Healthcare data breaches are all-too-common occurrences these days, and they pose a significant liability risk for any organization that handles sensitive patient information. While many medical facilities feel they're doing everything possible to safeguard their data, or that they're immune from cyber attacks, the truth is a medical data breach can happen anytime, anywhere. Causes of breaches range from the failure of employees to follow appropriate data management protocols to hackers penetrating the organization's computer system and stealing patient information.
Examples of data breaches in healthcare that occurred in 2017 include:
- Henry Ford Health: A hacker broke into the computer system and gained access to 18,470 patient records.
- Mid-Michigan Physicians Imaging Center: A breach potentially impacted more than 106,000 current and former patients.
- St. Mark's Surgery Center: A four-day ransomware attack prevented access to patient data and exposed patients' names, dates of birth, Social Security numbers and medical records.
- Pacific Alliance Medical Center: A ransomware attack involved the health information of more than 266,000 patients.
- Anthem BlueCross BlueShield: A data breach impacted more than 18,000 Medicare recipients.
How to Prevent Healthcare Data Breaches
While it is impossible to protect against every conceivable threat, there are several steps you can take to reduce the risk of a healthcare data breach in your organization. You can:
- Perform a Comprehensive Risk Assessment: Periodic computer system risk assessments will enable you to identify and address areas of vulnerability in your organization — and maintain HIPAA compliance.
- Encrypt All Data and Hardware: Encrypt patient data both at rest and in transit, and encrypt the storage of the computer hardware that holds it, including portable devices such as laptops, smartphones and tablets.
- Provide Comprehensive Data Security Training: Keep your employees up-to-date on HIPAA privacy and security best practices by conducting periodic training sessions. This will also help to foster a security mindset throughout your organization.
- Manage Access to Patient Information: Limit employees' access to patient data based on their "need to know." Also, manage user identities and enforce stringent password policies.
- Conduct Comprehensive Third-Party Oversight: Outsourcing data management practices to third parties does not absolve your organization of responsibility in the wake of a breach or cyber attack. Carefully vet all vendors during the hiring process and keep a close watch on their activities.
- Develop a Breach Response Plan: These days, it's not a question of if a data breach will occur, but when. A carefully developed, well-crafted response plan will ensure a prompt, appropriate reaction that can minimize damage and potentially reduce any sanctions or financial penalties.
- Carry Cyber Liability Insurance: Cyber liability insurance can provide coverage for instances such as the failure to prevent unauthorized computer system access or use, inappropriate third-party actions and the mishandling of patient data. These policies offer a level of protection above and beyond what is available via general liability, directors and officers (D&O), and crime insurance coverage.
As a leading provider of cyber liability insurance for the healthcare industry, Gallagher can offer comprehensive coverage that will protect your organization in the event of a healthcare data breach. Contact us for more information and a no-obligation quote today.