In 2020 over 28 million medical records were breached. Pair that number with 2020 having the largest scale pandemic the world has seen in close to one hundred years, it is fair to say that medical companies may have been a little distracted during this time and were not putting the full focus on their cyber security. Though this is not the first-time medical facilities have been compromised, each year breaches increase, and personal medical files of millions of people are jeopardized.
The largest healthcare data breach of 2020 was a ransomware attack on the cloud service provider Blackbaud Inc. The actual number of records exposed and obtained by the hackers has not been made public, but more than 100 of Blackbaud’s healthcare clients were affected and more than 10 million records are known to have been compromised. The breach does not appear on the OCR breach portal, as each entity affected has reported the breach separately.
Prior to deploying ransomware, the hackers stole the fundraising and donor databases of many of its clients which included information such as names, contact information, dates of birth, and some clinical information. Victims included Trinity Health (3.3 million records), Inova Health System (1 million records), and Northern Light Health Foundation (657,392 records).
- Journal, H. (2021, March 3). 2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020. HIPAA Journal. https://www.hipaajournal.com/2020-healthcare-data-breach-report-us/
Having an airtight cyber security plan that is also Hipaa compliant, several steps must be taken to make sure that the medical data in your facility is properly protected. Over the next couple of blogs, we will be focusing on how to secure medical data in your facility.
A managed service provider is a company that provides a computing platform for businesses and organizations to manage their IT infrastructure. MSP’s will manage firewalls, servers, routers on a subscription basis. Depending on your company’s needs your pricing may vary. Each company will have a unique set-up for their business. However, hiring an MSP is becoming more vital for manufacturing businesses of all shapes and sizes as we live in the ever-evolving world of hacker’s, ransomware, and data attacks. Here is how an MSP can bring better security to your medical facility.
When building a cyber security plan, you will start with bringing a company in to help these steps go smoother. Once you have established the company you are partnering with you will begin to focus on identifying anything and everything that information moves through, throughout your facility. Here are just a few things you will be looking for.
- Physical devices will need to be inventoried and organized. This is taking a detailed inventory of every device, service or software within the facility and making sure it is up to date, or not already corrupted by ransomware or viruses.
- All external information within the systems must be cataloged. This is documents, medical records, financial records, insurance records etc. Anything that has personal identifying information of anyone that comes through the facility.
- Resources and hardware must be prioritized based on importance and business value. Updating hardware on computers and other devices or supplying newer safer tools for the security and safety of shared information.
- Software platforms within the facility will be inventoried and security measures reinforced.
- Your facility’s determination of risk evaluation. Which is evaluating all access points and assuring they are secure, but also actively checking to be sure that these back doors are being tested to assure security. This is where the help of an outside company would come into play to help keep everything secure.
- Vulnerability of information shared or received through forums and other sources. Such as email, fax etc. There is always the possibility your facility may be receiving information from another medical source that is not secure, which means files may come with viruses attached to them and corrupting your systems. You want to assure us that all documents coming in or going out are secured and uncorrupted.
- All threats that have taken place whether internally or externally must be identified kept on record to ensure future security measures stay in place.
This is just a few of the internal assessments you will have to make within your facility to assure that your facility is staying not just Hipaa compliant but to ensure your facility’s integrity.
However now that we have identified risks within the facility, our next step is to take strong protection measures.
Protecting your servers, software, computers, and other important devices that transmit vital patient data you will have several areas to focus your attention on to secure your systems. Here are a few examples.
- Priority Information
Certain information will go through specific hands and transitions while it’s particularly important that it will not pass-through others who are not qualified or designated to handle them. Creating a protocol for priority and sensitive information ensures that only the correct people see and handle those documents. Training your staff to know the protocols that sensitive information goes through is imperative to the safety and security of those documents.
- Upper Management Knowledge
Ensuring that the highest level of executives within the facility know the protocols and security measures that need to be implemented into the facility is vital to success. Upper management needs to educate themselves on the processes of security within the facility and deliver clear communication of security protocols through each level of the facility.
- Training Staff.
The most crucial step of all is training all your staff in security measures and standards. Safety at its base level must be prioritized to ensure quality assurance and understanding of security expectations. Taking the time to fully educate all current and incoming staff members of important non-negotiable security standards is the biggest step for success.
Physical and virtual accesses must be proactively managed and frequently assessed for breaches.
Credentials and special accesses must be properly designated at every security level. Assuring that all credentials are reserved for the correct individuals and accesses is not commonly shared among a group of staff. Everyone should have separate and secure credentials and access to specific information based on their authorized level.
- Remote Access.
Remote access should be monitored and kept at a minimum
- Employee Security Measures
Building a culture within your staff to bring security of information as a top priority. Ensuring that all employees are using two factor authentication (2fa), a password keeper and being wary of phishing emails, creates tighter security around patients’ information.
Astoria is a high-level MSP; our goal is to build a plan that helps you be successful. Looking at your medical facility as a whole and narrowing our attention to the details to assure the most vulnerable parts of your system is now the strongest.
Contact us today at 330.680.6002 or on our website www.trustastoria.com.