Jill is the administrator for a 25-bed rural hospital in a remote part of Texas that receives patients from almost an hour away in every direction and serves as the county's only hospital. A discussion with Jill about cybersecurity practices provides insight into the various reasons why administrators may not be aware of the danger that lies just beyond their firewall. Surprised by the implications of her internal network password policies not meeting standards, Jill states, “Our hospital is one of the most remote in the state, how and why would we be targeted by hackers?” She is not alone in thinking that her geographical location will diminish the odds that her facility will be vulnerable to a cyber-attack.
It is common for healthcare executives to report that securing their data is mainly focused on meeting compliance objectives so they can qualify for federal incentive programs. While incentive programs are meant to encourage organizations to meet compliance objectives, they fall short in addressing the nuanced individual business practices that fall outside the scope of compliance measures. Compliance standards in and of themselves do not provide detailed guidance or a methodology to ensure protection of ePHI data.
As the number of compromised ePHI records continues to rise, healthcare providers are not waiting around to try to identify risks. 31,611,235 healthcare records were breached in the first 6 months of 2019, which is double the number of records exposed in healthcare data breaches in the entirety of 2018 (14,217,811 records), according to the 2019 Mid-Year Data Breach Barometer Report from Protenus and Databreaches.net, as cited by HIPAA Journal.
E-mail is a pervasive target for hackers to exploit in healthcare, and the problem is predicted to get worse. A 2018 HIMSS and Mimecast survey revealed that 87% of the CIOs and IT directors surveyed believed that e-mail poses the greatest vulnerability to exploitation by hackers. E-mails sent by nefarious sources can cleverly deceive end users by looking legitimate and can contain links with embedded malware, viruses, and ransomware. All it takes is 1 click for an organization to be compromised.
As business operations continue to grow more complex and the sheer volume of devices connected to the internet continues to rise, many healthcare leaders are waking up to a new reality. Over the last decade, new risks to data have come to pose an even greater risk to the long-term survivability of healthcare entities and the patients they care for.