Hackers love protected health information (PHI). Health records contain a trove of highly saleable information that can fetch high prices on the dark web.
Enlance Health found that in the past two years alone, over 800 security breaches targeting healthcare providers and health plans have been reported to the U.S. Department of Health and Human Services (HHS), exposing the sensitive protected health information (PHI) data of more than 48 million individuals.
One of the largest healthcare security breaches occurred a few weeks ago. Hackers compromised Change Healthcare, a subsidiary of United Healthcare. Company officials sent notices to customers that exposed data could include contact information, health insurance details, medical information like diagnoses and test results, billing and payment information, and personal details like Social Security numbers or ID numbers. The estimated impact of the breach is up to one-third of Americans.
Major healthcare sector cyber incidents in 2024
Recently, healthcare fintech leader HealthEquity suffered a breach. The breach was discovered on March 25 of this year, and per the company, it “took immediate action, resolved the issue, and began extensive data forensics, which was completed on June 10.” HealthEquity assembled “a team of outside and internal experts to investigate and prepare for response.” Its investigation found that the breach stemmed from a compromised third-party vendor account that had access to “some of HealthEquity’s SharePoint data,” a HealthEquity spokesperson told TechCrunch.
Ascension is a healthcare provider that operates 140 hospitals across 19 states. It fell victim to a cyberattack that took down multiple essential systems, including electronic health records (EHRs), the MyChart platform for patient communication, and certain medication and test-ordering systems. The organization disclosed the attack on May 8 and said it is actively investigating it with internal and external advisers, prioritizing patient safety amid the disruption.
Healthcare remains a prime target for hackers. Managed service providers (MSPs) are often a company’s first line of defense when guarding PHI. Cam Roberson, Vice President at Beachhead Solution, has some tips on what MSPs can implement to protect customers in the healthcare vertical.
Measures for MSPs safeguarding healthcare data
Risk assessments: MSPs must perform regular risk assessments to identify potential vulnerabilities and risks to patient PHI. This is an essential part of the Health Insurance Portability & Accountability Act (HIPAA). It helps covered entities and MSPs understand their security posture and identify areas that require improvement.
“The risk assessment process involves several aspects. This includes identifying potential threats and vulnerabilities, assessing the likelihood and impact of those risks, implementing measures to mitigate those risks, and fully documenting this process,” Roberson shares.
Incident response plan: Schools and workplaces have fire, tornado, and active shooter drills. Companies need to have cyber drills or, at the very least, an incident response plan that is ready to implement if a breach occurs.
“MSPs must have an incident response plan in place to address security incidents or breaches,” Roberson says, adding that the plan should outline steps for investigating and responding to security incidents. This includes reporting to the covered entity and affected individuals, as required by HIPAA. An incident response plan is crucial to minimizing the impact of a security incident. It’s also crucial in preventing similar incidents from occurring in the future.
Training and awareness: SmarterMSP.com has continually stressed the importance of training and education as inexpensive and practical tools. In the case of healthcare, they can prevent a company from breaking the law and incurring financial penalties.
“MSPs must also provide training and awareness to their employees on HIPAA compliance and security best practices. This includes training on how to handle PHI and the importance of safeguarding PHI. Also, it includes how to identify and respond to security incidents,” Roberson states. He adds that regular training and awareness programs can help MSPs reduce the risk of security incidents and ensure that their employees are aware of their responsibilities under HIPAA.
Key responsibilities of MSPs in healthcare compliance
Roberson adds that MSPs are critical in helping healthcare organization clients achieve and maintain HIPAA compliance. “But to do this, MSPs must be familiar with the requirements of HIPAA and understand their role in assisting their clients. MSPs must sign BAAs, adhere to the Security and Privacy Rule, perform regular risk assessments, have an incident response plan in place, and provide training and awareness programs to their employees.”
MSPs serve as key partners in helping healthcare organizations maintain compliance and minimize the risk of security incidents. It’s important to remember that protecting PHI is crucial to staying compliant, not only with HIPAA but with other laws as well. Failure to do so can result in hefty fines.