As we enter a new year, it’s a good time to review the status of data breaches, HIPAA hazards, and the state of security risk with some statistics:
- The average cost of a data breach in the United States is $9.05 million. The average cost is higher in organizations with greater compliance failures.
- Only 25% of employees are “very confident” they can identify a social engineering attack.
- 76% of healthcare employees have received security awareness training. That means 24% have not.
- 24% of employees believe “clicking on a suspicious link or attachment in an email represents little or no risk.”
- Only 31% of employees think “allowing family members of friends to use work devices for personal activities outside of work” is risky.
- In the past 12 months, 94% of organizations have had an insider data breach. The most common cause is human error.
- As many as 90% of data breaches are phishing attacks
It is always eye-opening to review the latest HIPAA stats – because they get colder and harder every year. Especially in healthcare.
What you can do
Do you know your HIPAA stats?
One way to find out how your organization compares is to conduct an internal survey about employees’ knowledge of data breaches and appropriate/inappropriate computer practices. Surveys can be a great starting point to build an effective, tailored training program to improve employee performance and reduce human error. Our compliance programs are only as strong as our weakest employees - and it's up to us to train them to get it right.
The human factor of a ransomware attack makes it extremely difficult to prevent. If a covered entity or business associate suffers a ransomware attack, it is presumed that a HIPAA breach has occurred. Are you prepared? The prevalence of ransomware attacks in healthcare makes it crucial to PLAN for a ransomware attack (rather than hoping one does not occur).
Here are some steps you can take:
- Obtain cyber insurance if you have not already done so.
- Conduct (and update!) your HIPAA Security Risk Analysis to reduce vulnerabilities.
- Test your backup. How long would it take you to get back online if ransomware disrupted your system?
- Verify you have a strong network monitoring plan. Phishing emails are examples of cybersecurity threats that easily bypass typical firewall and endpoint protection (anti-virus applications). Managed detection and response (MDR) identifies atypical network activity that may arise from a successful phishing attack and provides 24/7 outsourced security monitoring.
- Maintain a network audit log. Audit logs are a HIPAA requirement. An audit log provides a detailed record of network activity. It is virtually impossible for a threat actor to bypass audit logs. An audit log does not stop a threat actor, but will record their activity. A log management system will collect information from various network sources such as firewalls, antivirus applications, remote desktop and VPN, routers, workstations, mail servers, web servers, data servers and more. If a cybersecurity incident is suspected, the forensic investigation team (including legal) will ask for an audit log. The audit log will confirm an attack as well as provide detailed information on the depth of network intrusion, which is necessary to conduct a HIPAA breach investigation.
- Provide HIPAA stats to everyone at the Compliance Committee and Board levels. These indvidiuals should also know how the organization guards against ransomware attacks. Knowledge of the risks and organizational response provides valuable information for your leaders to make informed organizational strategic decisions.