Why is Information Security So Important in Healthcare?

The goal of the healthcare industry has always been to provide quality patient care. To do so, healthcare organizations have invested in state-of-the-art technology and highly-educated personnel, but there’s still one thing that many in the healthcare industry have failed to do: invest in robust information security management programs. In fact, almost on a daily basis, there’s headline after headline reporting of new healthcare data breaches impacting the PHI of hundreds, and often times, millions of patients. This leads us to question: why would someone want to steal healthcare data? Why is it so important that the healthcare industry focuses on information security?

Why Would Someone Want to Steal Healthcare Data?

It’s understandable why a malicious hacker would want to steal financial data. After all, most malicious hackers are after some sort of financial gain. But there’s one critical issue with compromising financial data: card numbers, PINs, account information – it can all be easily changed. When it comes to protected health information (PHI), it’s long-term value makes healthcare data more enticing for malicious hackers to steal and is all the more reason why information security is so important in healthcare.

3 Reasons Why Information Security is So Important in Healthcare

1. The healthcare industry is highly regulated.

The healthcare industry is one of the most regulated industries in America. That’s why we see so many reported breaches in the media and on the OCR’s “wall of shame.” But even despite the HIPAA Security, Privacy, and Breach Notification requirements and various other state laws that require covered entities and business associate to protect PHI, there’s a serious lack of robust information security management programs. In order to provide quality patient care and meet HIPAA requirements, then, covered entities and business associates alike need to heavily invest in the security of their people, processes, and infrastructure as a whole.

2. The healthcare industry is highly dependent on new technologies.

From artificial hearts to mobile applications, the modern healthcare industry wouldn’t be what it is today without advancing technologies. However, as we all know, with new technology that is introduced into an environment, the attack surface increases, and new risks must be accounted for. This goes beyond technologies used in hospitals or other healthcare facilities – medical manufacturers must also take into account the cyber risks associated with their products. For example, something as simple and as medically necessary as an insulin pump, like that of Medtronic, can become vulnerable to a cyberattack and have detrimental effects on a patient’s well being.

3. The healthcare industry is highly reliant on humans.

Week after week, there are reports of data breaches impacting hundreds of healthcare patients, and many of these attacks are the result of human error, such as falling for phishing attempts. Because the healthcare industry relies on humans to provide quality patient care, the risk of experiencing a data breach or security incident becomes much more likely, which is why creating and implementing a robust information security management program must be made a top priority.

It is paramount that covered entities and business associates alike understand why information security is so important to the healthcare industry. To continue providing quality patient care, robust information security management programs must be established and maintained. Want to learn more about how your healthcare organization can meet HIPAA or HITRUST requirements? Need to see if your systems can stand up to an advanced penetration test? Ready to prove to your patients that you can deliver quality patient care? Contact us today.

More Healthcare Resources

Why Would a Healthcare Organization Need a SOC 2?

HIPAA Compliance Checklist: Security, Privacy, and Breach Notification Rules

Business Associate Due Diligence: Lessons Learned from AMCA

5 Ways Business Associates and Covered Entities Can Prepare for HIPAA Compliance

Breach Report 2019 – July

Regardless of the size or industry of organizations, every month there is headline after headline reporting about new data breaches. Whether it’s a ransomware attack, a negligent employee opening a phishing email, or a state-sponsored attack, millions of individuals are impacted by data breaches and security incidents on a regular basis. Let’s take a look at some of the top data breaches that occurred during July and the lessons we can learn from them.

Maryland Department of Labor

What Happened?

On July 5, 2019, officials from the Maryland Department of Labor announced that they had experienced a data breach earlier in April that impacted nearly 78,000 individuals who used the department’s unemployment benefits in 2012 or enrolled in the Literacy Works Information System in 2009, 2010, or 2014. The cause? Malicious hackers gained unauthorized access to the Department of Labor’s systems, allowing them to steal personally identifiable information such as names, Social Security Numbers, and dates of birth. In an interview with The Washington Post, Fallon Pearre, a spokeswoman for the Department of Labor said that “the state does not believe any of the information was misused.”

Lessons Learned

Maryland’s Department of Labor breach is just another example of the dire need for municipal governments to implement robust cybersecurity strategies. When a government entity becomes compromised, critical systems can be shut down and citizens’ livelihoods can be greatly impacted. It is up to city officials to ensure that information security best practices are followed by all employees and that effective cybersecurity policies are in place to locate and remediate any vulnerabilities that can be exploited by malicious hackers.

Los Angeles County Department of Health Services

What Happened?

Yet another municipal government agency experienced a data breach after one of its contractors, the Nemadji Research Corp., fell victim to a phishing attempt. The Los Angeles Times reported that a malicious individual was able to gain access to a Nemadji’s email account that included encryption keys, allowing the hacker to access the PHI, including names, Social Security Numbers, and addresses of nearly 14,600 patients.

Lessons Learned

Like Maryland’s Department of Labor data breach, Los Angeles County Department of Health Services’ also underscores just how important having robust cybersecurity strategies are for municipal governments, especially when it comes to working with third-party vendors. It also points to the need for municipal governments to perform thorough risk assessments of third-party vendors in order to mitigate and risk-rank the potential threats associated with working with third-party vendors.

Northwood – Equipment Benefits Administrator

What Happened?

According to HIPAA Journal, a Michigan-based business associate, Northwood, Inc., reported that it discovered that an employee’s email account had been compromised. After investigating the incident, Northwood was not able to determine which emails were viewed or opened by the hacker, but they did determine that patients’ PHI had been exposed, which included addresses, dates of birth, provider names, dates of service, medical record numbers, patient ID numbers, diagnosis and diagnosis codes, medical device descriptions, treatment information, and health plan membership numbers.

Lessons Learned

It is no secret that phishing attempts are amongst the largest threats to the healthcare industry. Nearly every month, there are data breach reports highlighting new covered entities and business associates that fell victim to phishing attacks. It is paramount that all healthcare organizations, regardless of services offered or size, to implement security awareness training for all employees. When employees know how to effectively identify and report suspicious emails, links, and attachments, they are less likely to fall for the increasingly advanced phishing attacks malicious hackers are so likely to use.

Sprint

What Happened?

In mid-July, Sprint announced that the “add a line” feature on Samsung’s website was breached, putting users at risk for a plethora of security concerns. While the exact number of impacted individuals still remains unknown, the malicious hackers were able to access PII including names, billing addresses, phone numbers, device types, device IDs, monthly recurring charges, subscriber IDs, account numbers, account creation dates, upgrade eligibility, and add-on services.

Lessons Learned

According to Verizon’s 2019 DBIR, web applications are the top hacking vector in breaches. This means that securing web applications must be made a top priority amongst organizations, especially those that handle such critical information like Sprint. To combat the advancing cybersecurity threats facing web applications, organizations should consider undergoing regular penetration tests, like those offered by KirkpatrickPrice, to ensure the security of their web applications.

Capital One

What Happened?

Perhaps one of the most startling data breaches announced this month comes from Capital One, where a malicious user, identified as a Seattle-based woman, Paige Thompson, illegally accessed and downloaded the PII of 106 million Capital One users. According to a statement released by Capital One earlier this week, that data included approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers on U.S. consumers, and roughly 1 million Social Insurance Numbers (SINs) for Canadian credit card customers. Capital One explains that it has been determined that no credit card account numbers or log-in credentials were compromised; however, the investigation is still ongoing. Thompson has since been arrested by the FBI.

Lessons Learned

This massive data breach highlights a few critical takeaways. The first two being the very real risk of insider threats, especially once employees are terminated or resign, and the dire need to implement effective incident response plans to mitigate data breaches and notify effected parties as soon as they are discovered. KrebsOnSecurity reported that Thompson was a former employee of the web hosting company involved and “allegedly used web application firewall credentials to obtain privilege escalation”. However, because Capital One has an established outlet for receiving potential data breach intel, they were able to move quickly and respond to the breach once they learned about it. In addition, this breach underscores just how vulnerable cloud environments are to malicious hackers. While many organizations who migrate their data to the cloud, either out of ignorance or lack of understanding of the technology, believe that their cloud service provider is solely responsible for protecting their sensitive assets, they aren’t. Both the cloud service provider and the entity using the cloud must work together to ensure internal controls are in place and operating effectively.

Update: AMCA Data Breach

While we reported on the AMCA data breach last month, developments continue to arise as more and more organizations come forward to report how their clients have been impacted by the breach. According to  ISMG Network, “At least nine more companies in the last few days have revealed that have been notified by AMCA that the data on a combined total of nearly 1 million of their patients was potentially exposed by a data breach the debt collector discovered on March 21.” The organizations with the highest number of patients impacted includes American Esoteric Laboratories, CBL Path, Inc., Laboratory Medicine Consultants, and Austin Pathology Associates.

Whether it’s municipal governments or a private healthcare collection’s agency, at KirkpatrickPrice, we know that data breaches are only a matter of when, not if, they’ll occur, no matter what industry you’re in. That’s why we’re committed to offering a variety of quality, thorough assurance services to help keep your organization protected. Want to learn more about our services and how they can help you mitigate the risk of experiencing a data breach? Contact us today.

4 Reasons to Start a PCI Audit Right Now

Let’s face it: our society is becoming more reliant on cashless payment systems, from payment cards to contactless pay. With this digital focus, the security of cardholder data is top of mind to consumers. In fact, according to Pew Research Center, “41% of Americans have encountered fraudulent charges on their credit cards.” If your business cannot prove that your services are secure, why would consumers choose to do business with you when there’s hundreds of others who will protect their cardholder data? Has your business been hesitant to start a PCI audit? Let’s discuss a few reasons why you should stop waiting and start a PCI audit right now.

1. Because You’re Required To

The first, and most obvious reason, why you would start a PCI audit is because you are required to. If your business is a merchant, service provider, and/or subservice providers that stores, transmits, or processes cardholder data, including credit, debit, or other payment cards, then you are are required to adhere to the PCI DSS.

When we partner with business on their PCI compliance journey, though, we want their intention to be more than just a requirement. We want to partner with businesses who are committed to securing the cardholder data that they are responsible for. When clients start a PCI audit for the very first time, we often hear, “Do we really have to do this? Why do we have to go through this audit? Will we pass or fail? How can PCI compliance actually help our business?” After a few audit cycles, though, the denial and hesitancy are replaced with appreciation and preparedness. If the only reason why you want to start a PCI audit is to check compliance off on a list, we want to help you get out of the checkbox mentality and fully reap the benefits of PCI compliance.

2. Because Your Brand Depends on It

What are the brands that you use on a daily basis? Where do you shop, eat, or visit? What websites store your cardholder data? If one of the brands you trust had a breach that compromised cardholder data, would you continue entrusting them with yours?

Take Uber, for example. As an app that facilitates 14 million rides each day and stores 91 million users’ cardholder data, it’s crucial to their brand that they demonstrate a high level of due diligence when it comes to data security. Although Uber’s 2016 breach did not compromise cardholder data, the fact that hackers stole other types of personal information (phone numbers, email addresses, names, driver’s license numbers) took a massive toll on the ride-sharing giant’s reputation. If they can’t protect a driver’s license number, how can they protect cardholder data? Even the New York Times pointed out, “The handling of the breach underscores the extent to which Uber executives were willing to go to protect the $70 billion ride-hailing giant’s reputation and business, even at the potential cost of breaking users’ trust and, perhaps more important, state and federal laws.”

Does your brand depend on cardholder data security? Could PCI compliance enhance your brand? That’s just one more reason to start a PCI audit.

3. Because It Opens Up More Business Opportunities

Do you have a major deal riding on the fact that you’ve agreed to start a PCI audit? We hear this often from clients, especially from startups, that haven’t made PCI compliance a priority, but now a game-changing deal depends up on it. This is a clear reason to start a PCI audit, but the benefits go beyond that single deal.

Once you obtain PCI compliance, it can open up bigger and better business opportunities for you. It can give you a competitive advantage over competitors who haven’t pursued this compliance goal yet. It boosts your loyal customers’ confidence. PCI compliance can be incorporated into sales conversation and marketing plans. Why wait any longer to start a PCI audit?

4. Because of Cardholder Data Security

What people, processes, or technology have access to your cardholder data? How many transactions do you facilitate annually? What network segmentation controls do you implement? How many payment applications are in use? What assets could impact the security of your cardholder data environment? These are the types of questions you must think about when considering how you secure cardholder data. Are you doing your due diligence? Or do you need to be tested against the PCI requirements?

Demonstrating your PCI compliance instills trust with your customers, prospects, and business partners. Take the next step in cardholder data security and start a PCI audit.

Need more reasons to start a PCI audit right now? Let our Information Security Specialists convince you. Contact us today.

More PCI Resources

Beginner’s Guide to PCI Compliance

What Type of Compliance is Right for You?

When Will You See the Benefit of an Audit?

5 Ways Startups Can Ensure a Smoother Audit

At KirkpatrickPrice, we’ve been fortunate enough to work with companies of all sizes – from startups to enterprise-level companies. By working with a variety of clientele, we’ve seen many different pitfalls that organizations are prone to, especially startups. As an organization committed to helping our clients get the most out of our thorough information security assurance services, we’ve put together a list of five ways startups can ensure a smoother audit. Let’s discuss.

1. Get C-level Buy-in

While undergoing an information security audit is a highly technical process, it also largely relies on the mentality and intent behind engaging in an audit. Why did your organization pursue compliance? Were you asked by a client to become SOC 1 or SOC 2 compliant? Are you doing it to be proactive and position yourself as a secure organization? Are you just doing it to check an item off a to-do list? If you go into an audit with the mentality that it is just an item to check of a to-do list, you’re already at a disadvantage and most likely won’t reap all of the benefits of compliance. Instead, your C-level executives must understand why the company needs to invest in information security audits and how it can help improve the company as a whole. A large part of this also means that an organization’s C-level executives are involved in the audit process. This means that they don’t merely pass off the engagement to directors or department heads, and they have a clear stake in the outcome of the audit by being the executive sponsor.

2. Assign Someone to Oversee the Project, but Ensure that the Workload is Assigned Appropriately

Audit engagements are no small feat, and for startups in particular, the process may seem even more daunting. That’s why we require organizations to identify an executive sponsor – someone who is responsible for overseeing the audit engagement and serves as the main point of contact for your organization throughout the entire engagement. However, while we feel that having one person overseeing the entire project is paramount, that does not mean that other critical members of your organization should be excluded from the engagement. Often times, you’ll need various department heads to answer questions about policies and procedures or internal controls. This is why our Online Audit Manager (OAM) can help make your audit process even smoother: it allows executive sponsors to assign questions to various people within an organization, preventing one person from being responsible for answering all of the audit questions and helping you distribute the workload evenly.

3. Communicate Regularly

There are a lot of moving parts during an audit engagement, especially if multiple people or teams are involved. Communication must be highly effective and clear to ensure a smoother audit for startups. Major key players in the audit engagement should be communicating on a regular basis. If an auditor hasn’t received required documentation on time, who will ensure that is addressed? If a vulnerability is found and communicated to one person on the team but not another, that could delay the audit process altogether. To prevent delays in your engagement, there needs to be a clear line of communication both within your organization and between your organization and your audit firm.

4. Stay on Schedule

When organizations partner with us to perform their audits, one of the most frequently asked questions we get is, “Can we get our report by X date?” While we are committed to staying on schedule and delivering projects on time, the audit process is a two-way street. If your organization puts off answering questions or providing documentation in the OAM, it will only prolong the engagement. This could be especially problematic for organizations who have hard deadlines for their compliance efforts or deals relying on their audit engagement. Ultimately, creating and sticking to a schedule is absolutely necessary in order to ensure a smoother audit process. For example, this might mean that you commit to answering 20 questions a day to stay on or ahead of schedule. Additionally, our OAM goes a step further to help our clients stay on track by displaying a progress-tracking bar.

5. Utilize Your Auditor and Your Audit Firm’s Resources

When choosing an audit firm, startups need to be sure to work with a firm that does more than provide audits: they need to choose a partner and someone who will guide them every step of the way throughout the audit engagement. Feel like you don’t know how to remediate vulnerabilities? Consult with your auditor on remediation strategies. Not sure what your auditor is requiring or what is being asked of you to provide? Your auditor should be able to provide clarification and company resources to reference. If you want to ensure a smoother audit, be sure to utilize your auditor and your audit firm’s resources.

Startups who invest in information security audits are doing what’s necessary to position themselves as secure entities, and we want to make sure that they get the most out of that investment. Let’s talk about how we can help you ensure a smoother audit process. Contact us today.

More Resources for Startups

How to Lead a Cybersecurity Initiative

You’re a Target for Cyber Attacks No Matter Your Business Size

What Type of Compliance is Right for You? 10 Common Information Security Frameworks

5 Security Pitfalls That Startups Should Avoid

When an entrepreneur sets out on a new business venture, there’s typically many things to take into consideration and many pitfalls to avoid. How will you raise the capital needed to get the company off the ground? Who will be a part of the team? What can you do to ensure that your products or services are ready for market? While all of these considerations are critical to the success of a startup, there’s also many pitfalls that startups must avoid, especially when it comes to information security. At KirkpatrickPrice, we believe that those pitfalls boil down to five key areas.

Not Investing in Information Security from the Start

When we say “invest in information security,” we’re alluding to two things: a personnel investment and a financial investment in a robust information security program. We often emphasize the importance of establishing a culture of compliance from the start, and this especially applies to startups because of their limited number of personnel. If an organization has five employees and only one of those employees advocates for the need to implement a robust information security program, chances are, it won’t be made a priority. If all of the executives or members of a startup are on board with information security from the start of the company, there’s a greater chance for a startup to mitigate the risks they’re faced with and, ultimately, become a successful, secure business.

Failing to Create and Implement Effective Policies and Procedures

For startups who don’t invest in information security from the start, they’ll often experience a domino effect that leads to other pitfalls. In many cases, this means that startups will fail to create and implement effective policies and procedures. But here’s what startups must understand: robust documentation of information security policies, standards, and procedures is one of the hallmarks of an effective information security program. Startups may think that because their organization is so small, they don’t need policies and procedures because they know who is taking on what responsibility. If a startup wants to position itself as a secure entity, then they must be sure to create and implement effective policies and procedures.

Not Securing Work Spaces

Many startups are now relying on shared or coworking spaces, or even have their employees working remotely full-time. What many startups don’t take into account is the information and cybersecurity risks that come with working in coworking spaces or remote environments, and they often neglect to train their employees on best practices for working remotely.

Not Establishing Effective Business Continuity and Disaster Recovery Plans

According to the Verizon 2019 Data Breach Investigations Report, 43% of small businesses experience cyber attacks. This means that no matter which industry you’re in, there are sensitive assets that can and will be stolen by malicious hackers, so startups must make it a priority to establish and practice effective business continuity and disaster recovery plans. What would happen if a natural disaster impacted your startup’s service offerings? What if an unauthorized individual compromised your network via a phishing attempt and held your organization’s sensitive data for ransom? Would you be able to recover?

Not Planning for the Future

It’s every entrepreneur’s dream to have a successful business, but when startups fail to plan for the future and don’t understand how they need to scale their information security program as their needs and risks evolve, they become more likely to experience data breaches. In other words, an information security program at the start of a company should not be the same information security program ten years later. When developing a business model then, startups must take into account how they plan to scale their business and how their information security program will evolve over time.

Startups are faced with enough challenges during the first years in business. Don’t let information security be one of them. Learn more about how you can avoid these pitfalls by contacting us today to speak to one of our Information Security Specialists or to learn more about how our services can help you ensure the security of your business.

More Resources for Startups

How to Lead a Cybersecurity Initiative

Top 4 Information Security Concerns for Shared Working Spaces

You’re a Target for Cyber Attacks No Matter Your Business Size

Getting Executives on Board with Information Security Needs