In healthcare, cybersecurity is more than just technical procedures and controls to safeguard computer systems and networks. Healthcare cybersecurity services are also an important component of an organization’s patient safety initiatives.
A single health record contains a host of sensitive data, including a patient’s protected health information (PHI), financial information, personally identifiable information (PII), and even intellectual property (IP) pertaining to medical research. This makes healthcare organizations a key target of cyberattacks, and a stolen health record can sell for up to 10 times the price of other stolen data on the dark web.
Cyberattacks compromise patient safety, care delivery, and the organization’s financial resources. In this article, we will discuss cybersecurity concerns for healthcare organizations, explain the various regulations that govern sensitive information, and show how cybersecurity services are an integral part of regulatory compliance.
Top cybersecurity concerns for healthcare organizations
While no company wants to fall victim to a data breach or ransomware attack, healthcare organizations also must consider the impact of a cyberattack on their patients and the care they receive.
Cybercriminals acquire and use patient data to file fake medical claims, purchase prescriptions, buy medical equipment, and commit other types of medical identity theft. In some instances, cybercriminals have even used an individual’s personal health history (such as surgeries, illnesses, etc.) to target them directly with scams and frauds.
What’s more, ransomware attacks can directly threaten patient safety when they disrupt operations and cause downtime. For example, the 2017 WannaCry ransomware attack led to the cancellation of more than 19,000 appointments in the United Kingdom’s National Health Service, as affected trusts turned patients away and diverted them to unaffected facilities.
According to a Ponemon Institute report, healthcare ransomware attacks have the following impacts on patient health:
- Increased patient mortality rates.
- Delays in procedures and testing that led to poor clinical outcomes.
- Increased patient transfers and diversions.
- More complications from medical procedures.
In 2021, a lawsuit against an Alabama medical center became the first publicly reported allegation connecting a ransomware attack to the death of a patient. Springhill Medical Center was hit with a ransomware attack in 2019 that disabled its computers for more than a week, compromising multiple systems, including the fetal heart-rate tracing displays that nurses rely on during labor.
The lawsuit alleges that without such monitoring systems, the healthcare center was unable to properly care for the plaintiff and her child during labor and delivery. The infant suffered brain damage, spent months in neonatal intensive care, and ultimately passed away.
Due to the potential impact on patient safety, it’s no wonder that healthcare organizations are more likely than other business entities to pay the ransom demand following a ransomware attack. In 2021, 61% of healthcare organizations paid the ransom, compared to the worldwide average of 46% across all industry sectors (Sophos, The State of Ransomware in Healthcare 2022).
Laws and regulations for protecting sensitive information in healthcare
When it comes to protecting sensitive information in healthcare, organizations are subject to a variety of laws and compliance requirements. One of the most important regulatory provisions in the U.S. is the Health Insurance Portability and Accountability Act (HIPAA), whose Privacy, Security, and Breach Notification Rules set out how PHI may be used, how it must be protected, and when its loss must be reported. HIPAA applies to covered entities, which include:
- Healthcare providers
- Health plans
- Healthcare clearinghouses
Business associates, the vendors that create, receive, maintain, or transmit PHI on a covered entity’s behalf (including cloud storage and backup providers), are also directly liable under the HIPAA Security Rule.
What leaders at healthcare organizations may not realize, however, is that regulatory requirements encompass more than just HIPAA. For example, health insurance providers are both HIPAA-covered entities and subject to Gramm-Leach-Bliley Act (GLBA) requirements. The GLBA applies to many types of financial institutions, including insurance companies, and requires these institutions to protect the security and confidentiality of customer data.
In addition to PHI, healthcare entities also typically accept card payments, which makes them subject to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is not a law but an industry standard enforced through contracts with the card brands and acquiring banks; it is designed to prevent fraud and misuse of cardholder data and applies to any organization that transmits, processes, or stores it.
Requirements such as HIPAA, GLBA, PCI DSS and more are all aimed at protecting sensitive data, but each defines its scope, required controls, and penalties differently. This is why it’s critically important for healthcare industry IT departments and leadership to coordinate data security across the entire organization and prevent unauthorized access to PHI and other sensitive data.
Failure to properly store and manage healthcare data can have professional, legal, and financial consequences:
- Civil penalties for HIPAA violations range from $100 to $50,000 per violation, capped at roughly $1.5 million per year for violations of the same provision (both figures are adjusted annually for inflation), which adds up quickly in the event a healthcare entity is cited for multiple violations.
- GLBA non-compliance can cost companies as much as $100,000 per violation. Officers and directors can also be fined personally up to $10,000 per violation and could serve a five-year prison sentence.
- PCI DSS non-compliance fines run from $5,000 to $10,000 per month. Each payment card brand (such as Mastercard, Visa, etc.) can assess fines on the organization’s acquiring bank, which passes them on to the non-compliant organization, adding up to monthly fines upward of $500,000 in total.
Cybersecurity services for the healthcare industry
As cyberattacks increase in frequency and complexity, organizations in the healthcare industry must prioritize cybersecurity services to protect their patients and data. Many healthcare providers are particularly vulnerable to data breaches due to their reliance on legacy systems. These systems may no longer receive security patches or updates and accordingly cannot be brought up to current cybersecurity standards.
The majority of medical imaging devices (83%, according to a 2020 figure reported by HIPAA Journal) run on outdated, unsupported operating systems, increasing the risk of data loss and compromise. This makes legacy software, operating systems, and associated devices easy points of access for cybercriminals looking to infiltrate a healthcare network. According to the Cybersecurity and Infrastructure Security Agency (CISA), 58% of healthcare organizations rely on unsupported legacy software and operating systems, which leaves critical systems vulnerable to data theft and exploitation.
While outdated operating systems are a security concern, limited financial and staffing resources make it cost-prohibitive to replace them. Where replacement is not feasible, the usual compensating control is to segment legacy devices into isolated network zones with tightly restricted access, so that a compromise of one device cannot spread. The healthcare sector is also experiencing shortages in both physicians and cybersecurity staff, which can leave existing teams stretched too thin to properly manage data vulnerabilities.
However, there are other cybersecurity services that healthcare organizations can use to protect critical data and comply with applicable regulations:
- Data backups should be maintained in secure environments, such as cloud storage operated by a provider that has signed a Business Associate Agreement (BAA) defining the responsibilities of both the healthcare organization and the cloud service provider (there is no official “HIPAA certification” for a product; the BAA and the provider’s documented controls are what count). These storage solutions offer additional features and services to enhance data security, such as strong encryption and long-term data retention policies. Because ransomware routinely targets backups, at least one copy should be offline or immutable, and restores should be tested regularly; a backup that has never been restored is not a recovery plan.
- File-level encryption protects data in transit as it travels over a network and at rest when it is stored in a device, database, or other medium. This protects data files against unauthorized access because the contents are unreadable without the correct decryption key. Under HHS breach-notification guidance, PHI encrypted according to NIST-referenced standards is not considered “unsecured,” so its loss or theft is not a reportable breach, provided the decryption key was not compromised along with the data. Key management is therefore as important as the cipher itself: keys must be stored and controlled separately from the files they protect.
- An access control system ensures that only authenticated and authorized users can reach systems and devices that contain sensitive information. For example, permission-based user roles grant employees access on the basis of their job role and responsibilities, following the principle of least privilege; multi-factor authentication protects those accounts against stolen passwords. Role-based access also makes it easier to log and monitor system activity and to respond quickly to suspicious or unsafe user actions.
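The encryption bullet above says encrypted files are unreadable without the key. The following is an added example (not code from the original page or from WinZip) showing what that looks like in practice for a record at rest, using AES-256-GCM from Go’s standard library: the file is sealed under a key held separately from the data, a record identifier is bound to the ciphertext as authenticated data, and any tampering with the ciphertext or use of the wrong key is rejected outright rather than yielding garbage. The record contents and the `mrn-000123` identifier are constructed sample values, not real patient data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is 32 bytes, i.e. AES-256.
const KeySize = 32

// NewKey returns a fresh random AES-256 key. In a real deployment the key lives
// in a KMS or HSM and is never written next to the ciphertext it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals plaintext with AES-256-GCM. A random 12-byte nonce is
// prepended to the output, and recordID is bound as additional authenticated
// data so a ciphertext cannot be silently moved from one record to another.
func EncryptRecord(key, plaintext []byte, recordID string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce we pass as dst.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord reverses EncryptRecord. Any change to the ciphertext, nonce or
// recordID, or use of the wrong key, makes the GCM tag check fail and Open
// returns an error instead of plaintext.
func DecryptRecord(key, sealed []byte, recordID string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

// newAEAD enforces the key length and builds the GCM instance.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", KeySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte(`{"mrn":"000123","dob":"1970-01-01","dx":"E11.9"}`)
	key, _ := NewKey()
	sealed, _ := EncryptRecord(key, record, "mrn-000123")
	fmt.Printf("sealed %d bytes (%d plaintext + 12 nonce + 16 tag)\n", len(sealed), len(record))

	plain, err := DecryptRecord(key, sealed, "mrn-000123")
	fmt.Println("correct key and record ID:", err == nil && string(plain) == string(record))

	// Flip one byte of the ciphertext: the tag no longer verifies.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptRecord(key, tampered, "mrn-000123")
	fmt.Println("tampered ciphertext rejected:", err != nil)

	// An attacker who steals the file but not the key gets nothing.
	other, _ := NewKey()
	_, err = DecryptRecord(other, sealed, "mrn-000123")
	fmt.Println("wrong key rejected:", err != nil)
}
```

Two design points matter for the HIPAA safe harbor the bullet mentions: the key is generated and held apart from the data (here only in memory; in production in a KMS), and GCM gives integrity as well as confidentiality, so a stolen file cannot be quietly altered and re-presented. Random 96-bit nonces are safe for the volume of files a single key would reasonably protect, but a key should be rotated rather than used for billions of records.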
How WinZip Enterprise helps keep healthcare organizations compliant
WinZip® Enterprise offers a complete collection of healthcare cybersecurity services to protect sensitive data. It uses AES encryption; HIPAA does not mandate a specific algorithm, but the HHS breach-notification guidance points to NIST standards, and AES is the NIST-approved symmetric cipher used to meet them. WinZip Enterprise also integrates with a variety of cloud storage and instant messaging platforms, so files stay encrypted in transit between user devices and storage.
WinZip Enterprise is highly customizable, which empowers IT teams to set and enforce security, sharing, and backup policies. From access controls to system monitoring and more, WinZip Enterprise helps healthcare organizations comply with relevant data security standards, including HIPAA, GLBA, and PCI DSS.
Discover how WinZip Enterprise can help keep your healthcare organization compliant.