The cybersecurity challenges that face healthcare providers can seem staggering. Last year, the industry accounted for nearly 70 percent of all records exposed in data breaches, according to the Identity Theft Resource Center, and protected health information breaches impacted more than 113 million individuals, according to the Office for Civil Rights (OCR). Further, with health records increasing in value (surpassing credit card data) for criminals, hacking continues to rise.
Some institutions will report that they are “mostly secure.” And while awareness of threats has increased in the healthcare sector, many providers remain behind the curve on cybersecurity and lack the ability to prevent even common intrusions. Compounding the challenge for providers, state governments have responded to cyberattacks with increased scrutiny. Ever-changing laws dictate what actions a provider must take to both alert patients affected by a breach and offer remediation. Many of these amended laws expand the reach of current notification requirements, add to the definition of “personal information” and increase reporting requirements to state attorneys general.
For example, North Dakota modified its notification law to require any organization that “owns” or “licenses” state residents’ data that includes “personal information” to report the breach to the attorney general if it impacts more than 250 people. This applies even if the organization isn’t based in the state. North Dakota isn’t alone. Several other states, including Connecticut, Nevada, Oregon and Tennessee, amended their data breach notification laws in 2015 and 2016. And state attorneys general are making it clear that they want to be in the loop early when a breach occurs.
Navigating this increasingly complex maze of requirements from different states while simultaneously combatting data breaches is not an easy task. That’s why it’s critical for healthcare providers to prepare a comprehensive data security action plan by following these five steps:
1. Benchmark to identify vulnerabilities—A risk assessment is a key first step to help a provider determine where the greatest risks are within the organization. This helps the leadership team then determine what security resources to deploy and where to focus attention.
2. Adopt a consistent security posture—Healthcare providers need to take a consistent security stance across their organizations.