During the first half of 2017, cybercriminals were at it again. According to the U.S. Department of Health and Human Services (HHS), the tally for the period stands at 149 reported breaches affecting a total of nearly 2.7 million individuals.
The 5 Largest US Health Data Breaches in H1, 2017
| Entity | Individuals affected | Breach type |
|---|---|---|
| Commonwealth Health | 697,800 | Theft by former employee |
| Airway Oxygen | 500,000 | Hacker / ransomware |
| Urology Austin | 279,663 | Hacker / ransomware |
Source: U.S. Department of Health and Human Services
The financial consequences for a breached healthcare organization can be devastating, as the Anthem breach illustrates. Back in 2015, attackers gained access to the corporate database of health insurer Anthem Inc. and made off with the records of an estimated 80 million current and former U.S. customers and employees. To settle the more than 100 lawsuits filed against it, Anthem agreed to pay $115 million to the victims, pending approval by the federal court. How much Anthem will have to pay the HHS in HIPAA penalties is not yet known.
Let's have a closer look at HIPAA, the Health Insurance Portability and Accountability Act. This United States law sets out data privacy and security provisions for safeguarding medical information. Signed into law by President Bill Clinton on August 21, 1996, it also standardizes the electronic transmission of administrative and financial healthcare transactions. HIPAA obligations do not stop at the healthcare organization itself: cloud service providers and other business associates that handle protected health information on its behalf must also comply with the HIPAA Privacy, Security, and Breach Notification Rules.
The HIPAA Security Rule requires covered entities and their business associates to implement three types of safeguards: 1) administrative, 2) physical, and 3) technical. In addition, it imposes organizational requirements such as maintaining HIPAA-compliant Security Rule policies and documentation.
Outside the US, Australia, Japan, the UK, and the EU are also working on legislation to protect citizens' private and medical data. The EU has taken a different approach from the US. Where HIPAA is industry-specific, the General Data Protection Regulation (GDPR) is designed to protect the privacy and personal data of all European Union residents, regardless of sector. The GDPR applies to every organization worldwide that collects personal data about EU residents, and non-compliance carries serious financial consequences: fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. Adopted in 2016, the GDPR takes effect on May 25, 2018.
What does all this mean for healthcare organizations? To become and remain compliant, they must perform a risk analysis as part of their security management process. That analysis, which determines which security measures to implement, evaluates the likelihood and impact of potential threats to their data and systems.
Remaining compliant is an ongoing concern, and only ongoing risk analysis can give an organization confidence that it still is. Regular review of the security of the organization's data and systems will expose weak points that could be exploited for unauthorized access or data leakage. Ongoing risk assessments should test how vulnerable the organization's systems and data are to likely security incidents such as (spear) phishing and ransomware attacks, as well as how susceptible employees are to social engineering.
For healthcare organizations, especially those that have to be HIPAA compliant, Cymulate provides a sophisticated, highly effective, and easy-to-use Breach and Attack Simulation platform. Healthcare organizations can deploy the plug-and-play Cymulate solution to their network with minimal effort. Once installed, it performs offensive and defensive actions to expose critical weaknesses: the platform simulates multi-vector cyberattacks from an attacker's perspective. This enables the healthcare organization to take preventive action before a real attacker has a chance to exploit those weaknesses and make off with patient and medical data, an outcome that can result in hefty penalties and multiple lawsuits. Cymulate has made the testing procedure fast and easy to run on demand, anytime and anywhere. For healthcare organizations, Cymulate recommends regular testing, at least once a month.
Do you want to know whether your healthcare organization could withstand a multi-vector attack? Do you want to understand your security posture as HIPAA requires? If so, sign up for our FREE trial, with no obligation. See for yourself how Cymulate's automated platform continuously simulates attacks across different vectors to locate weaknesses, so that you can mitigate them and remain HIPAA compliant.
Test the effectiveness of your security controls against current cyber threats with a 14-day trial of Cymulate's platform.
Don’t speculate, Cymulate