ORLANDO, Fla. — Securing protected health information is increasingly difficult for EMS organizations in a hyper-connected world. At the Pinnacle EMS conference, Tiffany Holman, MSHLP, director of privacy and corporate responsibility for AdventHealth, described types of malware and ransomware attacks, how organizations become vulnerable to an attack, and the steps EMS leaders and paramedic chiefs need to take to protect data, respond to an attack and recover from a data breach.
Healthcare, local government and public safety agencies are a lucrative target for hackers. Most health information data breaches in recent years haven’t been the work of external actors. Instead, they have been caused primarily by mistakes or security lapses from within healthcare organizations. In a study of more than 1,100 breaches over eight years, more than half were triggered by internal negligence of hospitals, healthcare providers, insurers and other owners of patients’ protected health information (PHI).
Holman described an experience her organization had after a malware attack and data breach to illustrate the importance of policies, reporting to federal and state authorities, and the importance of forming and activating an incident response team. She also discussed the vulnerabilities present in the computers and mobile devices, personally owned devices, and medical devices EMS leaders and providers use every day.
Memorable quotes on privacy and data security
Holman is a passionate advocate for the privacy of protected health information and data security. Here are four memorable quotes from Holman’s presentation:
“The majority of malware attacks are on small businesses. Regardless of your size, no organization is safe.”
“A government (Office for Civil Rights) audit is not the time to create policies. Send them what you have.”
“The cost of a data breach for a healthcare organization rose to $408 per patient in 2018.”
“You would be shocked about how many stories I have heard of organizations failing to remove access to PHI of employees that have been terminated.”
Top takeaways on data security in EMS
Recovering from a malware attack or other type of data breach can take six months or more and is likely to cost an organization $1 million or more. Here are six top takeaways on how to improve privacy and data security in EMS.
1. Know if you have had a breach of privacy information
Holman started by distinguishing malware from ransomware and then described how to conduct a breach assessment. The recommended steps include a risk assessment of:
- The nature and extent of the PHI involved
- Whether an unauthorized person was involved
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
2. Don’t pay the ransom
Though many organizations have paid the ransom after a ransomware attack, the FBI recommends against paying. If an organization is subject to a ransomware attack, Holman recommended contacting law enforcement and the organization’s legal counsel as the initial steps.
3. Follow federal and state notification procedures
Holman described the Office for Civil Rights reporting and audit process. She also reminded attendees that every state has different rules for notifying regulatory agencies, communicating the breach to consumers, and auditing or investigating the breach.
4. Data breaches are expensive
A data breach causes direct costs of $408 per patient record, as well as indirect costs, such as damage to an organization’s reputation. Organizations that contain a data breach within 30 days save an average of $1 million. Holman also pointed out that organizations that had extensive security controls in place before a breach saved an average of $1.5 million. It’s important to have policies and security controls in place, and a plan for quick response if a breach is suspected or known to have happened.
5. Conduct data security training
All personnel should receive training in the organization’s data protection policies and practices. Holman specifically described training and tips to recognize phishing, spear phishing and whaling – a type of phishing that specifically targets C-suite executives and celebrities. Holman gave attendees these tips for identifying phishing attempts:
- Spelling and grammar errors
- A sense of urgency and/or threatening language
- A request for personal or company information
- Suspicious links or attachments
- An unexpected email, or unexpected information it contains
6. Cyber handwashing prevents PHI compromise
Be proactive in preventing a data breach. Important cyber handwashing steps described by Holman are:
- Back up all data
- Install software patches regularly
- Conduct phishing tests, especially of senior leadership
- Force password resets every 3 to 4 months
- Encrypt all devices that hold sensitive information
Learn more about privacy and cybersecurity
To learn more about the importance of privacy and data security, read the articles in the Fitch & Associates Leadership Edge column on EMS1, as well as these articles:
- Why cybersecurity is important for EMS leaders
- 5 questions you should ask about your mobile devices
- 5 no-cost cybersecurity solutions for civic IT
- Top 10 cybersecurity practices for EMS agencies
- Cybersecurity in the EMS workplace
- How EMS computers are vulnerable to cyber attacks
- EMS leaders should expect, prepare for cyberattack