How healthcare organizations can avoid and/or respond to a cyber breach

Cyberattacks on healthcare organizations, especially health systems, are increasing dramatically.

The philosophy of preparing for a breach if it happens is outdated – and risky. Instead, healthcare executives need to prepare their organizations for when they’ll be attacked by cybercriminals.

Assessing your organization’s controls through a risk assessment, SOC2 report or HITRUST certification, as well as having a plan to mitigate risk and deal with an attack's aftermath, all should be considered top priorities.

According to the Ponemon Institute (considered the preeminent research center dedicated to privacy, data protection and information security policy), a 2022 survey (cited by NBC News) of 100 healthcare facilities found that two-thirds of respondents who experienced ransomware attacks said the attacks not only disrupted patient care but also increased the length of patients’ stays.

Short of a HITRUST assessment (the gold standard), we’ve developed the following 13 tactics healthcare organizations can use to avoid a breach, mitigate the effects of inevitable cyberattacks and/or respond when one occurs:

  1. Annual security risk assessment — HIPAA recommends providers conduct an annual security risk analysis for vulnerability detection and policy review.
  2. Limit access to health records — Ensure that you have secure and effective access permissions, based on user role, so that only those healthcare specialists who work with medical records can access them.
  3. Consistent security awareness training — Employees are potentially your greatest weakness and greatest asset; the single best security investment is consistent security awareness training for your workforce.
  4. Document your incident response plan — Creating and implementing a response plan is essential in helping your practice avoid escalations when a breach or incident occurs. This plan will give you clear guidelines for the necessary decisions and follow-up measures.
  5. Create subnetworks — Cyber experts recommend dividing your wireless network into separate subnetworks for different user groups, such as patients, visitors, personnel and medical devices.
  6. Restrict the use of personal devices — Allowing personal devices to be used for work has additional risks, especially in healthcare. If your employees are allowed to bring and use their own phones or other electronic devices for work, create a clear, strict policy that outlines which devices they can use on and outside the network and how to connect them to the network.
  7. Update your software regularly — Frequent software updates correct known bugs in your systems and lower the risk of cyberattacks.
  8. Monitor your vendors — When choosing third-party vendors that will need access to patient data, verify that they comply with HIPAA and other applicable laws. Also, have an attorney review your SLAs to ensure that your organization is the sole owner of the data and you can instantly revoke access when the contract is terminated.
  9. Avoid using outdated IT infrastructure — Older equipment is more likely to be breached. Consider replacing outdated devices to reduce the risk of data breaches.
  10. Encrypt data — According to HIPAA rules, if encrypted data is compromised, it’s not considered a breach. Encryption technologies can significantly help mitigate the consequences of cyberattacks. Encrypting your data now can potentially save your practice from steep government penalties.
  11. Set and enforce retention schedules — A retention schedule is critical to ensure that electronic health records containing sensitive information are kept in the digital environment for as long as required, and no longer. HIPAA requires six years, but some state laws have a 10-year statute of limitations. Specifically define what to keep, for how long and where it’s to be kept.
  12. Destroy sensitive information that doesn’t need to be retained — Some confidential information can be securely destroyed. Consider hiring a reputable document destruction company to ensure sensitive information can’t be accessed.
  13. Invest more in your security — The mantra shouldn’t be “invest in security if we get attacked.” Instead, invest in security in preparation for when you get attacked. It’s critical to have not only advanced network security tools, but also strong IT and legal teams.

Again, the best preventive measures are a HITRUST assessment for your organization and ensuring that your vendors are also HITRUST certified. However, implementing these 13 tactics will significantly mitigate the risk of a cyberattack.

Contact our Mazars healthcare team today to discuss becoming HITRUST certified.

The information provided here is for general guidance only, and does not constitute the provision of tax advice, accounting services, investment advice, legal advice, or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal or other competent advisers.
