Healthcare Data Security Statistics that May Surprise You

Have you noticed the influx of Updated Privacy Policy notifications in your inbox?

Companies in the European Union – and any company anywhere with EU customers – are scrambling to meet the General Data Protection Regulation (GDPR) compliance deadlines. It’s just a matter of time before stricter privacy control legislation is imposed in other parts of the world.

The protection of personal data is an increasingly hot topic. With every news report of lost, stolen or hacked data, we all become a little more uneasy. Businesses ramp up their focus on protecting their clients, and customers focus on themselves.

With recent high-profile breaches of protected health information (PHI) at companies like Anthem and Allscripts, consumers are more worried than ever about their personal data being compromised. It seems to be a double-edged sword. Consumers are wary of sharing personal information – financial and health-related data top the list. Yet as patients, we expect health professionals to have complete access to our health profiles and background in order to make critical diagnoses, quickly.

The very nature of this information makes the healthcare industry a prime and profitable target for criminals. As you would expect, data security for the users of our dental and medical practice management software has always been a priority.

So naturally, I was intrigued by the findings of Verizon’s 2018 Protected Health Information (PHI) Data Breach Report. I came across a recent article by Suzanne Widup of Verizon’s Security Research Team summarizing findings from 1,368 incidents within the healthcare sector covering 27 countries. Interestingly…

  • 58% of incidents involved insiders. Whether the motive is financial gain, such as tax fraud or opening lines of credit with stolen information (48%); curiosity, such as looking up the personal records of celebrities or family members (31%); or simple convenience (10%), poor internal controls pose a major threat to an organization.
  • 70% of incidents involving malicious code within the healthcare sector were ransomware infections.
  • 27% of incidents related to PHI printed on paper. Cyber hacking may be in the news, but it seems real breach activity can also be found in the paper trail. Mailed or faxed prescription information, billing statements, copies of ID and insurance cards… these printed documents are commonly mis-delivered, lost or thrown away without shredding.
  • 21% of incidents involved lost or stolen laptops containing unencrypted PHI.

At ABELSoft, our Privacy and Security Specialists are intimately involved at every step of product development and quality control. They champion control and vigilance with internal stakeholders as well as with every software user. Here are several short- and long-term measures suggested by Verizon and by our internal team to lessen the risk of some of these challenges.

a. Full Disk Encryption provides an effective and relatively low-cost method of keeping data out of the hands of criminals.

b. Integrated controls (like ABELSoft’s Authorization Manager, for example) define user roles and access requirements.

c. Documented policies and procedures that mandate routine monitoring of internal access demonstrate a commitment to vigilance and make clear that misuse has consequences.

d. Staff education regarding these policies is critical.

e. Preventive controls for defending against malware installation are key, as is minimizing the impact that ransomware could have on your network.

f. Unfortunately, ransomware attacks will not always be prevented. There are cases where protective technology gets breached and humans get misled. Good backups become the only recourse when preventive measures fail (other than paying the ransom or starting over, which are both unacceptable solutions).

g. Practices should work towards a reduction of paper-based PHI in their environments, and establish a holistic risk management program that protects not only ePHI, but also other sensitive data that they store and process.

As much as we like to think that we have become cyber-aware and digitally vigilant, we know that hackers and sophisticated criminals will try to get past our defenses. We cannot assume that our team members intuitively understand the importance of privacy and security of healthcare data. They must be educated, reminded and monitored to make sure that you remain the reader of cybercrime news reports… and not the subject.

Read the 2018 Protected Health Information Data Breach Report


Going Cloud: Three Common Myths Busted

The more I discuss cloud computing with dental practitioners, the more I recognize that there’s as much disinformation floating around as there are facts you can count on.

Moving to a cloud-hosted model is a big decision. Most companies choose it for business agility and cost savings. But there are drawbacks to consider. That’s why ABELDent now features a hybrid solution: Our practice management software users can enjoy all the advantages while minimizing the risk.

To help you separate fact from fiction and support any level of migration to the cloud, I thought it might be helpful to share the truth about the most common myths:

  1. If our data moves to the cloud, our business will no longer have control over our technology.

    Not so! You still have total control over technology, but your IT department won’t have to worry about constant updates. The time they’re now spending on maintenance and software upgrades will be significantly reduced, allowing them to focus on advancing your organization’s technology and business operations.

    Instead of spending your capital budget on servers, you can think strategically about reinvesting those funds into growth initiatives. (Hmm… what else could I do with those savings?)

  2. Keeping our data on premise is safer than in the cloud.

    Not so! It’s becoming increasingly clear that companies are routinely hacked without ever knowing it. Your practice may have a security expert, or use the services of a third-party professional. However, most companies can rarely assemble a team large enough to triage and respond to the hundreds of possible alerts that come through each day.

    Cloud platforms like Microsoft Azure – our proven choice – are singularly focused on security and built with scale in mind. A dedicated team maintains security at the pinnacle of industry standards, using a wide range of processes and regulatory compliance expertise, to prevent, detect and mitigate breaches.

  3. Corporate spies, cyber thieves and governments will have access to my data if it is in the cloud.

    Not so! This is a top fear about the cloud among many businesses, but it is unfounded. It’s your data, not anyone else’s. You determine access and options, rights and privacy restrictions. Strict controls and design elements prevent your data from mingling with that of other organizations. Physical access to data centres is secured and monitored continuously, and all data centre staff must follow stringent data access protocols.

    A respected provider like MS Azure guarantees that your data will not be mined for advertising or for any purpose other than providing services you have paid for. If you choose to leave the service, you take your data with you.

The more I learn, the more the benefits of cloud computing make solid business sense, especially within the context of our hybrid solution for dental practitioners. As always, we’ve dedicated our development resources to making sure we address the needs, concerns and real-world priorities of our users. Read more about our Best of Both Worlds solution. And please share this with any colleagues who need help separating fact from fiction when it comes to the cloud. It’s good to be on the same page: You’ll save time by not having to argue about these myths.

Once just a Threat to Dental Practices, Ransomware has hit Prime Time!

This is my third blog post about cybercrime – ransomware specifically – and the danger it poses to your dental practice management software and data. Last year, I reported that the security company McAfee had charted a 165% year-on-year increase in ransomware attacks.

I also passed along OntarioMD’s bulletin advising extra vigilance about data security; since then, I had not heard of any specific incident involving this nasty activity. Until the middle of December, that is, when I sat down to watch one of my favourite TV shows. I find Grey’s Anatomy quite informative, as guilty-pleasure TV goes. The episode dealt with a data hostage crisis that shut down all electronic systems, from OR monitors and equipment to ICU life-support systems and code-locked supply closets and exits. The season-ending cliffhanger saw the Chief of Staff and the FBI at loggerheads over negotiating a multi-million bitcoin ransom exchange. Cannot wait for Part 2.

Grey Sloan Memorial’s life-threatening cybercrime makes for great TV, but it is the kind of drama you definitely don’t want or need. Your practice data is your lifeline to the health of your business. Awareness, protection and vigilance are essential for prevention.

FYI, here’s a link to the bulletin offering good advice about how to deal with such a threat and, more important, steps to take to protect your dental practice in the first place. In addition, here are some great security tips I assembled for last year’s post. Always worth repeating!

3 keys to cyber security: protect, detect and respond

Podcast – Technology experts Bill Dungey, IT Manager at Complete Technology Solutions (CTSIT) and Anthony Horvath, VP of Client Services and Operations at ABELSoft Inc. share real life examples about dealing with cybercrime and the loss of access to valuable data.

Listen to this podcast to hear about current trends in cybercrime and discover what makes you vulnerable to hacking and to malware attacks such as ransomware. In addition, Bill and Anthony discuss some best practices for maintaining privacy and security that will help you protect yourself and/or your business.


Pharming and Phishing and Smishing… what next? (re-post)

It seems a week does not go by without news of another hacking incident or privacy breach. Cybercrime is here to stay. I thought it would be helpful to re-post this article from last year to reinforce the importance of cyber vigilance in the practice management arena.

Pharming and Phishing and Smishing… what next?

Three words that did not even exist a couple of years ago – at least not spelled like this – are now mainstream threats. They’re right up there with spam and scams, spoofing and spyware, hacking and botnets, malware, viruses, worms, ransomware, Trojan horses and, yes, WiFi eavesdropping.

I’ve already written about some of these types of cybercrime in this space, in particular the ones that have been known to affect small businesses with big sensitivity to database privacy, like dental practices.

But online fraud is everywhere. I used to think that it was only the naïve, non-digital-savvy individuals who got themselves duped with such schemes. No longer. Hackers and scammers are getting more and more sophisticated. Consider the recent spate of official-sounding telephone calls directing taxpayers to a spoofed Canada Revenue Agency website to pay re-assessed taxes – that ploy would make most of us sit up and take notice.

So when I came across the Get Cyber Safe website sponsored by Public Safety Canada, I double-checked to make sure it was legit. The site is part of a national public awareness campaign around Internet security and online protection. It is full of great information and advice, from tips to safely dispose of your tech devices to precautions to take when an employee leaves your company. There’s even a downloadable Get Cyber Safe Guide for Small and Medium Businesses and a self-assessment tool that could be quite handy resources.

www.getcybersafe.ca

Even if you don’t have time today to check out this site, at least bookmark it for future reference.

We all need to learn to be skeptical – even if it’s against our nature. We must learn to detect fraud and protect ourselves, our businesses, our patients, our employees and our families from becoming victims of cybercrime.

Ps: I had to look up ‘smishing’: it is ‘phishing’ for private information using SMS (texting) rather than email.

Blissfully Exempt from Disaster (today, anyway) but Always Backed Up Just in Case

Here we are between Canadian and American Thanksgiving festivities. I must say, I am thankful every day to wake up exactly where I do. For many reasons, but mostly right now for the reliability of our weather patterns.

It is heartbreaking to watch the wrath of Mother Nature unfold on the news, seeing homes buried in mudslides or people wading through waist-deep flooded offices. Hurricanes and wildfires, tornadoes and volcanoes. Homes, businesses, highways and entire communities demolished… it seems to be increasingly frequent and alarmingly closer to home.

When I watch the news coverage of these events, I can’t help but wonder how many dental practices might be affected. I worry about customers who have not yet made the time for official data backup and disaster recovery measures. Like insurance payouts that help rebuild, accurately backed-up data and system files can help turn a potential disaster into a minor inconvenience.

We have a contingency plan in place. Do you?

Ransomware: scarier than ever!

Around this time last year, I posted a blog about a couple of dentists whose practices were endangered by sinister ransomware. I reported that the security company McAfee had charted a 165% year-on-year increase in ransomware attacks.

Clearly, this nasty behaviour has not gone away. It is endemic to the point that OntarioMD issued a bulletin to all physicians using Electronic Medical Records systems to be extra-vigilant about security. They’re seeing an escalating trend in ransomware threats and caution that healthcare professionals in particular are being targeted by cybercriminals.

We passed the warning along to our medical customers and want to also share it with our dental customers. The OntarioMD bulletin contains sound advice about how to deal with such a threat and, more important, steps to take to protect your practice in the first place.

Last year’s post had similar tips. Always worth repeating, though, is the reminder that your practice data is your lifeline to the health of your business. Awareness, protection and vigilance are essential for prevention. Maintaining current data and system backup files off site is one great way to thwart cybercriminals and limit ghoulish behaviour to one night per year.