For the bankrupt Morehead Hospital, a successful cyber attack could not have come at a worse time. Two weeks after declaring bankruptcy, Morehead now owes up to $1.5 million for HIPAA violations.
It isn't only bad when you're already dealing with a bankruptcy: for small and medium-sized organizations, a cyber attack can be what tips the organization into financial distress.
With ransomware attacks on the rise, healthcare organizations are a prime target for cybercriminals.
Criminals know the sector holds the most valuable data and faces the highest fines, which makes victims more willing to pay to make problems go away; on top of that, the industry is among the weakest defenders because it has historically under-invested in IT infrastructure.
This is especially true in the United States, where providers hold not only personally identifiable health care records (which could be used for extortion) but also financial information linked to name, address, birth date and Social Security Number.
In 1996, the U.S. Department of Health and Human Services implemented the Health Insurance Portability and Accountability Act of 1996, commonly referred to as HIPAA. This national standard is pushing health care organizations to prioritize the security of their information.
In the United States, if you're responsible for compromising healthcare records there are hefty fines. HIPAA applies to any organization that has access to identifiable personal health care information, including Health Plans, Health Care Providers, Health Care Clearinghouses and Business Associates (an individual who provides services to an entity with identifiable health care information).
From 1996 to 2009, the fines were relatively low: a maximum of $100 per violation, up to $25,000 for the year.
For violations after 2009, the fines have increased significantly. The minimum per-record violation is now $100 and can range up to $50,000 per health record.
That's exactly twice the previous yearly cap, per violation. Organizations can face up to a yearly maximum of $1,500,000 in fines for a breach.
So what exactly does it take to be hit with this kind of fine?
Well, Morehead Memorial Hospital was taken down by two compromised employee e-mail addresses.
That means that out of a staff of a little less than 100, only two had fallen victim to a phishing scam. That was enough for personal information belonging to about 66,000 individuals to be breached.
The timing couldn't have been worse; the breach occurred two weeks after they declared bankruptcy, which brings a whole other level of financial liability into play.
How can organizations of any size combat that kind of attack?
By building a culture of security.
Healthcare doesn't have to develop a new mindset for dealing with cyber: it has already nailed down the importance of hand washing to prevent hospital-acquired infections. The task is to take that same proactive mindset and apply it to online processes.
- Educate staff on common social engineering tactics.
- Like a flu shot, immunize your staff through training procedures.
- Have an incident response plan and practice it regularly.
- Test backups regularly.
An informed and empowered community makes all the difference.
Contributed by Kathryn Chamberlain. Kathryn is a business development officer at Beauceron and a Venture for Canada fellow. Kathryn holds an honours Bachelor of Commerce with a minor in Mathematics from Mount Allison University ('17). Her research interests include organizational behaviour and culture. She can be found on Twitter @_kachamberlain.
Image courtesy of Fort Rucker / Flickr. Used under Creative Commons License.