When it comes to records, what are some of the most personal and sensitive records associated with your name that could be detrimental if they were exposed in a data breach? You may be thinking of your IRS record, which includes your filing history, or you may be thinking of your checking and savings account information at the financial institution you bank with. However, I personally think that the most sensitive data associated with your name is your medical records. Your medical records include not just your medical conditions, allergies, and past surgeries; they also include your social security number, date of birth, insurance information, and so much more. All of that combined can add up to identity theft when your medical records are sold on the black market.
HIPAA Journal shows that 37.47% more records were breached in 2019 than in 2018; the numbers climbed from 13,947,909 records in 2018 to 41,335,889 records in 2019. Furthermore, 155 million Americans have been affected by 1,500 data breaches in the past 6 years. In this past year, the number of victims has tripled.
According to IBM, the average cost per breached record across all industries is $158. In the healthcare industry, however, the average cost per breached record is $363, the highest of any industry!
The leader of the Brookings Institution study, Niam Yaraghi, interviewed 22 IT professionals in the healthcare industry. They discussed the lessons they have learned from the outcomes of this study. Yaraghi concluded that the following are the reasons why the healthcare industry is more vulnerable to data breaches than other industries:
- Health care data are richer and more valuable for hackers
- Too many people have access to medical data
- Medical data is stored in large volumes and for a long time
- The healthcare industry embraced information technology too late and too fast
- The healthcare industry did not have strong economic incentives to prevent privacy breaches
Furthermore, Yaraghi made the following policy recommendations so that the healthcare industry is less vulnerable to these detrimental breaches:
- Health care organizations should prioritize patient privacy and use the available resources to protect it
- The Office of Civil Rights (OCR) should better communicate the details of its audits
- Health care organizations should better communicate with each other
- OCR should establish a universal HIPAA certification system
- The health care sector should embrace cyber insurance
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. It consists of Title I and Title II. Title I describes health care access, portability, and renewability. Title II describes the administrative measures that protect against fraud and abuse. With the rise in data breaches in the healthcare industry, Title II is where IT professionals need to spend most of their time revamping their network security. To learn more about the existing HIPAA regulations regarding technical safeguards, click here.
Although the Technical Safeguards section does not explicitly state what actions need to be taken to ensure a secure network, it provides these guidelines for the audit:
- Access Control
- Audit Controls
- Person or Entity Authentication
- Transmission Security
It is the job of the IT Administrator, or a person in a similar position, to interpret these guidelines and create a secure network environment for the employees and patients who have records on their network. “Person or Entity Authentication” refers to the username and password that an employee enters when accessing the company network. Employee usernames often follow a predictable format; for example, Mark Simpson becomes the username MSimpson. Passwords, therefore, must be complex and secure so that hackers are not able to breach the network. A recent study shows that 63% of all data breaches were caused by weak, default, or stolen passwords. That’s over half!
The evidence provided in this post should be enough motivation for IT professionals, not just in the healthcare industry but in all industries, to increase their network security. Weak passwords are the #1 reason why healthcare organizations are being hacked. Are you in the healthcare industry, and do you have software in place to prevent weak passwords like Password1 and Summer2015? If you’re not on the list below, then that’s a NO! The built-in Windows password complexity policy accepts both of these passwords.
Numerous healthcare organizations have already adopted the nFront Password Filter to prevent weak and easily hacked passwords on their network; it’s time for you to do so as well!
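As an added illustration (not code from this post or from the nFront product), here is a small Python model of the Windows complexity rule showing why Password1 and Summer2015 pass it, next to a stricter check that layers a constructed banned-word list and a season-plus-year pattern on top. The account name msimpson and full name Mark Simpson follow the example above; the fifth Windows character class (other Unicode letters) is omitted as a simplifying assumption.

```python
import re

# Four ASCII character classes; Windows also counts a fifth (other Unicode
# letters), which this example omits (assumption).
CLASSES = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())

# Constructed sample list of base words a stricter filter should reject outright.
BANNED_BASES = {"password", "welcome", "letmein", "qwerty", "hospital", "clinic"}
# Season name followed by a two- or four-digit year, optionally trailing symbols.
SEASON_YEAR = re.compile(r"^(spring|summer|fall|autumn|winter)(19|20)?\d{2}[^a-z]*$", re.I)
# Common letter-for-symbol substitutions, undone during normalisation.
LEET = str.maketrans("0134$@!", "oieasai")


def windows_complexity(password: str, account: str, full_name: str) -> bool:
    """Approximates the Windows 'Password must meet complexity requirements'
    policy: no account name, no full-name part longer than two characters,
    at least six characters, and characters from three of the classes above."""
    low = password.lower()
    if account and account.lower() in low:
        return False
    for part in re.split(r"[,.\-_ #\t]+", full_name):
        if len(part) > 2 and part.lower() in low:
            return False
    if len(password) < 6:
        return False
    return sum(any(f(c) for c in password) for f in CLASSES) >= 3


def hardened_check(password: str, account: str, full_name: str, min_len: int = 12):
    """Dictionary and pattern checks on top of the Windows rules.
    Returns None when the password is acceptable, otherwise the reason."""
    if not windows_complexity(password, account, full_name):
        return "fails Windows complexity rules"
    # Strip the trailing digits/symbols users append, then undo substitutions,
    # so 'P@ssw0rd2019!' normalises to the base word 'password'.
    base = re.sub(r"[^A-Za-z]+$", "", password).lower().translate(LEET)
    for word in BANNED_BASES:
        if word in base:
            return f"contains banned base word '{word}'"
    if SEASON_YEAR.match(password):
        return "season followed by a year"
    if len(password) < min_len:
        return f"shorter than {min_len} characters"
    return None


if __name__ == "__main__":
    for pw in ("Password1", "Summer2015", "P@ssw0rd2019!", "Blue7 kettle whistles!"):
        print(pw, windows_complexity(pw, "msimpson", "Mark Simpson"),
              hardened_check(pw, "msimpson", "Mark Simpson"))
```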
Here are a few of our customers that are in the healthcare industry who currently use our software: