Every month I compile a list of health care data breaches and HIPAA violations. These lists are not comprehensive, and I no doubt miss a few stories, but they serve as a stark warning to health care organizations that they need to treat information security as a priority.
Now, a new KPMG report (Health Care and Cyber Security: Increasing Threats Require Increased Capabilities) confirms that there’s a lack of cybersecurity investment in the health care industry. According to the report, 80% of executives at surveyed health care providers “say their information technology has been compromised by cyber-attacks.”
The top information security concerns reported to KPMG, by share of respondents, were:
- Malware infecting systems – 67% of respondents
- HIPAA violations/compromise of patient privacy – 57%
- Internal vulnerabilities (employee theft/negligence) – 40%
- Medical device security – 32%
- Aging IT hardware – 31%
Health care industry “behind” other industries
The report continues:
“In terms of technical capabilities, the healthcare industry is behind other industries in protecting its infrastructure and electronic protected health information (ePHI) – as commonly seen in the use of outdated clinical technology, insecure network-enabled medical devices, and an overall lack of information security management processes.”
The report concludes that investment in cybersecurity “has not resulted in adequate security in many areas.”
Michael Ebert, KPMG partner and healthcare leader at the firm’s Cyber Practice, comments that the “spending rate is probably underinvested considering that the threat to an organization has increased so much.”
The Health Insurance Portability and Accountability Act (HIPAA) and ISO 27001
Health care organizations are bound by the Health Insurance Portability and Accountability Act (HIPAA), whose Administrative Simplification rules cover covered entities and, since the HITECH Act, their business associates: the Privacy Rule regulates the use and disclosure of Protected Health Information (PHI), and the Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI). HIPAA covered entities that are concerned about data security should implement an information security management system (ISMS), as specified by the international best-practice standard ISO 27001.
By virtue of its all-inclusive, risk-based approach, ISO 27001 encapsulates the information security elements of HIPAA by providing an auditable ISMS designed for continual improvement. Note that ISO 27001 certification is not in itself a HIPAA compliance determination: a covered entity still needs to map its ISMS risk assessment and controls to the Security Rule’s standards and implementation specifications and retain the documentation that the HHS Office for Civil Rights (OCR) expects to see in an audit or breach investigation.
Because the same ISMS evidence (risk assessment, documented controls, internal audit, and management review) is what most other security regulations and frameworks ask for, companies that achieve ISO 27001 registration often find that much of the work required for those frameworks is already done. In addition, the external validation offered by ISO 27001 registration is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.
IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $600.
Civil monetary penalties (CMPs) for HIPAA violations can be as much as $50,000 per violation, up to an annual maximum of $1.5 million for all violations of an identical provision (a single breach can involve multiple violations, so the exposure scales with the number of affected records). Criminal penalties, for the most serious tier of offenses (obtaining or disclosing PHI with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm), can incur fines of up to $250,000 and up to ten years’ imprisonment.