Identity Theft Possible with 70% of Healthcare Breaches
According to a study conducted by the Annals of Internal Medicine, the majority of healthcare breaches involve sensitive information that can be used to commit identity theft. The report analyzed 1,461 healthcare breaches that occurred over the past decade and found that 71% of the breaches involved, “compromised sensitive demographic or financial information that could be exploited for identity or financial fraud.”
Furthermore a report conducted by Moody’s Investor Service stated, “Small hospitals, particularly critical access hospitals, that lack the resources for a dedicated cybersecurity expert will be more vulnerable. A lack of qualified talent will also remain an industry challenge and require additional investment, leaving less room for investment in other operational areas.”
Small Business Cybersecurity Prevent Healthcare Breaches
Many small businesses do not prioritize cybersecurity as they don’t think they will be the target of hackers. However, hackers see small businesses as easy targets, making them more likely to target a small business than a large corporation. As such, small business must implement cybersecurity policies to prevent healthcare breaches.
The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare entities of all sizes to implement safeguards to secure protected health information (PHI). Safeguards must include administrative, technical, and physical protections.
- Administrative: relates to the policies and procedures surrounding the use and disclosure of PHI. These must be customized to directly relate to business operations. Employees must be trained annually on an organization’s policies and procedures as well as HIPAA requirements.
- Technical: relates to the security measures that secure sensitive data. This may include encryption, firewalls, and data backup.
- Physical: relates to security measures of an organization’s physical site, such as a dental office. Patient files must be inaccessible to unauthorized individuals, as such paper records should be in a locked room or filing cabinet.
Additionally, the Department of Health and Human Services (HHS) recommends ten cybersecurity practices that healthcare entities should implement:
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
HIPAA compliance and cybersecurity go hand-in-hand, however, both are difficult to navigate. To implement an effective HIPAA compliance program, that includes cybersecurity practices, it is recommended to consult an expert.