Cybercrime costs the U.S. economy billions of dollars each year, and healthcare organizations are the most frequently attacked form of business.[1] In fact, in 2017, more than half of all cyberattacks were directed against the healthcare sector.[2] Cybercriminals target healthcare for two main reasons: healthcare organizations fail to upgrade their cybersecurity as quickly as other businesses, and criminals find personal patient information particularly valuable to exploit.
The theft of unencrypted electronic devices or physical records is the most common method of breach, accounting for 29 percent of breaches across all industries in the United States.[2] Also common are hacking (23 percent) and public distribution of personal records (20 percent).
Cybersecurity is no longer just an IT issue; every employee needs to do their part. Ninety-five percent of successful breaches occur because an employee clicks a bad link.
Ransomware attacks, in which a business's or individual's computer system is held hostage by cybercriminals, are also on the rise in hospitals and medical practices. Preparation and prevention are key for these types of attacks: if not prepared, a hospital system will only have two options, pay or lose patient information.
The repercussions of security breaches can be daunting. A business that suffers a breach of PHI must report the breach to the U.S. Department of Health and Human Services' Office for Civil Rights (OCR). This is the federal body with the power to enforce the Health Insurance Portability and Accountability Act (HIPAA) and issue fines. To date, the OCR has levied over $78 million in fines,[3] more than tripling the $25 million in fines it had levied as of 2014.[4] In 2017, U.S. healthcare data breaches cost companies an average of $380 per record, the highest of any industry.[5]
A healthcare organization's brand and reputation are also at stake. The OCR maintains a searchable database (informally known as a "wall of shame") that publicly lists all entities that were fined for breaches that meet the 500-record requirement.[6]
Beyond the financial and security risks, cyberattacks can also compromise patient safety and quality of care.
Additional Cybersecurity Resources
American Hospital Association
National Institute of Standards
Security Risk Assessment
U.S. Department of Health and Human Services
Addressing Gaps in Cybersecurity: OCR Releases Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework.
DHHS Office for Civil Rights
HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework
The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider considering the circumstances of the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.