It’s a new year with new challenges. 2022 might be shaking up the healthcare industry with new cyber threats.
“Every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety,” the Cybersecurity and Infrastructure Security Agency (CISA) warned in its latest CISA Insights report.
Healthcare security addresses safeguarding data and systems. Privacy addresses safeguarding identity and specific parts of data. Both are critically important for organizations.
There are basically three types of cybersecurity threats that worry healthcare systems: external, credentialing, and internal.
External threats, often coming from hackers, usually get the most attention. Those threats copy, steal, ransom or move data around. They’re often undetected for long periods of time.
The misuse of permissions or authorizations, where the means of access is lost, stolen or misapplied, are credentialing breaches. Data from electronic health records (EHRs) and other electronic health information (EHI) can be maliciously used for identity theft.
An internal threat is any kind of damage that can be done from within an organization, regardless of intent.
Data breaches are generally less harmful to organizations than attacks that disrupt or stop the functioning of daily business. However, highly publicized breaches can have severely damaging effects on the organization.
No organization in any industry can attain a 100% cybersecure posture regarding all threats, but the identification of risks and vulnerabilities with the use of the Health Insurance Portability and Accountability Act (HIPAA) Security Risk Analysis (SRA) is crucial.
“Healthcare organizations, health plans, and business associates are required to perform a HIPAA Security Risk Analysis (SRA) on an annual basis to maintain their HIPAA compliance and fulfill their responsibilities to secure and protect PHI.
A security risk analysis (SRA) identifies risks and vulnerabilities that can leave an organization susceptible to a data breach resulting in compromised health information. Organizations that complete and review their SRA on an annual basis have the policies, procedures, and documentation in place to fulfill their obligations to PHI security and privacy, address security incidents as they happen, and provide documentation for due diligence in case of an audit.”
HIPAA-covered entities are required to follow certain rules surrounding the handling of protected health information (PHI). But health apps, which may possess equally important health data, are not covered entities.
A huge problem is the increased use of health-related information created, gathered and collected outside of the scope of the HIPAA rules, such as mobile apps, wearables, personal health records, etc. This information is generally not subject to HIPAA.
Healthcare privacy and security is a complex area. There is a delicate balance between keeping patient data secure and sharing it. Rules allowing patients to have free access to their health data can conflict with HIPAA or state laws to protect privacy.
As healthcare organizations prepare for the year that lies ahead, the ability to adapt to the ever-changing landscape of threats is crucial to success.