Technical Risk Mitigation

Best practices in applying security standards

A risk-based approach to IT security focuses efforts on the technical controls that are most appropriate, based on the risks the organization is exposed to. This approach depends on existing standards to provide flexible, scalable, and cost-effective techniques that improve healthcare organizations’ security posture over time.


TECHNICAL SECURITY CHALLENGES FOR HEALTHCARE PROVIDERS

The 2019 American Medical Collection Agency (AMCA) breach exemplifies many of the technical challenges that healthcare providers face today.

Because the party at fault was a billing vendor serving the major laboratory companies across the entire industry, the breach affects nearly every provider’s patient population, and monitoring for losses alone is insufficient. While that is just one event, healthcare data breaches cost the industry about $4 billion in 2019, and that number was expected to increase in 2020 [1]. The ever-growing volume of valuable personal health information (PHI) held online creates an increasingly attractive target for hackers.


Top 10 Healthcare Data Breaches in 2019

  1. AMCA data breach: 25M patients affected, investigation ongoing
  2. Dominion National: 2.96M patients affected
  3. Inmediata Health Group: 1.5M patients affected
  4. UW Medicine: 973,024 patients affected
  5. Wolverine Solutions Group: estimated 600,000 patients affected
  6. Oregon Department of Human Services: 645,000 patients affected
  7. Columbia Surgical Specialists of Spokane: 400,000 patients affected
  8. UConn Health: 326,629 patients affected
  9. Navicent Health: 278,016 patients affected
  10. Zoll Services: 277,319 patients affected


13.6% of breaches reported across all industries in Q1 2019 were specifically targeted against healthcare organizations.

67.6% of healthcare organizations that were breached during this period cannot report how many records were lost or exposed.

In 14.7% of all breaches involving medical records, the records were exposed through the Internet.

Critical steps in addressing these attacks include improved network and data configuration, maintenance, and management by covered entities (CEs) and business associates (BAs). This requires that they take a risk-based approach to technical best practices for IT risk mitigation, data security, and regulatory compliance. A risk-based approach to technical controls helps organizations be more efficient and cost-effective by identifying, and focusing effort on, the controls that are most appropriate given the risks the organization is exposed to. This approach depends on existing standards to provide flexible, scalable techniques that improve healthcare organizations’ security posture over time.


Standards to address technical risks

Healthcare organizations are required to protect personal health information in all forms, including electronic PHI. The HIPAA Security Rule (45 CFR 164.304) describes multiple standards that define the technology, as well as the policies and procedures for its use that protect electronic PHI and control access to it.