Doctor holding healthcare and medical data paperwork

What Healthcare Professionals Can Learn From the Latest Meta Scandal

With the revelation in June that social media giant Meta has been scraping sensitive information, including medical data from hospital websites, a microscope has again been turned on the security of data in the healthcare industry.

Because of the Health Insurance Portability and Accountability Act (HIPAA), healthcare companies have more responsibilities to protect customer data and inform people when data breaches occur compared with other industries.

This could be part of the reason why healthcare is typically overrepresented in statistics on cybercrime, with the Internet Crime Complaint Center (IC3) observing that healthcare reported 23% of all complaints in 2021, the highest percentage of any industry. Healthcare is also particularly vulnerable for a number of other reasons, including the combination of physical and digital data and the higher resale value of stolen medical data.

Data leaks in healthcare have risen by 84% in the last 4 years and healthcare firms spend around $1 million per year per firm on data breaches. Many healthcare professionals will have robust security processes in place but issues like the Meta scandal emphasize the importance of regular and consistent data security awareness.

How to prevent loss of hard data

Physical data like paper records is typically more vulnerable than digital data as security is not as advanced and it’s less likely to be backed up. While physical data is less common today, ensuring your paper records are secure is still essential.

●     Have a compliant storage timeline

HIPAA requires medical companies to store medical records for six years from the time they were created or from when they were last used. This means you’ll need to ensure the secure storage of data for six years and have practices in place to destroy data once this time has been reached. If your organization is unable to digitize records, ensuring staff understand the correct admin processes to mark and update expiry information on physical records is essential.

●     Avoid human error

Human error is the most common cause of data misuse and the best way to keep this to a minimum is through regular training and awareness. The data security landscape is constantly changing so anybody interacting with sensitive information should be receiving consistent training in how to store and destroy data properly.

●     Create back-ups

Digital back-ups are a useful way of ensuring that nothing is lost when physical data is stolen which can help maintain trust from your patients even in the face of a data breach. However, keeping back-ups all in one place can pose a threat from cybercriminals, so you may want to discuss with cybersecurity experts on the best way to diversify your back-ups.

●     Follow proper data destruction process

There are two data destruction processes that are typically used in a medical setting. You can choose to use a locked shredder bin which is then transferred to an industrial shredding machine where paper is destroyed and baled, making it easier for recycling. This option helps your practice save money and improves recycling rates.

Alternatively, you can use a decentralized shredding solution where every office that needs a shredder has one. This approach means sensitive information is destroyed as soon as it’s no longer needed and is typically more secure.

How to prevent cyber attacks and data leaks

Each HIPAA violation can cost between $100 and $50,000/per patient record for healthcare providers who have not put strong security measures in place, highlighting why it’s so vital that all medical professionals have strong security awareness.

There were almost 150 reported data breaches from healthcare companies in 2021. Follow these steps to ensure digital data is as secure as possible.

●     Avoid human error

Again, human error is consistently the most common cause of data leaks. Every member of staff should have an understanding of how to avoid fraud, phishing and computer viruses. Cybersecurity is everyone’s responsibility and, with the potentially sky high cost of lost data, rigorous training is the best way to avoid falling victim to cybercriminals.

●     Invest in cybersecurity

By 2025, healthcare spending on cybersecurity in the US is predicted to grow to $6.77bn from $4.59bn in 2020. It’s easy for healthcare bosses to get complacent to the threats of criminal actors but Fitch Ratings observed a rise of over 10,000 patients affected between 2020 and 2021, meaning cyber threats are actually getting more dangerous and affecting more people.

●     Keep hardware updated

Some healthcare practices may not have the budget to regularly purchase new technology and older devices are typically more vulnerable to attacks. Ensuring all updates are regularly installed for all machinery is a vital step to head off cybercriminals before they can gain access to your networks.

●     Understand data destruction

Whenever you dispose of old technology, it’s absolutely vital to follow the proper data destruction processes. Even if your data is encrypted, hard drives need to be degaussed and physically destroyed to ensure the data is removed forever.

How to approach informing patients

With so many security risks to face down, it’s not always possible to avoid a data breach. HIPAA requires healthcare professionals to inform patients of data breaches and even requires companies to inform local media if the breach affects more than 500 patients. Getting the message right will be essential to protecting your reputation and trust with patients.

●     Have an incident response plan

You’ll need to make sure your patients know you’ve taken every step to keep their data safe so preparing an incident response plan ahead of time will help demonstrate this. The plan should include how to document the breach, who should be contacted when a breach is discovered and how to prevent reinfection.

●     Provide information on the breach

In your communication with patients, you’ll want to preserve as much trust as possible. Therefore, you need to be transparent with the affected individuals and inform them of how the breach occurred, whether the affected data can be accessed and how you’ll make sure it never happens again.

●     Inform local media

You are legally required to inform local media if the breach affects more than 500 patients which can be a serious issue in terms of lawsuits and reputation damage. The best approach for this is to be as prepared as possible for the event of a breach so you can communicate effectively all the steps the company takes to avoid leaks and what steps you will be taking to improve your security going forward.

How to manage liability and potential lawsuits

Last year, 43/58 of data breach lawsuits were filed against healthcare organizations. In addition to the huge costs related to loss of data, healthcare companies may then face compensation costs from affected patients.

●     Cyber insurance

Cyber insurance could be a useful investment for healthcare companies as this will help cover the costs should a major breach happen. Be sure to research whether lawsuits are covered before investing in a cyber insurance plan.

●     Review your incident response plan

Your incident response plan can help prove your capability in the face of lost data. Should you be liable to your patients, have everything ready to show you took steps to keep data secure before the breach, e.g. encryption and security training.

Many #healthcare professionals will have robust #security processes in place but issues like the Meta scandal emphasize the importance of regular and consistent data #securityawareness. #respectdataClick to Tweet

Ensuring healthcare data security

In the context of data breaches, prevention isn’t even enough to ensure that data won’t be lost so having plans in place to deal with breaches when they happen is something that every company should commit to. In addition to this, training and awareness for all staff is essential and should be followed at every level in your company.