Ransomware, Phishing Attacks Expose a Wealth of Data

A report from Clearwater sheds light on the continued risk careless users pose to healthcare data security, including exposed endpoints, susceptibility to phishing, and improper access.

Hacker attacks, IT mishaps and vendor errors are among the top causes of the largest health data breaches added to the official federal tally so far this year.

A ransomware attack on the operator of non-profit clinics that serve the uninsured in St. Louis led to the breach of information on 152,000 patients, clinicians and employees.

Recent health data breaches involving phishing schemes are reminders of the persistent threat email-related scams pose to healthcare organizations – and the urgent need to mitigate that threat.

What should healthcare organizations know about complying with the breach notification and data security requirements of New York’s SHIELD Act? And how does the new law compare with HIPAA? Jon Moore, chief risk officer at consulting firm Clearwater, explains.

Servers appear to be the Achilles heel of healthcare organizations’ data protection efforts. About 54 percent of all individuals affected by an information breach of a healthcare organizations were impacted by a breach involving that organization’s server, according to data on the breach portal of the Department of Health and Human Services’ Office for Civil Rights, culling security incidents from June 1, 2018, to May 31, 2019. A report this summer from Clearwater’s CyberIntelligence Institute says that, of the breaches in the previous 12 months, 90 healthcare breaches affecting more than 9 million individuals, were related to servers in some way.

Cyber risk management is not an “IT problem”; it is an enterprise risk management matter that can be harnessed into a business enabler.

Reporting requirements of New York’s SHIELD Act go into effect on October 23; healthcare organizations that collect or use personal or private data from state residents will need to be in compliance.