CSI Cyber-Security for Health Care Providers

What’s Happening with Health Care and Cyber-Security?

Health care institutions are increasingly becoming targets for cyber criminals interested in stealing Protected Health Information (PHI). According to the Ponemon Institute Report (1), 94% of health care institutions have been through a cyber-attack. With the government push for Electronic Health Records, PHI has become a more attractive and easier-to-access target. PHI records sell on the black market for between $20 and $500 per record, according to a white paper by Absolute Software (2). Most of this information is then used to perpetrate fraud schemes on reimbursement programs, to the tune of millions of dollars lost. A 2014 report from The SANS Institute (3) indicated that 50,000 security events happened to health providers of all types and sizes between September 2012 and October 2013, and many remained unaware that they had been hacked until SANS uncovered irrefutable evidence of cyber incursions.

What Happens to Health Care Providers Whose Security Is Breached?

Data breaches for health care organizations have been very costly, not only in terms of data loss and reputation impact, but in terms of fines/penalties from the FTC, lawsuits and reduction in business (2).

A few examples:

  • Minnesota AG HIPAA-HITECH settlement with the state’s attorney general: $2.5 million, plus a $14 million class action settlement, plus an estimated $22-25 million in lost business
  • WellPoint in Texas agreed to a $1.7 million settlement with the Office of Civil Rights for privacy violations related to data lost through a stolen, unencrypted portable
  • State of Alaska paid almost $1.7 million in fines for Health Care Data compliance/security violations in 2012

This type of financial impact can put a health care provider into the red for years, or even completely out of business.

How Can CSI Help You Protect Yourself?

CSI can help you keep your data protected and help you stay in compliance through a Security Risk Assessment of your processes, systems and devices.

  • The most frequent point of entry was lost/stolen/unencrypted portables and mobile devices used by Health Care Employees for remote work. CSI can help you set up proper protection on a variety of mobile devices used by your employees, so even if the device is lost or stolen, your data remains protected
  • CSI can run an External Penetration Report, showing points of vulnerability in your computer network, and can help plug those gaps for you
  • CSI can review your processes and protocols and firm up weak guidelines that could lead to lost/stolen data
  • Our knowledge of health care and IT can help you fix gaps you may not even have thought of. For example, data breaches have been known to occur through radiology and imaging software, video conferencing software, online health monitoring devices, social media, VPN (remote access to your network) applications, and even Voice over IP phone service.

CSI can help you pinpoint your areas of vulnerability and help you develop a plan that keeps your data and your organization safe and secure.

Sources:

  1. http://www.ponemon.org/blog/2014-a-year-of-mega-breaches-1, accessed February 18, 2015
  2. http://www.absolute.com/en/resources/whitepapers/cost-of-a-healthcare-data-breach, accessed February 18, 2015
  3. http://pages.norse-corp.com/rs/norse/images/Norse-SANS-Healthcare-Cyberthreat-Report2014.pdf, accessed February 18, 2015