There seems to be a new scientific study published every day—like this one that alleges that eating cheese every day might actually be healthy. Understandably, many of these studies fly under the radar — but two recently published reports regarding cybersecurity and health care should not. These two reports show that the healthcare industry in particular is continuing to struggle with cybersecurity issues. Understanding the vulnerabilities revealed by these studies is important to healthcare organizations attempting to reduce their cybersecurity risks and legal liabilities.

The Protected Health Information Data Breach Report, published by Verizon, reveals that a majority of data breach incidents within the healthcare industry involve insiders. This may come as a surprise to some who underestimate the potential risks from insider threats. The report suggests that almost half of all internal threats are derived from intentional misuse of protected health information. Among these cases of intentional misuse, nearly half were motivated by financial incentives—with "fun" and curiosity about the contents of records being the next most common motivation.

Of course, not all cases of internal breach were found to be intentional. In fact, a majority of cases of internal breach were unintentional—with mis-delivery and disposal loss as the two most frequent reasons cited. The report also suggests strategies for avoiding these sorts of breaches—such as full disk encryption, routine monitoring of record access, and building resiliency to combat ransomware attacks.

In a second report, generated by KPMG LLP following a survey of healthcare and life sciences industry leaders, over half of respondents admitted being unprepared for a cybersecurity incident in their organization. These respondents often reported that their organizations did not have any written operating procedures to guide response to a cyberattack and they were unaware of what standards existed for breach response.

Taken together, the reports demonstrate that there are persistent issues involved in securing healthcare data, and many organizations are underprepared in the event of a breach. Not only are patients at risk but these healthcare organizations are at risk if proper preventative measures and response actions are not taken.

Fortunately, there are relatively straightforward methods for reducing risk—such as updating cybersecurity policies for compliance and preparing a full incident response plan in the case of a breach—provided an organization devotes itself to implementing those policies.
