You've probably heard of the major healthcare breach that happened last February and has been in the news since. You may have even been affected by it. What you may not realize, though, is that it's since become the largest healthcare breach in US history. In late October, multiple news outlets reported that the breach has now impacted 100 million Americans. Think about that. That's nearly one-third of the entire US population.
Even if you weren't directly affected, chances are you know someone who was. So, what can we learn from this? If you're a leader at a hospital or other healthcare organization, this historic breach offers valuable cybersecurity lessons we should all pay attention to.
What We Can Learn from the Breach
Now, as months have passed since the incident and we know more about what happened that fateful day, we can look back and see what went wrong. What could have been done differently? Here's what we can learn.
1. Use Multi-Factor Authentication: Hackers infiltrated the healthcare service provider's systems through a user account that didn't enable multi-factor authentication (MFA). In other words, this breach was completely preventable. If you're a healthcare leader, you might worry that getting all your staff and users to adopt MFA is tedious or too complex. That's far from the truth. Implementing MFA is relatively simple. Most IT systems already support it, and you can roll it out in phases, starting with your high-risk users and critical systems.
2. Implement a Baseline of Cybersecurity Best Practices: The lack of MFA on a user account highlights a broader issue: the organization was missing basic cybersecurity protections. Given that data breaches cause more financial damage in healthcare than any other industry, this oversight is inexcusable. The industry is clearly a target for hackers, making it essential to have a baseline of cybersecurity practices in place. So, what can you do? Start with the essentials. Regularly update your software and systems, encrypt sensitive data, and train employees to recognize phishing attempts. When combined with MFA, these practices create a strong foundation to protect your organization from cyber threats.
3. Protect Critical Vulnerability Points: The lack of a basic cybersecurity feature like MFA suggests the organization likely didn't have a strategy to protect their systems in general. So, once you've implemented baseline cybersecurity practices, it's time to go deeper and identify the biggest weaknesses in your defenses. Not all systems are equally at risk. Focus on those that handle sensitive data, like patient records or claims processing, which are prime targets for hackers. If you're unsure where to start, conduct a risk assessment to pinpoint your most vulnerable systems. Then, prioritize these areas for additional safeguards, like encryption, monitoring, and extra access controls. Strengthening these high-risk points better prepares your organization to withstand cyberattacks.
4. Act Fast to Contain the Fallout: It's easy to fall into the trap of thinking, "A cybersecurity breach will never happen to us." The danger of this mindset is you may neglect to prepare an action plan for potential incidents. What would you do if your organization were breached? While the impacted healthcare service provider did announce they were experiencing a "cybersecurity issue" on the day of the incident, it took their parent company eight days to confirm it was a ransomware attack. In the meantime, ripple effects were felt across the industry. Payments and claims were delayed, some patients couldn't access their prescriptions, and others had to pay out of pocket. The lesson here is to be prepared. Develop an incident response plan that includes rapid breach assessment, stakeholder notifications, and timely communication with partners and regulators. Acting swiftly can help mitigate damage not only for your organization but also for the broader healthcare ecosystem.
Choose Your Healthcare Partners Wisely
With the breach impacting around 100 million people, the healthcare service provider was a key player in our healthcare system. They linked hundreds of thousands of doctors and hospitals to payers, making their cybersecurity failures all the more damaging.
When selecting a healthcare partner, prioritize those that take cybersecurity seriously. How can you identify them? Look for certifications like HITRUST, SOC 2, ISO 27001, PCI DSS, and NIST CSF, which demonstrate a strong commitment to security and protecting patient and client data.
In your search for a reputable partner, shortlist those that have case studies of their success and train their employees on cybersecurity. Since human error remains one of the leading causes of breaches, a well-trained staff is a vital line of defense.
Protect Your Organization, Patients, and Reputation
A security breach can be disastrous for any healthcare organization. Not surprisingly, the large healthcare service provider is still grappling with the fallout from the February incident. They've lost customers, faced dozens of lawsuits, and their reputation may be permanently damaged. Don't put your business at risk of suffering similar consequences. Protect your organization by adopting robust cybersecurity practices and partnering with organizations that take security seriously. If you're looking to optimize your revenue cycle, GeBBS may be just the partner you need. We don't just excel in revenue cycle management; we also prioritize cybersecurity. We hold all the certifications and have implemented all the practices mentioned in this article, so you can sleep soundly knowing your data is safe. Contact us today to improve your cash flow, reduce denials, and streamline your revenue cycle.