The Most Essential Cybersecurity Practice Healthcare Organizations Should Adopt in the Post-COVID Era
Medical facilities, physicians, nurses, pharmacies and other business associates working closely with medical professionals have to handle electronic protected health information (e-PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in the US. The HIPAA Security Rule is designed to protect electronic patient information, and a violation can result in financial penalties of up to $1.8M. Moreover, according to IBM’s Cost of a Data Breach Report (2022), compliance failure is among the top three factors that increase the average total cost of a data breach, adding $26k, which is why healthcare organizations dealing with e-PHI cannot avoid seeking compliance with the HIPAA Security Rule. Under HIPAA, e-PHI comprises all PHI in electronic format, such as the patient health record (including past and current health histories and lab test results) as well as medical bills. In general, all health information that includes individual HIPAA identifiers is considered PHI. In order to comply with the HIPAA Security Rule, healthcare organizations are obliged to implement administrative, physical, and technical safeguards that detect threats to and protect the security of that information. These safeguards ensure the protection of e-PHI from unauthorized access, disclosure, and modification.
In order to protect e-PHI, the security of the database that stores the e-PHI is essential. Nowadays, electronic medical records are mostly stored in cloud databases and shared within and between different health organizations. For example, as of 2021, cloud computing was the number one technology deployed in healthcare organizations in the US, reaching 78%, with up to a further 20% considering its deployment in the near future. (COVID-19 also contributed to the increase in cloud usage.) The healthcare Software as a Service (SaaS) market is gaining momentum as well, with North America accounting for the largest revenue share in the market, over 47%, in 2020. It’s not surprising that cloud usage is increasing given the industry’s reliance on information technology (IT) for patient care, disease modeling, vaccine development, and healthcare governance. Since healthcare apps and websites that deal with PHI are also among the entities that must comply with the HIPAA Security Rule, cybersecurity becomes vital for them as well.
Despite the evident significance of a strong security system and proper PHI handling regulations, there are healthcare entities that neglect them and consequently suffer cyber breaches and huge fines. The largest ever fine for HIPAA violations was paid by Anthem Inc., an American health insurance company, in 2018, after the Office for Civil Rights (OCR) discovered potential violations of the HIPAA Security Rule during its investigation of a 2015 data breach affecting 78.8M records. Anthem Inc. paid $16M in settlement to resolve the case. Another data breach, in 2016, involving almost 10.5M individuals led Premera Blue Cross, a not-for-profit health insurance provider, to settle potential violations of the HIPAA Rules in 2020 by paying a $6.9M penalty. Excellus Health Plan, another insurance company, also agreed to pay $5M to resolve HIPAA violations identified as contributing to the 2015 breach of nearly 9.4M individuals’ PHI.
In addition, the healthcare industry was found to have the highest average cost of a data breach, $10M, for the 12th year in a row. The pharmaceutical sector ranked third, with an average data breach cost of $5M in 2022. Moreover, organizations with a high level of compliance failure paid $2.3M more on average than those with a low level of compliance failure.
In conclusion, healthcare organizations are vulnerable to data breaches, and thus it is crucial for them to comply with HIPAA regulations and protect PHI properly. So how can these organizations protect their PHI? Encryption is one of the recommended solutions. In fact, the HITECH Act of 2009 modified the HIPAA data breach rule by stating that if a device containing PHI is lost or stolen, the loss is not reportable as a HIPAA data breach if the data is encrypted in compliance with data encryption guidance from the National Institute of Standards and Technology (NIST).
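As an added illustration (not code from the original article or from any product it describes), the following Go program shows what "encrypted at rest" means in practice for a single PHI record: the kinds of fields the article lists as PHI are serialised and sealed with AES-256-GCM, a NIST-specified authenticated-encryption mode, with the record identifier bound as associated data so that a ciphertext cannot be moved to another patient's row without detection. The PHIRecord type, the record-ID scheme and the sample values are assumptions constructed for the example. The data key is generated in memory here; a real deployment would hold it in a key-management service separate from the stored data, because the safe-harbor argument only holds if the key is not lost together with the device.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// PHIRecord holds the kinds of identifiers the article lists as PHI.
// The field set is an assumption made for this example.
type PHIRecord struct {
	Name        string `json:"name"`
	DateOfBirth string `json:"dob"`
	Address     string `json:"address"`
	SSN         string `json:"ssn"`
	PlanNumber  string `json:"plan_number"`
}

// NewDataKey returns a fresh 256-bit AES key from the OS CSPRNG.
// In production the key would come from a KMS/HSM and never be stored
// next to the ciphertext; here it is generated in memory for the demo.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord serialises rec and seals it with AES-256-GCM.
// recordID is bound as associated data: it is not encrypted, but the
// authentication tag covers it, so decrypting under a different ID fails.
// Output layout: nonce || ciphertext || 16-byte tag.
func EncryptRecord(key []byte, recordID string, rec PHIRecord) ([]byte, error) {
	plaintext, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A random 96-bit nonce per record: GCM security collapses if a nonce
	// repeats under the same key, so never reuse or hard-code one.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord reverses EncryptRecord. Any change to the nonce, the
// ciphertext, the tag or the record ID makes Open return an error, so a
// tampered or misfiled row is rejected rather than silently decoded.
func DecryptRecord(key []byte, recordID string, sealed []byte) (PHIRecord, error) {
	var rec PHIRecord
	block, err := aes.NewCipher(key)
	if err != nil {
		return rec, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return rec, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return rec, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return rec, fmt.Errorf("integrity check failed: %w", err)
	}
	if err := json.Unmarshal(plaintext, &rec); err != nil {
		return rec, err
	}
	return rec, nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample values; not real patient data.
	rec := PHIRecord{Name: "Jane Sample", DateOfBirth: "1980-01-02",
		Address: "1 Example St", SSN: "000-00-0000", PlanNumber: "PLAN-0000"}
	sealed, err := EncryptRecord(key, "patient-42", rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext for patient-42\n", len(sealed))
	if _, err := DecryptRecord(key, "patient-43", sealed); err != nil {
		fmt.Println("row moved to another patient:", err)
	}
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	if _, err := DecryptRecord(key, "patient-42", sealed); err != nil {
		fmt.Println("tampered row:", err)
	}
}
```

The point a practitioner should take from the two failing calls in main is that encryption alone is not enough: a scheme without authentication (plain AES-CBC or CTR, for instance) would decrypt a swapped or bit-flipped record without complaint, so the integrity tag is what turns "the data is encrypted" into "the data is encrypted and has not been altered", and the key separation decides whether a lost device is a reportable breach at all.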
Learn more about how to encrypt PHI such as patients’ names, birthdays, addresses, social security numbers, health plan beneficiary numbers, etc., here.