Hacking financial data is old news—cyber criminals are now targeting healthcare, as Brian Stromberg and David McElroy of Riskonnect report.
We are all aware that it is crucial to protect our financial information from potential hacking, but a new threat is looming: hackers are targeting our health information. According to Bloomberg News, criminal attacks against healthcare providers have more than doubled in the past five years. The Washington Post also reported that in 2013, 43 percent of data breaches were in the healthcare sector, surpassing those in the business sector for the first time in almost a decade. But healthcare organizations are ill-prepared to keep up with the increase in cyber attacks, a Bloomberg Business cyberthreat report revealed in May.
Why are hackers now interested in stealing healthcare records instead of financial records? Because our medical records contain much of the data that makes up our identity (social security number, insurance information, credit card data, address), all of which can be used in identity theft to obtain credit cards, to commit medical insurance fraud, and to reset account passwords. Cyber attacks in healthcare are big business. They cost the US healthcare system $6 billion a year and put millions of patients’ data at risk, according to a Ponemon study.
A 2014 report by the Center for Strategic and International Studies and McAfee estimated that cybercrime costs the global economy a whopping $400 billion annually with a potential of reaching a staggering $575 billion. In the US alone, some 40 million people had their personal information stolen in 2013.
Why healthcare data?
When a credit card number is stolen, banks can quickly cancel the card and reissue another one. But our medical records contain so much more of our identity. This data is so valuable that it is sold on the black market for $20 to $200 for each record. Selling healthcare data is extremely lucrative. It is big business for hackers and extremely costly to healthcare organizations since failing to secure patient data is a violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Healthcare organizations can receive hefty fines since HIPAA violations can cost $100 to $50,000 per incident.
HIPAA is the national framework for security standards and protection of confidentiality with regard to healthcare data and protected health information (PHI). PHI is any information about the health status, provision of healthcare, or payment for healthcare that can be linked to a specific individual and includes any part of a patient’s medical record or payment history.
Like health, we often take PHI for granted until it is in jeopardy. It is imperative that healthcare organizations consider safeguarding PHI to be just as important as providing the best care for their patients, especially since one HIPAA violation could climb into the millions. In addition, the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009, addresses the privacy and security concerns associated with the electronic transmission of PHI through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
Security v privacy
To better understand how to protect PHI, it is important to know the difference between security and privacy. Security refers to a computing system’s level of resistance to threats. Privacy most often concerns the digital collection, storage, and sharing of information and data, including the transparency of such practices. Since patients see multiple specialists, collaboration among healthcare professionals is a vital part of patient care and using a cloud-based platform lets healthcare providers easily collaborate on a patient’s treatment plan.
Internal data breaches of PHI
Many data breaches come from disgruntled or careless employees. Healthcare IT News reports 46 percent of healthcare security incidents were from theft or loss of unencrypted devices in 2014. In healthcare risk management, one way to protect PHI and avoid data breaches is to store your information in the cloud, so that stolen laptops would no longer be a cause for concern.
Another way to safeguard data is to put in place controls of who has access to the patient’s PHI. For example, your organization’s finance department does not need to know the patient’s medical details or treatment plan and conversely, the medical staff does not need to see the patient’s credit card information.
Riskonnect’s cloud-based Healthcare Risk Management Platform is designed for the complete handling of healthcare risk management, quality of care, patient safety, and employee management. Users are given access only to the information they need on a ‘need-to-know’ basis.
The system brings together many disparate operations that traditionally have been supported by individual applications. The Riskonnect Healthcare Platform helps support the reduction of risk and ensures safety processes are in place to provide greater attention to areas that will increase patient safety and improve patient outcomes.
Riskonnect, the provider of a premier, enterprise-class technology platform for the risk management industry, is an independent innovator in risk management technology. Riskonnect develops and markets a growing suite of technology solutions on a world-class cloud computing model that is built on the Force.com platform by Salesforce.com.
Security in the cloud
Perhaps you think an on-site server is more secure than the cloud because you can protect the data, prevent it from leaving the server room, and resolve any issues that arise. Each year, Salesforce invests millions of dollars in the security of its Force.com platform. An individual organization can rarely invest expertise, resources, research and development, and money at anywhere near the level that Salesforce invests. Plus, Salesforce has data centers all over the world to minimize risk should one server be compromised.
If you are serious about your patients’ data, then you need to rethink the way you store, save, and access that data. Security in the cloud is much safer than in-house servers, especially when two innovative technology firms, Riskonnect and Salesforce.com, have teamed up to provide superior security and are always looking at how they can make their security measures even better.
Since Riskonnect is built on the Force.com platform that is provided by Salesforce.com, Riskonnect clients benefit from the tremendous amount of security that Salesforce.com has on Force.com in addition to the security and audits provided by Riskonnect.
Salesforce.com is so committed to securing its platform that it invests more than $825 million each year in security and infrastructure and is the only cloud service provider to achieve the strict Federal Risk and Authorization Management Program (FedRAMP) security authorization as both a Software as a Service (SaaS) and a Platform as a Service (PaaS).
In addition to the Force.com security, Riskonnect also takes security seriously. Riskonnect has earned the International Standards for Assurance Engagements (ISAE) certification, which is an international certification that demonstrates Riskonnect’s commitment to an even higher standard of security and safety of its data and the data of its clients.
As a global leader in the risk management technology industry, Riskonnect chose to seek the highest level of international audit certification available, whereby all of Riskonnect’s processes from end to end are certified as being the safest and most secure as possible. “Security is important to our organization and business model and to the clients we serve in the risk management industry. As a risk management information system leader in the industry, it is important for us to show our clients that we are committed to the highest standards of security,” said Bob Morrell, CEO and co-founder of Riskonnect.
Security within the platform
Riskonnect’s risk management applications have inherent levels of security. First, users must have access to the risk management platform, also called the Org. Once logged in to the Org, users are granted access to certain objects, which represent database tables that contain your organization’s information. Next, users can be granted access to specific records. Finally, there is field-level security, where users can see only the fields pertinent to their role. All of these permissions are managed and maintained by your organization’s designated administrator.
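The four layers described above (Org, object, record, field) and the earlier finance-versus-medical-staff split can be modeled as a chain of checks in which the first failing layer denies the read. This is an added example, not Riskonnect or Salesforce code; every name and value in it is hypothetical and the sample record is constructed.

```python
from dataclasses import dataclass

@dataclass
class Profile:
    org_member: bool      # layer 1: may the user log in to the Org at all?
    objects: frozenset    # layer 2: objects (tables) the user may open
    fields: dict          # layer 4: object name -> frozenset of visible fields

@dataclass
class Record:
    obj: str
    data: dict
    shared_with: set      # layer 3: user ids granted access to this record

def read_record(user_id, profile, record):
    """Return only the fields this user may see, or raise PermissionError."""
    if not profile.org_member:
        raise PermissionError("layer 1: no access to the org")
    if record.obj not in profile.objects:
        raise PermissionError("layer 2: no access to object " + record.obj)
    if user_id not in record.shared_with:
        raise PermissionError("layer 3: record not shared with user")
    # Default deny: a field is hidden unless the role explicitly lists it.
    visible = profile.fields.get(record.obj, frozenset())
    return {k: v for k, v in record.data.items() if k in visible}

def attempt(user_id, profile, record):
    """Return (fields, None) on success or (None, reason) for an audit log."""
    try:
        return read_record(user_id, profile, record), None
    except PermissionError as exc:
        return None, str(exc)

# Constructed roles: finance sees billing fields, clinicians see clinical ones.
FINANCE = Profile(True, frozenset({"Patient"}),
                  {"Patient": frozenset({"name", "card_last4", "balance"})})
CLINICIAN = Profile(True, frozenset({"Patient"}),
                    {"Patient": frozenset({"name", "diagnosis", "treatment_plan"})})
CONTRACTOR = Profile(True, frozenset({"Incident"}), {})

# Constructed sample record, shared with one finance user and one clinician.
PATIENT = Record("Patient",
                 {"name": "Sample Patient", "diagnosis": "sample diagnosis",
                  "treatment_plan": "sample plan", "card_last4": "0000",
                  "balance": 120},
                 shared_with={"fin01", "doc01"})

if __name__ == "__main__":
    for uid, prof in [("fin01", FINANCE), ("doc01", CLINICIAN),
                      ("doc02", CLINICIAN), ("con01", CONTRACTOR)]:
        print(uid, attempt(uid, prof, PATIENT))
```

Logging the denial reason per layer lets an administrator see whether a blocked read was a missing object permission, an unshared record, or simply a hidden field.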
Salesforce has nothing to hide about its performance. In fact, it posts its system performance data and maintenance notices at http://trust.salesforce.com. Riskonnect trusts its business to Salesforce; we run much of our business on the Force.com platform.
With the growing trend of healthcare organizations being targeted by hackers, it is not a matter of ‘if’ your organization gets hacked, but ‘when’. You cannot afford to take risks that put your patients’ data and your organization in jeopardy. Riskonnect and Salesforce together are extremely secure and we take security seriously. Salesforce invests in security and infrastructure like no-one else and ultimately Riskonnect has the expertise in risk management solutions you can trust.
For more information about Riskonnect, visit www.riskonnect.com, or email email@example.com
Brian Stromberg, David McElroy, Riskonnect, US