Mitigating the Risk of a Data Breach – How Healthcare Providers Address Sophisticated Hacker Collectives

January 18, 2024 Technology Industry Legal Blog


Modern healthcare providers who utilize cutting-edge technology to obtain, store, analyze, and access patient data can operate with unprecedented efficiency to obtain a competitive edge in the healthcare marketplace. These benefits do not come without a cost – the cost of protecting your business and data from cybercriminals. For a healthcare provider to maintain its competitive edge and safeguard patient trust, it must understand the evolving tactics employed by cybercriminals and take proactive measures to protect Personally Identifiable Information (“PII”) and Protected Health Information (“PHI”) from these malicious actors.

Understanding Cyberthreats

Any healthcare provider that fails to effectively protect PII and PHI may be subject to significant legal liability and exposure. For a healthcare provider to effectively protect itself from cybercriminals, it must understand the specific methods or strategies cybercriminals may use to access the provider’s PII and PHI.

1. Secure Physical Data Storage Devices
While cybersecurity is often discussed in the context of firewalls and encryption, providers should not underestimate the necessity and value of physical security. Data compression and advances in storage capacity mean that the loss of only a few storage devices can expose the PII and PHI of thousands of patients and medical consumers. For example, in Kuss v. American Homepatient, 2020 WL 7406744, at *1 (M.D. Fla. 2020), the physical burglary of only a few hard drives resulted in the purported exposure of 13,709 patients’ PII and PHI and an associated class-action lawsuit against the healthcare provider. Healthcare providers should implement stringent physical security protocols to prevent unauthorized access to patient data and data storage devices.

2. Train Against Phishing Attacks
Slightly more sophisticated cybercriminals seeking to compromise patient data will initiate targeted phishing attacks. For example, in Martinez v. NCH Healthcare Sys., Inc., 2020 WL 8679632, at *1 (M.D. Fla. 2020), the PII and PHI of 63,581 medical consumers was purportedly subject to unauthorized access when several of the healthcare provider’s employees allegedly fell victim to targeted phishing attacks. Specifically, several employees engaged with phishing emails, granting the cybercriminals access to otherwise protected information. Regular training sessions and simulated phishing exercises can sharpen employee awareness, reducing the likelihood of employees falling victim to targeted phishing attacks.

3. Ransomware Attacks
In Desue v. 20/20 Eye Care Network, Inc., 2022 WL 796367, at *1 (S.D. Fla. 2022), the PII and PHI of more than 3.2 million health plan members was purportedly subject to unauthorized access. In Desue, a ransomware attack resulted in the data at issue being held by the cybercriminals. While some healthcare providers pay ransoms to retrieve data held by these cybercriminals, others have opted to refrain from capitulating to demands. Ensuring that data is adequately anonymized and encrypted, and that backups exist, provides prudent healthcare providers with options in the face of ransomware attacks.

Understanding Legal Liability

The digital age offers unprecedented opportunities and formidable challenges for healthcare providers seeking to take advantage of these technologies at scale. By understanding the evolving tactics of cybercriminals and implementing targeted defense strategies, providers can protect patient data and protect themselves from the associated liability. Healthcare providers should consult with competent legal counsel to ensure they are adequately protecting patient data, complying with their statutory obligations, and are minimizing their legal exposure in the event of a data breach.

Unique cyberthreats require specific approaches and subject healthcare providers to varying legal standards. In the event of a data breach, swift and informed action is paramount. Medical providers should seek competent legal counsel immediately to ensure they are adequately fulfilling their statutory notice obligations and minimizing their legal liability.