Healthcare Professionals are most vulnerable to a data breach. Why?
February 8, 2022
The health sector has long been a frequent and favoured target of attackers. And with the transition to virtual care, cybercrime against healthcare providers worldwide has exploded. Medical facilities of all kinds—hospitals, research agencies, independent practices, wellness centres, and more—have been disproportionately preyed upon as practitioners have worked nonstop to combat the pandemic, with ransomware infections and phishing campaigns surging in particular.
But why are Healthcare Professionals vulnerable? What are the risks? What do they mean for you and your patients? And above all, how can you keep your patients, their data, and your practice safe? Keep reading to learn more.
Disclaimer: Please note that the information provided herein offers guidelines only. It is not exhaustive and does not constitute legal, insurance, or cybersecurity advice. For more guidance, please consult a lawyer, a licensed insurance representative, and/or a cybersecurity specialist.
What’s a privacy breach?
A “breach of security safeguards” is the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.
Bear in mind: this definition includes unauthorized access that may not necessarily lead to disclosure. That means any instance of someone hacking into your systems and obtaining personal health information (PHI), like a ransomware or formjacking attack, would be considered a breach, even if the data isn’t leaked, released, or posted online anywhere.
Why are Healthcare Professionals vulnerable?
Given the value of private health data and society’s growing reliance on technology to provide care, the pandemic has only exacerbated a growing trend towards attacks on healthcare organizations. Here’s why:
Personal health information (PHI) is highly coveted by cybercriminals since it opens up opportunities for social engineering exploits, identity fraud schemes, fake insurance claims, and more. Even a single practice may have access to hundreds of names, birthdates, addresses, banking details, and more.
Although records have become increasingly digitized in recent years, smaller, independent practices generally have minimal budget to upgrade outdated operational tech or antiquated software. Additionally, most healthcare practices have little in-house IT support and are often too overworked to regularly back up data, making them an attractive target.
When it comes to ransomware, cybercriminals usually go for healthcare organizations because they know providers will pay up to protect their patients. They also know that most Healthcare Professionals need immediate access to their data depending on the kind of care that they offer. In a hospital or a critical care facility, the loss of medical information for an extended period of time could have catastrophic repercussions for patient care.
Healthcare environments are hectic and often stressful. Even the best of clinicians might accidentally misenter information or miss a privacy protocol, especially in situations where speed and efficiency can make all the difference. The main culprits? Improper disposal of records and lost or stolen mobile devices, tablets, and laptops.
Millions of Healthcare Professionals have shifted to offer online services where possible over the last two years. And while virtual care is an acceptable and necessary substitute for in-person services, hackers can now gain entry to sensitive data through unsecured home Wi-Fi networks and unencrypted connections.
Human error also applies to patients; you might be secure on your end, but if you’re working virtually, it can be hard to help patients to adapt to new technologies and telehealth platforms. Mistakes are inevitable—and you might not be as protected as you think.
What are the effects of a breach on Healthcare Professionals?
In addition to being the most targeted industry, Healthcare Professionals also suffer the greatest damages following a privacy breach. According to IBM’s 2021 Cost of a Data Breach Report, healthcare has taken the top spot for breach costs for the eleventh year in a row; average breach costs are at $9.23 million USD per event, a 29.5% rise from $7.13 million in 2020.
Why are breaches so costly?
If a Healthcare Professional fails to safeguard, retain, or dispose of PHI under their custody—if they’re found negligent in the event of a breach—they could be liable for up to millions of dollars in fines under various pieces of privacy legislation.
On average, records involving personal information cost about $161 per lost record to recover; healthcare records specifically tend to cost upwards of $400. That means if even 100 of your patients or clients are affected, you’ll already be out a minimum of $40,000 in breach expenses. Plus, breach cleanup usually includes fees for legal counsel and defence, data restoration, public relations assistance, credit monitoring, and more.
Healthcare breaches also tend to last the longest, with the average time between first detection and containment being 329 days. In comparison, the average lifecycle of a breach for non-healthcare organizations is 280 days. If you needed to shut down to conduct forensic investigations or attend legal hearings, could your practice comfortably close for that long without jeopardizing patient care or losing clients?
Diminished goodwill, bad press, and loss of trust may arguably do more long-term damage than remediation costs, especially since patients typically have higher standards and expectations for privacy from Healthcare Professionals.
How can Healthcare Professionals protect PHI?
We know that as a Healthcare Professional, you might not have the time, resources, or even the energy to consider any drastic changes to your existing security measures. But you should never compromise on patient safety—and protecting PHI is crucial to providing effective and ethical care, especially in our current global climate. Plus, it’s better to prepare now than to pay later with your profits, your practice, and above all, your patients’ trust.
With privacy breaches on the rise, it’s imperative for all healthcare organizations to take a more disciplined approach to privacy management to avoid major financial, legal, and reputational loss. Not sure where to begin? The tips below can help you get started.
1. Improve your digital hygiene.
Minimizing your risk of a breach minimizes your costs—including any regulatory fines levied by your federal or provincial Privacy Commissioner. Implement physical, administrative, and technical safeguards to protect records from unauthorized viewing, use, or disclosure. Basic defenses include:
- Use lockable filing cabinets and ID cards to control and limit access to areas where PHI is stored.
- Add extra layers of protection to all networks and devices, such as firewalls, antivirus software, and multi-factor authentication (MFA).
- Encrypt all digital records, including data-at-rest and data-in-transit, and routinely back up your information to a secure offline location.
- Practice good password etiquette.
- Keep systems up-to-date with the latest security patches.
- Regularly monitor your systems for suspicious activity.
- Ensure that all security mechanisms, policies, and practices are compliant with the relevant institutional and professional regulations in the jurisdiction where services are provided.
- Use virtual platforms that:
  - Offer end-to-end encryption;
  - Prohibit external access to private conversations; and
  - Do not record or capture data without regulatory approval and your patient’s consent.
- Develop tailored incident response and business continuity plans in case of a breach.
For more guidance on cybersecurity measures, check out our helpful resources:
- How to Keep Employees Cyber-Safe While Working From Home
- How Can Healthcare Professionals Manage the Risks of Virtual Care?
- Prepare Now or Pay Later: How Can Businesses Mitigate the Risk of Ransomware?
- Cyber Security & Privacy Breach Toolkit
- Sink or Swim: How Can Businesses Survive the Cybercrime Tsunami?
2. Consult an expert.
The nature of your safeguards will vary based on your organizational context, including the sensitivity of the information and the services provided. After all, a medical laboratory will require a different security strategy than a hospital, a pharmacy, or a research firm.
Be sure to seek specialized legal counsel for advice specific to your organization’s needs, operations, and budget. A privacy or cybersecurity expert will help you navigate the changes, adhere to privacy laws, and be ready for any future amendments.
3. Build a cyber-aware workforce.
Remember, most healthcare breaches are caused by human error, which can undermine even the strongest of security efforts. Be upfront with your staff about your risks and regularly review privacy policies. Provide regular security awareness training on:
- The appropriate collection, use, and disclosure procedures for PHI;
- How to use software and healthcare platforms safely;
- What cyber threats your organization faces and how to identify them;
- How to spot phishing scams and report suspected emails to IT; and
- How to recognize and report signs of a data breach.
Additionally, all staff should be aware that any snooping or unauthorized viewing on their part can result in disciplinary action, reports to their regulatory College, complaints to the appropriate Privacy Commissioner, and criminal prosecutions for serious offences.
4. Reach out to your broker.
A licensed broker like PROLINK can help you plan and protect. We can share what steps others in the healthcare industry are taking and advise you based on your operations and unique needs to help you become resilient in the face of attack. For maximum protection, we can also align you with a specialized Data Security and Privacy Breach Insurance solution to help you offset some of the financial loss from legal fees, damages, and associated expenses.
Keep in mind: even if you do everything in your power to safeguard PHI, a third party could still infiltrate your systems through illegal means. And if your organization suffers a breach, your general liability policies won’t cover you—they’re not specifically designed to address privacy risk. But standalone coverage will respond quickly and effectively whether you’re dealing with a major cyberattack, a lost briefcase, or a snooping employee.
Plus, a dedicated policy helps you access:
- Funds for legal expenses and third-party damages;
- An IT forensic investigations team to help you determine the size and scope of the breach;
- A breach coach to advise you on regulatory compliance, guide you through the legal process of navigating a breach under attorney-client privilege, and tell you what to report, how, and when;
- Funds to set up credit monitoring and client notification for affected parties; and
- A team of PR consultants to help you manage reputational harm.
To learn about your exposures—and how you can protect yourself—connect with PROLINK today!
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.