Healthcare organizations face intense challenges when it comes to cybersecurity, privacy, and compliance. New federal guidance and an ongoing convergence between security and privacy may help MSPs better protect patient information.
According to this piece in the Harvard Business Review, privacy and security are intersecting as more Internet users understand the value of the information they share online, and as more stringent requirements like the EU’s General Data Protection Regulation (GDPR) emerge.
The danger isn’t just hackers stealing your personal information anymore. Privacy has become important because tech companies now use every online interaction to feed increasingly complex AI and machine learning systems, and from those data sets such systems can infer things about us that we may not want revealed.
As the HBR article states: “The biggest risk to our privacy and our security has become the threat of unintended inferences, due to the power of increasingly widespread machine learning techniques. Once we generate data, anyone who possesses enough of it can be a threat, posing new dangers to both our privacy and our security.”
The healthcare industry has already been focused on privacy thanks to HIPAA requirements. This new era of data mining and machine learning, though, poses new types of problems – protected health information could be compromised indirectly through data analysis, threatening patient anonymity.
Data loss or data breaches now have even wider ramifications. A patient record won’t just be used to steal an identity or payment information; it can be leveraged to further encroach on patient privacy. For example, a group of researchers published a paper in npj Digital Medicine describing how they were able to uncover intimate details about people’s health by using a machine learning tool to sift through search activity on the Bing search engine, covering millions of English-speaking searchers from September 2015 to February 2017. By tracking observational signals ranging from cursor movements to repeated queries, they were able to detect (with more than 94 percent accuracy) searchers with neurodegenerative disorders such as Parkinson’s and Alzheimer’s.
Consider how an insurance company might use this kind of information when determining an applicant’s eligibility and adjusting the pricing of their services. Or, how cybercriminals could use this data (along with insights about a person’s political leanings) to intimidate or blackmail victims.
Healthcare providers in the crosshairs
Healthcare organizations remain a growing target for cyber-attacks. Already this year, we’ve seen one large email breach at Choice Rehabilitation in Missouri, via an email account takeover. The Ponemon Institute reports that healthcare organizations spend $12.5 million on average each year on cybercrime, and that the number of successful breaches has risen more than 27 percent. The average cost of those breaches is up to $2.2 million, and Ponemon’s data shows that healthcare has some of the costliest breaches per record of any industry.
For MSPs operating in the healthcare space, it’s vital to recognize that these breaches aren’t just a one-time loss of specific data. Patient privacy (a key focus of the HIPAA rules) is on the line. While credit card and even identity theft can eventually be contained, privacy is a lot more difficult to reestablish after a breach.
Healthcare organizations are rapidly adopting cloud solutions, mobile computing, and other technologies, often without taking the proper cyber precautions. This makes them both vulnerable and, because of the value of the data, extremely attractive to criminals.
HHS has published its latest guidance and best practices for cybersecurity, developed over two years. The guidelines aim to raise awareness of threats, reduce cybersecurity risk in a cost-effective manner, support adoption of the Cybersecurity Act of 2015, and provide practical security advice for organizations of every size.
For MSPs, the two technical volumes released by HHS for small and medium/large healthcare organizations provide a roadmap for cybersecurity discussions with clients in this market.
The guidance is organized in such a way that MSPs can easily turn it into a checklist for clients, and the best practices within carry the authority of the agency that will investigate any potential HIPAA violations as a result of a breach. The documents cover email protection, endpoint protection, access management, data protection/loss prevention, asset management, network management, and incident response – how does your own product portfolio match up?
Healthcare clients will increasingly need guidance on protecting the influx of new technology systems they are deploying. With patient privacy on the line and the looming threat of fees and loss of reputation that comes with a breach and a HIPAA violation, those organizations should be uniquely open to the influence of a trusted, knowledgeable partner that can help them effectively address security and privacy concerns.