Can you guess the cost of a healthcare data breach?
For a Fortune 500 company, the cost is at least $22 million.
That was the ransom UnitedHealth Group paid hackers to restore access to its Change Healthcare software. This application is critical to UnitedHealth’s daily operations, like filling prescriptions, processing payments, and protecting patient data.
A massive data breach on this scale will also get you called to testify before a congressional committee. UnitedHealth CEO Andrew Witty confirmed he authorized payment for the ransom. Witty could not confirm whether all patient data was still secure.
This $22 million payment is expected to grow to over $1 billion in costs as UnitedHealth has become liable for lawsuits and fines related to the data breach.
Healthcare data accounts for 30% of all data generated worldwide. Although your healthcare business may not be as large as UnitedHealth, it likely contributes to this massive universal data total.
It also can make your business a prime target for thieves. The average cost of a healthcare-related data breach was $10.93 million in 2023. A robust data security plan is your best bet to protect your business from unwanted guests.
The good news is this doesn’t need to happen to you. The following 7 tips can help your company protect its data from outside threats and sidestep UnitedHealth’s current problems.
If you are a healthcare company operating in the United States, you know that HIPAA, or the Health Insurance Portability and Accountability Act, is the core regulation for healthcare data.
This law created national standards to protect sensitive health information of patients who have not provided prior consent. This information is called protected health information (or PHI). Staying compliant with this law is required for healthcare providers and their associates.
There are two components needed for HIPAA data compliance:
1. The HIPAA Security Rule – This governs how a business may handle PHI on administrative, physical, and technical levels.
2. The HIPAA Privacy Rule – This limits the use of a patient’s information to third parties without that patient providing prior authorization.
Keeping compliant with HIPAA might seem obvious. If so, why do so many healthcare companies run afoul of HIPAA? Your business must understand the latest requirements to satisfy both rules of this law. Unauthorized data use, especially in the form of a breach, can cost your company thousands of dollars per individual violation and may make you criminally liable.
In fact, the U.S. Department of Health and Human Services wants individuals to know their rights and has instructions for filing a complaint against any company not following the rules.
These heavy fines and fees are why a data breach containing users’ PHI is so scary. If the hacker leaks or uses this information related to a patient, your company is on the hook for every record they steal.
In addition to HIPAA compliance, one of the most important things your company can do is implement multi-factor authentication (MFA) for your network.
You’d be surprised by how many businesses don’t take this step. During his congressional testimony, UnitedHealth’s Witty said the accessed server was not protected by MFA.
MFA is an easy way to protect sensitive data. When a user correctly inputs a username and password, the application sends a separate authorization to another device that the user has to confirm the login.
One way to perform MFA is by setting up a third-party app on your network. Another way is to send a code as a text message to a mobile phone or through a connected email account. While these are popular methods for MFA, there are many more you can use.
While MFA is not a catch-all, it can stop the risk of a breach by between 30 and 50%. MFA is becoming more common in all workplaces, and it’s a simple way to add more protection than passwords alone.
Another way to prevent a data breach is to update all company devices and third-party applications to the latest software.
If it seems like you’re downloading a new update every few days, it’s because data thieves take advantage of vulnerabilities in your applications or operating systems. Hackers are constantly testing new ways to penetrate digital security, so being vigilant with software updates can fix weak defenses. Most times, these updates correct errors hackers use to access your data.
In addition to this, regular updates will keep your network running smoothly. These updates make your devices more efficient, which will allow your devices to do more and perform tasks faster.
Data encryption is when your company converts sensitive or private information, like PHI, into a coded language. One can only understand the data again when accessed through a decryption key—a special decoder only authorized personnel can use.
For HIPAA compliance, it would be wise to use a data encryption method. Encryption puts a strong barrier between you and would-be hackers. Even if sensitive information falls into the wrong hands, it cannot be read easily without the decryption key. This safeguard is why encryption helps satisfy HIPAA’s Security Rule referenced earlier.
Your company can add data encryption to various access points, including your applications, email, and medical devices. Because Bluetooth and Wi-Fi connectivity are everywhere, medical devices are one of the most common areas for hackers to gain network access. Consider applying encryption protection to secure your devices and workstations as well as your software.
Your technology is safest when your employees know how to act responsibly. The good news is training can help workers understand how the little things keep your company secure and why it’s important.
These trainings can cover topics as obvious as locking or shutting down workstations when they aren’t in use. This action prevents unauthorized users from sneaking behind them and finding (or even stealing) private information.
Another training can cover phishing email characteristics. Employees should be able to recognize common red flags like:
– A high-level employee asking for sensitive information
– Strange email addresses or email addresses that don’t match the sender’s organization
– Poor spelling or grammar
– An outbound link that goes to a site where it shouldn’t
– An attached invoice for an unprovided service
Topics like this and more can become regular seminars for employees. When workers understand how to protect sensitive data with simple tricks, they become good stewards of your company and its data.
Another simple way to protect your company’s data is to monitor who has access to it.
When dealing with outside vendors, limit that vendor’s access so they can only do the intended job. Restricting permissions allows a vendor to see data that’s only relevant to that particular task.
Also, be careful with employee turnover, especially for people leaving your company. As part of the offboarding process, set aside time to delete former user profiles or restrict access.
If an employee leaves on bad terms or is tempted to take advantage of prior entry, deleting these permissions during offboarding can keep your data safe.
It can be hard to know what you’re looking for when assessing your data’s security weaknesses. That’s why your company should consider outside help.
There are entire businesses dedicated to assisting companies in improving their data security. These companies can survey your risks and provide you with a comprehensive plan for maintenance and implementation.
Security specialists can give you checklists to ensure you’re taking necessary steps for digital safety. They can also invite a team member or an outside contractor to pretend to be a hacker and simulate hacking your system.
Afterward, that specialist can fix any uncovered errors, so you can focus on serving your patients.
The 7 tips above can help protect you from the costly disaster of a data breach. Like healthcare professionals, it takes a whole team to provide the best patient support. It is no different for digital security and data management.
A + L Development has the tools, talent, and know-how to protect your sensitive data. It has a suite of security and maintenance services to give you peace of mind knowing your data is secure and ready for use.
If you’re interested in working with us, message us here. Our team can put you on the right plan for your company.
An ounce of prevention is worth a pound of care (as UnitedHealth learned the hard way).