2017 was not a banner year for healthcare data security. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) posts that there have been over 275 large-scale breaches reported in the last 12 months. In total, more than 4.5 million individuals were affected. Based on the OCR’s list, it seems no type of healthcare organization is immune to cyber risk. Some of the nation’s largest hospital systems, health plans, and pharmacies have been targets of these attacks, which resulted in significant data breaches.
Given the high payoff for cyber criminals, the trend is likely to continue into 2018. Medical identifications, especially Medicaid and Medicare I.D.s, fetch a premium in the black market; and data ransoms have become a sizable illicit industry. A 2016 IBM Ransomware Survey found that 70% of businesses pay a ransom to get their data back after a cyber attack. And the costs go beyond these ransoms. A PwC study found that nearly 40% of consumers would abandon or hesitate using a health organization if it is hacked. The financial costs, brand deterioration, and customer impacts of a breach can be severe and take years to recover.
As healthcare organizations and their vendors rely more on storing and transmitting electronic data, the ability to be a trusted data repository becomes a greater challenge. HIPAA provides basic provisions for protecting healthcare information, but the guidelines include many gray areas and allowances that can result in misinterpretations or unclear direction about what constitutes sufficient controls. The need for a standardized and clear guideline for implementing cyber security provisions is critical for the healthcare industry to protect members and patients from largescale data breaches.
The Health Information Trust Alliance (HITRUST) has established a Common Security Framework (CSF) to answer this call. The HITRUST CSF incorporates HIPAA, HITECH, PCI, and COBIT requirements into a set of controls that can be integrated with other regulations and security standards, such as NIST, to create a comprehensive solution for protecting sensitive data. The rigorous CSF was developed by the industry’s leading security and technology experts, and features a third-party certification process to ensure an organization has implemented the framework to its intended high standards.
Healthcare organizations such as athenahealth have realized the value of HITRUST’s CSF certification; and a growing number of companies, including Anthem, Highmark, Humana, UnitedHealthcare and others, now require their business associates to obtain this certification. In an environment of aggressive cyber crime, it is time for the healthcare industry to adopt more standardized controls, such as HITRUST CSF, to safeguard stakeholders’ data and reduce the industry’s attractiveness as a target for cyber criminals.
Is your member data protected?
Doug Williams is President of Markets and Products for HMS. HMS is a HITRUST CSF Certified company.