PHI Breaches – 3 Risks to Prioritize in 2018
Earlier this month, Verizon released their annual Protected Health Information Data Breach Report (PHIDBR). While Verizon’s insights into the cybersecurity challenges that are facing healthcare are always of interest, their findings shouldn’t come as a surprise to the lawyers, security engineers, and compliance officers fighting in the trenches to protect their organization’s PHI. This year’s PHIDBR delves into a number of threats, but here are three in particular that should stay at the top of your risk assessment in the next year:
1. Laptops walk away. Are you protected? Continuing a trend from previous years, one of the most prevalent sources of PHI breaches is also one of the easiest to control. If you store PHI on movable media, make sure it is encrypted. Turning on BitLocker or FileVault can be done in minutes, transparently to your users, and could have made a difference in about 10% of all of the PHI breaches reported to OCR last year. Where PHI is involved, make encryption the rule, not the exception.
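Turning encryption on is the easy half; the check a compliance program actually needs is proof that every volume holding PHI stays fully encrypted with protection on. The script below is an added example (not part of the original post or of Verizon's report) that parses the output of Windows' `manage-bde -status` and flags any volume that is not both "Fully Encrypted" and "Protection On". The sample output embedded in it is constructed, not captured from a real host; the field labels follow the tool's layout, but the sizes, volume names and version string are made up.

```python
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `manage-bde -status` output (not captured from a real host).
# Field labels follow the tool's layout; sizes, labels and version string are invented.
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 237.92 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume E: [PHI_EXPORTS]
[Data Volume]

    Size:                 28.65 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
"""


@dataclass
class VolumeStatus:
    letter: str
    label: str
    conversion: str
    protection: str

    @property
    def compliant(self) -> bool:
        # Both conditions matter: a volume can be fully encrypted while protection
        # is suspended, in which case the key is stored in the clear on disk.
        return self.conversion == "Fully Encrypted" and self.protection == "Protection On"


VOLUME_HEADER = re.compile(r"^Volume ([A-Z]):\s*\[(.*?)\]", re.MULTILINE)


def parse_status(text: str) -> list[VolumeStatus]:
    """Split manage-bde -status output into one record per volume."""
    headers = list(VOLUME_HEADER.finditer(text))
    volumes = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        block = text[m.end():end]
        conv = re.search(r"Conversion Status:\s*(.+)", block)
        prot = re.search(r"Protection Status:\s*(.+)", block)
        volumes.append(VolumeStatus(
            letter=m.group(1),
            label=m.group(2),
            conversion=conv.group(1).strip() if conv else "Unknown",
            protection=prot.group(1).strip() if prot else "Unknown",
        ))
    return volumes


def unprotected_volumes(text: str) -> list[str]:
    """Drive letters to escalate: anything not fully encrypted with protection on."""
    return [v.letter for v in parse_status(text) if not v.compliant]


def live_status() -> str:
    """Run the real tool on a Windows host (needs an elevated prompt); not used offline."""
    return subprocess.run(["manage-bde", "-status"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for v in parse_status(SAMPLE_STATUS):
        flag = "OK" if v.compliant else "UNPROTECTED"
        print(f"{v.letter}: [{v.label}] {v.conversion} / {v.protection} -> {flag}")
```

On a fleet, feed `live_status()` into `unprotected_volumes()` from your endpoint-management tool and treat a non-empty result as a ticket, not a log line; a "Fully Decrypted" removable volume labelled for PHI exports is exactly the laptop-walks-away scenario.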
2. Just because bitcoin crashed doesn’t mean that ransomware did. Verizon’s research bears out what we probably already knew: ransomware is far and away the most common way that outside attackers compromised systems containing PHI in 2017. While there’s no silver bullet to combating the threat, maintaining robust patching programs and keeping anti-malware solutions up to date and deployed everywhere are the minimum first steps, and can go a long way. Also, don’t forget about business continuity. Good and, more importantly, readily available backups can be the difference between getting back on your feet and paying out that (now a little less valuable) bitcoin.
3. Outside threats are flashy, but don’t let them blind you. While proverbial barrels of electronic ink have been spilled in the last year warning everyone about threats from hackers who wish to do harm or make a quick buck, the two largest categories of threats start from behind the walls. Whether the result of a malicious insider or an unintended mistake, almost 2/3 of last year’s breaches were caused by insiders, not outsiders. For these threats, establishing routines is key. Make sure your workforce is vigilant, both to unintentional error and intentional misuse, monitor systems that maintain PHI, and always go back and verify the effectiveness of your technical controls. Security is only as good as the workforce that maintains it.
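"Monitor systems that maintain PHI" has a concrete shape: the EHR audit log already records who opened which patient record, and the classic insider signal is a user reading far more distinct records in a day than their peers in the same role. The example below is added here and is not from the original post or from Verizon; it builds a constructed audit log (the users, roles, patient IDs and timestamps are all invented), then flags any user whose distinct-patient count for a day exceeds a multiple of the median for that role on that day. The ratio and minimum-record thresholds are assumptions to tune against your own baseline.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed EHR audit log, one row per record access. Every user, role,
# patient ID and timestamp is invented for this example.
def build_sample_log() -> str:
    lines = ["timestamp,user,role,patient_id,action"]

    def add(user, role, patient_ids, hour):
        for i, pid in enumerate(patient_ids):
            lines.append(f"2017-11-06T{hour:02d}:{i % 60:02d}:00,{user},{role},{pid},view")

    add("nurse_a", "nurse", [f"P{n}" for n in range(1001, 1005)], 8)    # 4 patients, normal
    add("nurse_b", "nurse", [f"P{n}" for n in range(1005, 1010)], 9)    # 5 patients, normal
    add("nurse_c", "nurse", [f"P{n}" for n in range(1100, 1140)], 22)   # 40 patients in one evening
    add("clerk_d", "clerk", ["P1001", "P1002", "P1003"], 10)            # only clerk, no peers
    return "\n".join(lines) + "\n"


SAMPLE_LOG = build_sample_log()


def load_rows(text: str) -> list[dict]:
    """Parse the CSV audit log into dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_outliers(rows: list[dict], ratio: float = 3.0, min_records: int = 10) -> list[dict]:
    """
    Alert on (day, user) pairs whose distinct-patient count is more than `ratio`
    times the median for the user's role on that day and at least `min_records`.
    The minimum keeps a single-person role (clerk_d) from alerting on itself.
    """
    patients_by_day_user = defaultdict(set)
    role_of = {}
    for r in rows:
        day = r["timestamp"][:10]
        patients_by_day_user[(day, r["user"])].add(r["patient_id"])
        role_of[r["user"]] = r["role"]

    # Peer baseline: every user's distinct-patient count, grouped by (day, role).
    counts_by_day_role = defaultdict(list)
    for (day, user), pats in patients_by_day_user.items():
        counts_by_day_role[(day, role_of[user])].append(len(pats))

    alerts = []
    for (day, user), pats in sorted(patients_by_day_user.items()):
        role = role_of[user]
        baseline = statistics.median(counts_by_day_role[(day, role)])
        n = len(pats)
        if n >= min_records and n > ratio * baseline:
            alerts.append({"day": day, "user": user, "role": role,
                           "distinct_patients": n, "peer_median": baseline})
    return alerts


if __name__ == "__main__":
    for a in flag_outliers(load_rows(SAMPLE_LOG)):
        print(f"{a['day']} {a['user']} ({a['role']}): {a['distinct_patients']} "
              f"distinct patients vs peer median {a['peer_median']}")
```

The median is used rather than the mean so that the snooping account does not drag its own baseline up; re-running this over last month's log after you change an access-control rule is one cheap way to "verify the effectiveness of your technical controls" rather than assume it.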