Cybersecurity Lessons, You Shouldn't Learn Them the Hard Way

Published in Member Communities on October 08, 2018

As a healthcare professional, you tell your clients to take preventative steps with regard to their health. Are you taking this same advice when it comes to their data protection? As major players in US industry, healthcare organizations are a top target for criminals looking to steal protected data. Unfortunately, healthcare is also one of the top industries falling behind when it comes to cybersecurity.

While there are a variety of reasons for this, what we want to focus on in this blog is the importance of constantly securing patient data against possible cyber-attacks. Here are a few real-world examples of what can happen when healthcare organizations don’t follow proper data protocol:

1. Don't Put Off Software Updates

Procrastination and cyber protection do not belong in the same sentence. It is incredibly important to stay on top of updates for all of your devices in order to make them impregnable to hackers. Delaying updates puts your devices and data at risk.

Lesson: Misfortune Cookie was discovered in 2014, but not addressed by those using medical gateway devices until this year when it became a major issue. Without an update, a hacker could gain admin-level privileges on medical devices. Even the update will not apply to some versions, and we can only hope that those hospitals will disable those web servers. Not patching vulnerabilities when they are first recognized will allow this to happen again and again.

2. Make Sure Your Devices and Important Documents Are Password Protected

A large part of complying with this is employee training. In healthcare facilities, there are diverse levels of employees with access to Protected Health Information. Typically, this information is accessed on thousands of different devices throughout the building. These devices keep patients alive and hold records of vital health information that criminals would love to exploit.

This is why ramping up your security measures is so important. We recommend reiterating to employees how important security is to patient lives and implementing multi-factor authentication.

Lesson: The University of Mississippi Medical Center agreed to a $2.75 million HIPAA settlement. They incurred a data breach that impacted 10,000 individuals because of poor password protection. A password-protected laptop was stolen by a hospital visitor who was able to easily gain access to thousands of files. If they had taken the proper password and physical security measures, this risk could have been eliminated.

3. Continuously Perform Risk Assessments

Cybersecurity is not a one-and-done deal. As attackers change their tactics to commit crimes against you and your patients, you need to continually adjust your defenses. Procrastination and cyber ignorance are your enemies. You want to have an IT partner who is an expert in assessing your risks. They should be monitoring, analyzing and detecting threats to your institution and providing a timely solution.

Lesson: St. Elizabeth Medical Center paid a settlement of $218,400 because of HIPAA violations. Staff used a cloud-based file-sharing application that was never evaluated, which put 500 patients’ PHI at risk. If they had been continually conducting risk assessments, this could have been avoided.

We sincerely hope that you never have to learn these lessons the hard way. Contact us today for a proactive Vulnerability Assessment to determine your risk landscape.

