in 2017, according to the Protenus Breach Barometer. In today's world, technology is a must. The issue is that we have far more technology than we know how to properly run. This can become a big issue in the medical field where data breaches can mean compromising patient information.
In hospitals, clinics, insurance companies, and even third-party billing agencies, you regularly hear about how they were compromised by new attacks from ransomware and phishing attacks.
This can be a very serious matter because, once this breach has occurred, you could be facing fines for HIPAA compliance. In fact, State Attorney Generals are now looking to crack down on these breaches by forming multi-state lawsuits to address negligence in implementing proper protocols to prevent cyber attacks.
What is a Cyber Attack or Data Breach?
A data breach occurs when personal information or protected data is accessed, obtained or disclosed in an unauthorized manner. In a cyber-attack, access is the main point of concern. Data breaches may include personal health information (PHI), personally identifiable information (PII), trade secrets, or intellectual property.
Common exposures may include credit card numbers, social security numbers, past health histories, customer lists, or financial records. This includes manufacturing processes and software that is the intellectual property of a business.
Not all data breaches are leaked on purpose. The most common way a data breach occurs is through cyber attacks. In fact, criminal hacking was the leading cause of security breaches involving data loss at 48% with malware (a type of software used to extract information) being second at 30%. Data breaches within companies and businesses can occur for a number of reasons, including accidentally, but targeted attacks are typically enacted toward system vulnerabilities, weak passwords, and malware.
You need to be aware of the risks that your company may have that could cause data breaches and make sure that you are employing the right kind and the right level of security to protect not only yourself, but also your clients from what could be irrefutable harm.
What Do I Need to Do If My Data Was Compromised?
Data compromises can be very serious. If your company, healthcare center, or treatment center has been breached, there are steps that should be taken immediately.
Secure the Breach: This may seem obvious but, in the wake of a breach, there can be a lot of confusion and even panic. It is best to determine where you were breached, how you were breached, and how expansive the breach is.
Stop Additional Data Loss: Once you determine where the breach came from, you need to make efforts to stop additional loss. Take machines offline until they can be looked at by experts. If the hacker stole an employee's credentials, have everyone (or at least those involved) change their passwords, PINs, and/or other login information.
Remove Information That May Be Online: If the hacked information was posted to your website, you need to remove it immediately. Some search engines will cache information, so it is important that you contact them so personal information isn't archived. You will also need to do a search for your information on other sites and make sure that is removed as well.
Fix Any Vulnerabilities: Assess your service providers if they were involved. You may need to change the access that they have to your clients' information. Your network should also be set up in segments to prevent one breach from compromising other areas of your business. If you need to make changes, now would be the time to do so. You should also have a comprehensive communication plan to provide any affected party (clients, stakeholders, business partners, etc.) with the appropriate information.
Notify Appropriate Parties: You should notify law enforcement, other affected businesses, and affected clients/individuals. You also have to determine your legal requirements. Some states, the District of Columbia, and the Virgin Islands mandate reporting. Depending on what information was breached, there may be other laws and/or policies that have been broken and need to be addressed. Not notifying the appropriate authorities is where many HIPAA violations occur.
According to the FCC, if your breach involved electronic health information then you should:
"Check if you're covered by the Health Breach Notification Rule. If so, you must notify the FTC and in some cases, the media. Complying with the FTC's Health Breach Notification Rule explains who you must notify, and when."
What Do Violations Mean for My Center and Me?
Violations can range from notifications to the public to fines and/or lawsuits, or even time in prison. Government entities are well aware of the fact that data breaches are a fact of life now.
One of the biggest reasons that centers receive HIPAA violations doesn't have to do with an actual security breach but a failure to perform an organization-wide risk analysis. Without regular assessment, you don't know if your center has any risks for being compromised and, therefore, you cannot put any measures in place to protect valuable and personal information.
HIPAA compliance is about risk reduction to an appropriate or acceptable level. Many security breaches do not involve a HIPPA violation and are dismissed. As long as your company is doing its best to mitigate the risk of information breaches, you should be covered.
One of the biggest risks for your center is in reputation. Even though breaches happen, you should do your best to be transparent and honest with every client. They have already had their personal information exposed, you must not alienate them further by being dismissive or deceptive.
What Can I Do to Protect My Client's Information?
The number one thing that you can do to protect your client's information is to perform a regular risk analysis of your network. Identify if you have any areas that are at risk. If you find any, it is mandatory that the issue must be resolved. Not resolving issues that could put client information at risk is also a HIPAA violation and can lead to some hefty fines.
Training and education are also important. Your employees should learn when and where they should be logged in to company electronic devices. Establish written protocol and make sure that employees are securing their stations (putting away files and locking them up, logging out of computers, etc.) every night or when they are leaving their work stations.
You should also only retain the data that you absolutely need. Streamline everything as much as possible so there isn't an abundance of data scattered in different areas. Minimize the number of places that you store data and know what you are keeping and where it is at.
You should also be aware of how you are getting rid of data or devices that store data. Reformatting and deleting the memory isn't enough. You need software that is designed to permanently wipe the hard drive.
Lastly, stay up on your cyber-security. Security patches for your computers should always be updated regularly, in addition to making use of firewalls, anti-virus, and anti-spyware software. Also, review your software vendors' websites for any updates involving vulnerabilities and involving patches.
A national membership association that provides education and advocacy for those in the behavioral health and addiction treatment industries.
We are the leading and unifying voice of addiction-focused treatment programs.