Both patients and healthcare providers are feeling the impact of the coronavirus. As the pandemic spreads unprecedented uncertainty throughout the nation, patients are relying on providers more than ever.
While preventing the spread of the virus and treating those infected remains the top priority for medical systems, they must also consider the other implications as attackers begin to exploit the pandemic and the risk of data breaches increases.
Cybersecurity has remained a major concern in the healthcare industry over the last decade – and for very good reasons.
In 2019, a record 41 million patient records were breached, costing patients and providers hundreds of millions.
According to the 2018 IBM and Ponemon Institute Cost of a Data Breach study, healthcare data breaches cost an average of $408 per record, almost three times the cross-industry average of $148 per record.
In addition, healthcare providers that violate regulations such as HIPAA often face hefty fines. For example, Advocate Health Care Network paid a settlement amount of $5.55 million for multiple HIPAA violations.
Unfortunately, tough times like a global pandemic also result in increasing cybersecurity risks. Thankfully, there are also new standards to help guide medical practices so they can implement the proper measures to protect PHI from criminals.
Why the Cybersecurity Threat is Increasing
Hackers have already started to target patients and healthcare systems during this scary time. On Sunday, March 15, 2020, the U.S. Department of Health and Human Services (HHS) computer systems were hit by a cyberattack. Luckily, HHS reported that no data or systems were compromised.
“Early on while preparing and responding to COVID-19, HHS put extra protections in place. We are coordinating with federal law enforcement and remain vigilant and focused on ensuring the integrity of our IT infrastructure.”
-Caitlin Oakley, HHS Spokesperson
Scammers are also targeting patients directly in an attempt to capitalize on coronavirus fears. These hackers are posing as health authorities and providing fake coronavirus tracking maps that infect computers with malware once opened.
Even apart from pandemic-related panic, the healthcare industry is more exposed than most verticals. Providers handle a large volume of sensitive patient information (e.g., personal details, health history, insurance information) that is highly valuable to cybercriminals, and as a result attackers increasingly target healthcare organizations.
In addition, many healthcare networks have a large number of employees, which significantly widens the attack surface: it only takes one user clicking a malicious email attachment to introduce ransomware into the network, or leaving a device unlocked and accessible to criminals.
Last but not least, because the administrative cost of running a healthcare organization has been increasing dramatically, more and more practices are using third-party vendors to help them handle tasks such as billing, payment processing, and call center functions.
As a result, PHI is shared between healthcare practices and the many vendors they use. The sensitive information is transferred between and stored at many different locations, making the data even more vulnerable to hackers.
With all the increasing threats that seem unavoidable, what can you do to ensure that your PHI is protected to minimize cybersecurity risks?
How to Protect PHI in Your Medical Practice
In order to protect PHI and stay compliant with the various industry regulations, you should implement the latest cybersecurity best practices:
- Keep track of all the devices on your network, including personal smartphones and sensors on medical devices (IoT), as well as the information they have access to.
- Stay current with software patches and updates – exploiting vulnerabilities in software is one of the most common ways for hackers to gain access to a network.
- Implement access control so that only authorized personnel can gain access to sensitive information.
- Provide cybersecurity training to all employees and contractors so they can recognize and report suspected attacks (e.g., malware or “phishing”).
- Encrypt your data at rest (in storage) and in transit using current, well-reviewed encryption standards, and, where your platform supports it, while in use.
- Use reputable cloud computing platforms that employ teams of security experts to perform ongoing updates and maintenance, ensuring the safety of your patient data.
- Finally, if you’re outsourcing operational tasks to third-party vendors, you should make sure that they have the right security protocols and certification to help you stay compliant with industry regulations (e.g., HIPAA).
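As an added example of the access-control point above (not code from the original post or from MailMyStatements), the block below enforces minimum-necessary access to PHI by role and writes every attempt, allowed or denied, to a hash-chained audit log so that entries cannot be edited or deleted without detection. The roles, field names and the sample patient record are constructed for illustration and are not drawn from any real system.

```python
"""Added example: role-based, minimum-necessary access to PHI fields with a
tamper-evident (hash-chained) audit log. Roles, fields and the sample record
are illustrative assumptions, not real data."""
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical role -> fields that role may read (assumption: illustrative only).
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "dob", "insurance_id", "balance_due"},
    "front_desk": {"name", "dob", "phone"},
}

# Constructed sample record; contains no real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "dob": "1980-01-01",
    "phone": "555-0100",
    "diagnosis": "E11.9",
    "medications": ["metformin"],
    "insurance_id": "INS-12345",
    "balance_due": 125.00,
}

GENESIS = "0" * 64  # back-pointer of the first audit entry


class AccessDenied(PermissionError):
    """Raised when a role requests PHI fields outside its permitted set."""


def _digest(entry: dict) -> str:
    """SHA-256 over the canonical JSON of an entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the hash of the previous entry,
    so editing or removing any entry breaks verify()."""

    def __init__(self):
        self.entries = []

    def record(self, user, role, patient_id, fields, outcome, when=None):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user,
            "role": role,
            "patient_id": patient_id,
            "fields": sorted(fields),
            "outcome": outcome,
            "prev": prev,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry's hash and back-pointer are intact."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or _digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def read_phi(record, user, role, requested, audit):
    """Return only the requested fields the role is permitted to see.

    A request containing any field outside the role's set is denied as a
    whole (nothing is returned) and logged, so over-broad requests surface
    to reviewers instead of being silently trimmed.
    """
    allowed = ROLE_FIELDS.get(role, set())  # unknown role -> nothing allowed
    requested = set(requested)
    denied = requested - allowed
    if denied:
        audit.record(user, role, record["patient_id"], requested, "denied")
        raise AccessDenied(f"role {role!r} may not read {sorted(denied)}")
    audit.record(user, role, record["patient_id"], requested, "allowed")
    return {f: record[f] for f in requested if f in record}


if __name__ == "__main__":
    log = AuditLog()
    print(read_phi(SAMPLE_RECORD, "bob", "billing", ["name", "insurance_id"], log))
    try:
        read_phi(SAMPLE_RECORD, "bob", "billing", ["name", "diagnosis"], log)
    except AccessDenied as exc:
        print("denied:", exc)
    print("audit intact:", log.verify())
    log.entries[1]["outcome"] = "allowed"  # simulate someone editing the log
    print("audit intact after tampering:", log.verify())
```

In a real deployment the role-to-field map would come from your identity provider rather than a module constant, and the audit log would be written to append-only storage (or shipped to a SIEM) rather than kept in memory; the hash chain is what lets a reviewer prove the log they are reading is the log that was written.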
Why You Should Select HITRUST-Certified Third-Party Service Providers
Did you know that over 30% of patient data breaches involve third-party vendors?
When you outsource administrative functions such as billing and payment processing, you’re allowing the service providers to access your patients’ sensitive information.
How can you be sure that your vendors have the necessary security measures in place to protect the PHI?
Thankfully, you can eliminate the guesswork by working with companies that are HITRUST-certified, which means they’re compliant with one of the highest standards in cybersecurity.
HITRUST was developed by healthcare and IT professionals with a vested interest in maintaining the highest levels of healthcare information security. It provides a framework that helps organizations effectively manage security, privacy, and regulatory factors in health information systems that handle PHI. It’s designed to:
- Avoid data exposures by identifying risks and preventing compliance issues.
- Combat cyber attacks such as ransomware and other security breaches.
- Establish industry-wide reliability by adopting a comprehensive security framework that is audited, certified, and verifiable.
- Promote transparency with a standardized approach, allowing medical practices to verify that they're partnering with organizations that take the same precautions to safeguard PHI.
The high level of standards established by HITRUST means that certified entities have invested the necessary resources to protect the security of PHI and adhere to a trusted industry benchmark.
When you select a HITRUST-certified vendor, you have independent assurance that its processes and cybersecurity measures comply with a set of guidelines developed with input from the Department of Homeland Security (DHS) and the Department of Health and Human Services (HHS).
These vendors are supported by the HITRUST Cyber Threat XChange, which automates the process of collecting and analyzing cyber threats and distributes actionable indicators to help all certified entities stay at the forefront of cybersecurity.
In addition, HITRUST-certified vendors have access to the latest training in cybersecurity and participate in industry-wide security exercises conducted by HITRUST and HHS.
Protect Your PHI with a Secure Billing and Payment Processing Service
Invoicing and payment processing is one of the most commonly outsourced administrative functions. The amount of sensitive patient information handled by these vendors means you need to select a service provider that adheres to the highest security standards. In doing so,
Here at MailMyStatements, our team is regularly audited to maintain our ongoing HITRUST certification standards. When you use our billing and payment services, you can rest assured that your PHI is protected by the latest technologies according to the highest cybersecurity requirements.
Learn more about our patient statements and payment services here.
Derek Griffin is the VP of Sales and Business Development for MailMyStatements. He has over 13 years of experience as a healthcare sales executive, is experienced in multiple healthcare-related fields from front office to billing and collections, and has worked in various roles within Optum (a UnitedHealth Group company) and AdvancedMD. He loves spending free time with his wife and kids, whether it is coaching the soccer team, attending dance recitals, or fixing bikes.
You can follow Derek on Twitter @Derek_Griffin1