The largest healthcare security breaches of late have been at payer organizations (e.g., Anthem), but the recently announced Beacon Health System breach of 220,000 patient records is a reminder that providers are targets too. In fact, providers are attacked far more often: cyber criminals go after providers large and small to gain access to personally identifiable information (PII) and protected health information (PHI). One characteristic common to recent breaches is the use of "phishing" emails that carry either a malware attachment or a link to a site built to collect login credentials.
For instance, at Beacon Health System the attacker gained access to employee email accounts after employees were fooled into disclosing their login credentials. Those mailboxes contained, among other things, patient names, dates of birth, social security numbers, diagnoses and related treatment information.
The cost of a breach is steadily increasing. The Ponemon Institute's 2015 Cost of Data Breach Study reports that the average cost of a data breach in the United States is now $217 per record, and that costs for healthcare organizations reach as high as $363 per record. The good news is that there are methods to reduce the likelihood your organization will fall victim to one of these attacks:
- Educate your users about phishing and malware, especially the common tell-tale signs ("off" fonts or colors, misspellings, links whose real destination is an unrelated site, or requests to "validate credentials"); teach them to hover over a link and check where it actually points before clicking; and encourage them to report phishing emails, especially when they believe they "may have clicked on something";
- Install, configure, and continuously monitor anti-spam, anti-phishing and anti-malware controls, and keep their signatures and rules current;
- Implement layers of security so that you can identify, protect against, detect, respond to and recover from attacks that arrive through email, web sites, downloaded files, or other Internet traffic (the five functions of the NIST Cybersecurity Framework); and
- Consider implementing an anomaly detection solution capable of flagging logins and data accesses that fall outside each user's normal pattern, for example a login from an unfamiliar location or at an unusual hour, or access to far more patient records than that user normally touches.
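As an added example that is not from the article and not any RubinBrown product, the Python below sketches the last recommendation: it builds a per-user baseline (known source IPs, hours of activity, largest number of records touched) from constructed audit-log lines dated before a cutoff, then flags later events that deviate from that baseline. The log format, the field names, the thresholds and the sample entries are all assumptions made for this example.

```python
"""Baseline-and-deviation checks for logins and patient-record access.

Added example for this article; not the article's own code or a product.
The audit-log format is an assumption made for the example:
    <ISO-8601 timestamp> <user> <source IP> <action> <records touched>
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample audit lines (not real data). jdoe's 3 June activity is a
# credential-theft pattern (new IP, 02:00, 840 records); asmith is routine;
# rlee has too little history to judge.
SAMPLE_LOG = """\
2015-06-01T09:02:11 jdoe 10.20.1.15 login 0
2015-06-01T09:10:40 jdoe 10.20.1.15 record_access 12
2015-06-01T13:22:05 jdoe 10.20.1.15 record_access 9
2015-06-02T08:55:30 jdoe 10.20.1.15 login 0
2015-06-02T10:03:17 jdoe 10.20.1.15 record_access 15
2015-06-02T15:41:00 jdoe 10.20.1.15 record_access 11
2015-06-03T02:14:52 jdoe 198.51.100.77 login 0
2015-06-03T02:20:09 jdoe 198.51.100.77 record_access 840
2015-06-01T08:30:00 asmith 10.20.2.40 login 0
2015-06-01T11:05:12 asmith 10.20.2.40 record_access 20
2015-06-02T08:27:45 asmith 10.20.2.40 login 0
2015-06-02T16:48:03 asmith 10.20.2.40 record_access 18
2015-06-03T08:31:19 asmith 10.20.2.40 login 0
2015-06-03T09:15:44 asmith 10.20.2.40 record_access 25
2015-06-02T14:00:00 rlee 10.20.3.9 login 0
2015-06-03T03:00:00 rlee 203.0.113.5 record_access 500
"""

MIN_BASELINE_EVENTS = 3   # fewer prior events than this and "normal" is unknown
VOLUME_MULTIPLIER = 5     # records touched > 5x the user's previous maximum
HOUR_TOLERANCE = 1        # an hour adjacent to a previously seen hour is still normal


@dataclass
class Event:
    ts: datetime
    user: str
    src_ip: str
    action: str
    records: int


@dataclass
class Baseline:
    ips: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    max_records: int = 0
    count: int = 0


def parse_log(text):
    """Parse the assumed line format into Events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, records = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, ip, action, int(records)))
    return sorted(events, key=lambda e: e.ts)


def build_baselines(events, cutoff):
    """Per-user profile built only from events strictly before the cutoff."""
    baselines = defaultdict(Baseline)
    for e in events:
        if e.ts < cutoff:
            b = baselines[e.user]
            b.ips.add(e.src_ip)
            b.hours.add(e.ts.hour)
            b.max_records = max(b.max_records, e.records)
            b.count += 1
    return baselines


def hour_is_unusual(hour, seen_hours):
    # Circular distance so that 23:00 and 00:00 count as adjacent hours.
    return all(min(abs(hour - h), 24 - abs(hour - h)) > HOUR_TOLERANCE
               for h in seen_hours)


def score_event(e, b):
    """Return the list of reasons an event deviates from the user's baseline."""
    if b is None or b.count < MIN_BASELINE_EVENTS:
        return ["no_baseline"]          # cannot score; route to manual review
    reasons = []
    if e.src_ip not in b.ips:
        reasons.append("new_source_ip")
    if hour_is_unusual(e.ts.hour, b.hours):
        reasons.append("off_hours")
    if e.action == "record_access" and e.records > VOLUME_MULTIPLIER * b.max_records:
        reasons.append("bulk_access")
    return reasons


def detect_anomalies(log_text, cutoff_iso):
    """Score every event at or after the cutoff against pre-cutoff baselines."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    events = parse_log(log_text)
    baselines = build_baselines(events, cutoff)
    alerts = []
    for e in events:
        if e.ts < cutoff:
            continue
        reasons = score_event(e, baselines.get(e.user))
        if reasons:
            alerts.append((e.ts.isoformat(), e.user, reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in detect_anomalies(SAMPLE_LOG, "2015-06-03T00:00:00"):
        print(ts, user, ", ".join(reasons))
```

Two caveats a practitioner would want: a user with too little history (rlee above) cannot be scored, so the example reports such events as no_baseline for manual review rather than silently passing them; and the thresholds are illustrative and must be tuned against real volumes, or busy clinicians will generate constant false positives. In a real deployment the inputs would be the EHR audit log and the mail server's authentication log rather than a text blob, and "new source IP" would usually be refined to "new location or device".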
If you have questions or need assistance, please feel free to contact your RubinBrown advisor or any of our Cyber Security Risk Services professionals.