Ransomware Resilience: How HIPAA Assessments Can Fortify Healthcare Data Security

In the first half of 2024 two significant cyber-attacks targeted U.S. healthcare organizations. On February 21, Change Healthcare, a subsidiary of conglomerate UnitedHealth Group, announced it had been hacked leading to a rippling effects across the country. Similarly, on May 8, unusual activity was detected on multiple network systems used by Ascension, a major U.S. health system with around 140 hospitals across 19 states.

Data from The HIPAA Journal (Jan 31, 2024) highlights an increase in reported data breaches in the healthcare industry since 2009. We emphasize “reported” here because it’s important to remember that many data security incidents go unreported, which would further increase the statistics.

Image Source

Regarding  the types of data breaches, ransomware attacks have been the predominant cyber threat facing the healthcare industry. Between 2016 and 2021 the number of ransomware attacks more than doubled, (Source, NPR). Compared to other industries, the healthcare sector is also the most highly impacted by ransomware attacks.

Image Source

This raises the question, why is the Healthcare industry so vulnerable to cyberattacks?

Healthcare organizations are attractive targets for cyber criminals due to the large volume of electronically stored PHI (protected health information) and PII (personally identifiable information). From electronic medical records to insurance and billing information, healthcare systems hold a wealth  of sensitive data that has  high monetary value on the black market. Obtaining this data allows attackers to demand substantial ransom payments.  

From a security posture perspective, there is a significant gap in data security infrastructure. This lapse can be attributed to a confluence of factors: budgetary constraints, legacy software systems attempting to interface with specialized medical technologies, unpatched software vulnerabilities and challenges in attracting skilled IT security professionals. As a result networks are highly susceptible to ransomware infiltration through techniques such as phishing and remote desktop protocol attacks.

So, how can healthcare organizations strengthen their security posture and prevent cyber criminals from gaining unauthorized access through methods like ransomware? One strategy is to conduct regular HIPAA Assessments and compliance monitoring.

The Origins of HIPAA for Healthcare Providers

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996. Prior to HIPAA, there were no comprehensive federal standards governing the use and disclosure of patients' medical records. Overtime HIPAA has evolved with advancements in technology and the growing need to protect the privacy and security of individuals' PHI and ePHI (electronic personal health information).

Utilizing Third-Party HIPAA Assessments as a Solution

While HIPAA offers clear guidelines, achieving compliance is a multifaceted and constant challenge for healthcare organizations. By leveraging the expertise, objectivity and thorough comprehensive approach of third-party HIPAA assessors, healthcare organizations can identify vulnerabilities, and implement strategies to strengthen their security posture and compliance.

• Objective and Impartial Evaluation: Third-party assessors offer an unbiased, external perspective such as our team at Capsicum Group. We can uncover potential gaps and vulnerabilities that internal teams might overlook due to unconscious bias, or familiarity in their own work.
• Expertise and Familiarity with Regulations: Capsicum, for instance has extensive, up to date knowledge with evolving HIPAA requirements, and experience applying these  regulations across diverse healthcare settings. We can provide tailored guidance, including audit controls, incident response protocols, contingency planning, and best practices to address organization-specific security challenges.
• Comprehensive Risk Analysis: Assessments entail a thorough review of an organization's policies, procedures, technical safeguards, and employee training related to HIPAA compliance. This comprehensive analysis helps in identifying and mitigating potential risks. For instance, part of the breach involving the UnitedHealth Care network stemmed from a lack of multi-factor authentication. A robust HIPAA assessment includes an in-depth evaluation of access controls, including establishing audit trails and monitoring PHI access for multi-factor authentication events. This process allows IT teams to track who accessed PHI and from where, adding  an additional layer of accountability. 
• Guidance During Self-Audits: HIPAA mandates periodic self-audits, navigating regulatory intricacies can be a daunting without expert assistance. Leveraging third-party HIPAA experts, enables healthcare organizations to navigate  self-audits confidently, ensuring they safeguard sensitive patient data and fulfill regulatory obligations. 
• Ongoing Risk Assessment Support: Continuous  support services, such as regular audits, policy updates, and employee training, are crucial  for maintaining  data security as regulations evolve and new threats emerge.
• Comprehensive Reporting: As third-party evaluators, Capsicum provides detailed reports documenting clients’ compliance efforts, identified vulnerabilities, and the overall status of their security posture. These reports demonstrate the organization's commitment to protecting sensitive data and serve as a foundation for maintaining continuous compliance standards and preventing cyber-attacks.

Organizations can proactively mitigate cybersecurity risk and maintain regulatory compliance and patient data privacy without taking away precious internal resources by teaming with a trusted third-party partner such as Capsicum Group. It's crucial to recognize that even with robust HIPAA compliance, no organization is completely immune to cyberattacks due to the ever-evolving nature of technology. Hence, HIPAA assessments should be combined with ongoing security monitoring, timely patch management, and implementation of advanced threat protection measures to establish a comprehensive defense system for data security.