Lack of Cybersecurity Policies Affected 1.5 Million Patients
SingHealth, based in Singapore, experienced a healthcare data breach that exposed the protected health information (PHI) of 1.5 million patients. The healthcare organization was aware of vulnerabilities in its server but failed to implement cybersecurity policies to address the problem.
SingHealth not only lacked basic protections for its server, it also failed to train employees on cybersecurity. It did not have an incident response plan in place, so employees who detected the cyberthreat did not know whom to report it to. It also failed to implement asset and network management, lacking access logs and multi-factor authentication (MFA). MFA is a means of authenticating individual users through the use of a password in combination with another identifier, such as a security question or a one-time PIN.
The incident may have been avoided, or significantly reduced, if SingHealth had written cybersecurity policies that employees were trained on.
What are Cybersecurity Policies?
Cybersecurity policies are written policies surrounding an organization’s security controls and activities. When drafting cybersecurity policies, healthcare organizations must be aware of the mandates set forth by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires healthcare organizations to secure PHI with technical, physical, and administrative safeguards. The cybersecurity policies implemented at a healthcare organization must incorporate measures to secure PHI.
As discussed in the previous articles in this series, the Department of Health and Human Services (HHS) recommends ten cybersecurity practices that healthcare organizations should implement, including:
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
When creating cybersecurity policies, there should be measures in place to allow for all of the cybersecurity practices listed above. When healthcare organizations have cybersecurity policies in place, the risk of experiencing a data breach is mitigated. Additionally, if a breach should occur, written cybersecurity policies facilitate the quick detection of and response to incidents, limiting the scope of the breach. However, creating cybersecurity policies is ineffective if employees aren’t trained on how to implement them. All employees should be aware of standard security procedures and how to respond to suspected breaches.
This is Part XI of the XI-part blog series. You can also read Parts I to X below:
Behavioral health practices handle protected health information (PHI) regularly and, as such, must take precautions to safeguard this sensitive information. The Department of Health and Human Services (HHS) recommends ten practices that anyone handling PHI needs to implement, the eleventh of which is cybersecurity policies. (Each of these XI HIPAA-outlined practices is examined in its own article, labeled Part I-XI for your convenience.)
- Phishing Emails and Why Encryption Software is Warranted
- Using Clinical Email (Part II): Secured Email Protection Systems
- Securing your Network (Part III): Endpoint Protection Systems
- Limiting PHI Exposure (Part IV): Access Management
- Data Protection (Part V): Data Loss Prevention
- HIPAA Asset Management (Part VI)
- Network Management (Part VII)
- Vulnerability Management (Part VIII)
- Incident Response (Part IX)
- Medical Device Security (Part X)
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individuals.