HIPAA Journal published their list of the largest Healthcare Data Breaches for 2020 and it shows a troubling trend over the past 10 years. In 2010, there were 199 reported breaches. That number increased to 616 reported healthcare breaches in 2020. These numbers are on the conservative side because they only include breaches of more than 500 records. Healthcare organizations are only legally required to announce a data breach at this amount.
We can only imagine, how many breaches occurred with healthcare organizations that were under 500 records?
A number of the listed healthcare organizations were affected by a data breach at their software service provider, Blackbaud. The ransomware attack affected approximately 8 million records. This type of risk shows how critical it is to verify all appropriate security protections are in place before engaging with a provider of services. Blackbaud’s ransomware attack affected more than the healthcare industry, they also provided services to educational institutions that fell victim to data loss. To put this into perspective, Blackbaud had to navigate the Health Insurance Portability and Accountability Act (HIPAA) and Family Educational Rights and Privacy Act (FERPA) requirements—both of which have strong policies to protect Personally Identifiable Information (PII) and Protected Health Information (PHI).
The Takeaway
In today’s digital age, we must recognize how quickly technology is being integrated into healthcare organizations. As in most industries, healthcare organizations are deciding to offload managed services to better serve their patients.
Unfortunately, proper due diligence is not considered when deciding what service provider will be used. The cost typically becomes the biggest factor when deciding on the preferred provider, whereas it should be a combination of risk posture and tolerance in addition to the cost.
Additionally, when negotiating with service providers, healthcare organizations need to ensure that an initial security impact analysis will be performed and assessed periodically. This will make sure that the organization is properly maintaining all security-related controls and that new risks have not been introduced since the prior assessment.
If you have questions about cybersecurity and how to safeguard your organization, contact us. Slate Enclave is the trusted partner for custom security solutions, tailored to your business. Our team performs audits for organizations to determine where their security systems are deficient and how to mitigate these deficiencies.