The Healthcare Hub

How to Prepare for a Healthcare Hack

  • Director Compliance and Enterprise Risk Management, Privacy Official Connie Emery, Director Compliance and Enterprise Risk Management, Privacy Official
Tuesday, December 20, 2016

For hospitals and health systems today, it’s not a matter of WILL my organization get targeted by hackers but WHEN. Nearly 90 percent of healthcare organizations surveyed by the Ponemon Institute for its Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data experienced a data breach in the past two years, and nearly half (45 percent), had more than five data breaches in the same time period.1

If you are a healthcare organization, you need to prepare for responding to a hack. This preparation should include the following:

  • A risk assessment of your organization, including who has access to protected health information (e.g. employees, business associates) and areas where you are vulnerable to an attack (e.g. portable devices such as laptops and smartphones).
  • Training for everyone within your organization on what they need to report (e.g. stolen or lost laptop) and a method for reporting these incidents.
  •  A developed and tested incident response plan that includes:

1. a description of your incident response process including responsible parties

2. a description of your incident analysis and risk assessment process 

3. identification of notification requirements

4. a post-incident analysis and corrective action plan

Just because healthcare data hacking is on the rise doesn’t mean you should just sit back and wait for it to happen to your organization. Be proactive with your data security – audit yourself to uncover areas of vulnerability, determine what data sources are sensitive/valuable, and start with the basics – such as improving the strength of passwords – and work from there toward greater security measures to protect your patients.

Read this case study to learn how Eskenazi Health, a 315-bed hospital in Indianapolis, has improved compliance with the HIPAA Final Omnibus Rule and become better prepared for an OCR audit.



Image Description

Connie Emery

Director Compliance and Enterprise Risk Management, Privacy Official