Although recent hacking incidents in healthcare have targeted large health insurers, including Anthem and Premera, business associates, self-insured companies and even smaller hospitals should be bracing for attacks as well, says Daniel Berger, president and CEO of the consultancy Redspin, which specializes in risk assessments.
Clearly, larger organizations are at greater risk, Berger says in an interview at the HIMSS 2015 Conference in Chicago.
"Hackers are bad guys, but they're good economists," he says. "By that what I mean is it's all about a rate of return." As a result, hackers will target "large data stores of PHI" to maximize their ability to grab information that they can sell, he says.
That's why Berger says larger business associates that have access to huge amounts of patient information should be concerned about hacker attacks. And he contends that many BAs aren't taking enough steps to protect that information.
Another area of concern, he argues, is self-insured companies that store health information about their employees. "They're typically not thinking about HIPAA," he says, but they do need to be conducting risk assessments.
Although organized crime groups and nation-states are primarily targeting the larger organizations, Berger says smaller hospitals are likely to be targeted by individual hackers, "someone working out of their basement who decides, 'hey, this is a pretty good deal. It's easy to get in. I can steal 20,000 ... records and monetize them pretty easily.'"
Lessons from Breaches
An important lesson from recent hacking attacks, Berger says, is that "you can't really leave anything out when you develop an information security program. You've got to be testing not only your internal and external network infrastructure - you've got to be testing your Web applications. And you've got to be training your people so that they're not susceptible to phishing or social engineering type of attacks."
When conducting risk assessments, too many organizations take a narrow view, the consultant argues. "So many people claim to do a HIPAA risk assessment today and it's more like a HIPAA checklist," he says. Instead, they need to evaluate threats and vulnerabilities across the entire organization and then take mitigation steps.
In the interview, Berger:
- Offers an overview of healthcare hacking trends;
- Describes how a long-term, multi-step security process can lower risks;
- Outlines common mistakes in risk assessments.
Berger's company, Redspin, was recently acquired by Auxilio, which is best known for its managed print services to healthcare organizations. Before Redspin, Berger spent 25 years in the global networking industry, holding senior sales, marketing and general management positions ranging from the Fortune 500 to start-ups.