During the first half of 2017, cybercrooks were at it again. According to the U.S. Department of Health and Human Services, the sad balance stands at 149 breaches affecting a total of nearly 2.7 million individuals.
The 5 Largest US Health Data Breaches in H1, 2017
| Entity | # Individuals Affected | Breach Type |
|---|---|---|
| Commonwealth Health | 697,800 | Theft by former employee |
| Airway Oxygen | 500,000 | Hacker / Ransomware |
| Urology Austin | 279,663 | Hacker / Ransomware |
Source: U.S. Department of Health and Human Services
The financial consequences for a hacked healthcare organization are devastating, as the Anthem breach illustrates. Back in 2015, hackers gained access to the corporate database of health insurer Anthem Inc., getting away with an estimated 80 million records of current and former U.S. customers and employees. The health insurer agreed to pay $115 million to the victims, pending approval from the federal court, to settle the more than 100 lawsuits that had been filed against Anthem. It is unknown how much Anthem had to pay to the HHS in HIPAA penalties.
Let’s have a closer look at HIPAA, the Health Insurance Portability and Accountability Act. This United States legislation provides data privacy and security provisions for safeguarding medical information. Signed into law by President Bill Clinton on August 21, 1996, it standardizes the electronic transmission of administrative and financial transactions. Cloud service providers and other business associates of healthcare organizations must also comply with the HIPAA privacy, security and breach notification rules.
Furthermore, the HIPAA Security Rule requires healthcare organizations to implement three types of safeguards: 1) administrative, 2) physical, and 3) technical. In addition, it imposes other organizational requirements, such as maintaining HIPAA Security Rule documentation.
Outside of the US, Australia, Japan, the UK and the EU are also working on legislation to protect civilians’ private and medical data. If we look at the EU, we see that it took a different approach than the US. Where HIPAA is industry-specific, the General Data Protection Regulation (GDPR) is designed to protect the privacy and personal data of all European Union residents. The GDPR impacts all organizations worldwide that collect personal information about EU residents, and non-compliance has serious financial consequences. Approved in 2016, GDPR will come into effect on May 25, 2018.
What does this all mean for health organizations? Well, to become and remain compliant, they must perform risk analysis as part of their security management processes. The risk analysis process for determining which security measures they should implement includes evaluating the likelihood and impact of potential risks to their data and systems.
Remaining compliant is a main worry, and ongoing risk analysis will give organizations peace of mind. Regular review of the security of the organization’s data and systems will expose weak points that could be exploited for unauthorized access to data and for data leakage. Ongoing risk assessment will test the vulnerability of the organization’s systems and data to potential security incidents such as (spear) phishing and ransomware attacks, as well as the susceptibility of employees to social engineering.
For healthcare organizations, especially those that have to comply with HIPAA regulations, Cymulate provides its sophisticated, highly effective and easy-to-use Breach and Attack Simulation assessment platform. Health organizations can easily deploy the plug & play Cymulate solution on their network. Once installed, it performs offensive and defensive actions to expose critical vulnerabilities. More specifically, the platform simulates multi-vector cyberattacks from an attacker’s perspective. This enables the healthcare organization to take preventive action before an actual attacker has a chance to exploit its weaknesses and get away with priceless patient and medical data, which could result in hefty penalty fees and multiple lawsuits. Cymulate made the testing procedure fast and easy to perform on demand, anytime and anywhere. For healthcare organizations, Cymulate recommends regular testing, at least once a month.
Do you want to know if your healthcare organization would be able to withstand a multi-vector attack? Do you want to understand your security posture as mandated by HIPAA? If yes, sign up for our FREE assessment without any obligation. See for yourself how Cymulate’s automated platform simulates continuous attacks across different vectors to locate vulnerabilities, allowing you to mitigate issues and remain HIPAA compliant.