It was a busy year for the U.S. Department of Health and Human Services Office for Civil Rights. Those are the people responsible for enforcing the rules under the Health Insurance Portability and Accountability Act (HIPAA) and, according to The HIPAA Journal, it was the worst year in healthcare security because of a rash of big data breaches. In a recent article, The HIPAA Journal reported an “unwanted record” that included new highs of 725 large data breaches and more than 133 million individual protected health records (PHI) during 2023.
Ransomware a Common Theme
At the top of a list of the 26 biggest breaches in healthcare The HIPAA Journal says HCA Healthcare of Tennessee suffered a breach of more than 11 million records when “hackers accessed an external storage location that was used to automatically format emails.” At the other end of that chart, 1.25 million records in the care of Nuance Communications were exposed after the Cl0p malware gang exploited the company’s MOVEit managed file transfer software. That theme was common among the biggest breaches as nine of the affected organizations had their MOVEit platforms compromised and 19 of the 26 were breached because of ransomware attacks.
“Across [the MOVEit] incidents, the data of more than 94 million individuals was stolen,” The HIPAA Journal reported. “Many healthcare providers and business associates were affected, and the top three worst affected companies were HIPAA-regulated entities – Maximus, Welltok, and Delta Dental of California and Affiliates.”
No organization is immune to the data breach plague. Hackers are highly skilled, persistent, and determined; and every organization is staffed by human beings, all of whom are prone to making mistakes. But when healthcare organizations are victimized by a cyberattack, the effect is multiplied. That is because the costs are more than double when compared to the average across all industries globally.
Increasing Costs and Mortality
According to the Ponemon Institute’s gold-standard 2023 Annual Cost of a Data Breach Report (underwritten by IBM), the usual financial hit is $4.45 million, but U.S. healthcare organizations can expect to pay $10.93. But beyond merely financial, when a hospital is successfully attacked by cyber threat actors it seems to correlate with a higher instance of negative patient outcomes. In another Ponemon study, underwritten by cybersecurity company Proofpoint, 57% of healthcare providers surveyed reported “poor patient outcomes due to delays in procedures and tests, 50% saw an increase in medical procedure complications, and 23% experienced increased patient mortality rates.”
With so much at stake, it is imperative that healthcare organizations do what they can to minimize the threat of a data breach, and it is our experience that every hospital and healthcare provider we talk to and work with are doing what they can to keep their networks safe. But with so many systems connected to internal and external assets collecting and moving data, it’s difficult to maintain error free healthcare security. It’s harder when your digital supply chain relies on dozens—if not hundreds—of external partners and vendors as is common in the healthcare industry.
Don’t Ignore the Digital Supply Chain
As we recently discussed on the topic of digital supply chain security, few organizations have a strong grasp on their third-party exposure. In fact, a recent study suggests only 13% monitor their third-party cybersecurity risk. Following the attacks on many managed file transfer products in 2023 we had conversations with several of our customers about requiring that all partners with whom data is transferred standardize their MFT products on SFTP for secure transport and PGP for file encryption.
That’s smart. It’s why our secure-by-design Diplomat MFT managed file transfer solution supports SFTP, PGP, and other features that blend strong security with an easy-to-use interface that makes security second nature rather than prioritizing convenience over security. Some of those features are:
- Data capture for complete auditability (critical for proving HIPAA compliance)
- Process automation to minimize the risk of costly human error
- Recipient confirmation and transfer trouble notifications
- Unlimited concurrent job scheduling
- Enterprise grade file capacity
- Multi-factor authentication
Cost Not a Barrier to Healthcare Security
And we invest constantly in product improvement to make sure that Diplomat MFT is the best it can be, testing for vulnerabilities, and adding new features and capabilities. One of the most important security features Diplomat MFT boasts is its price tag. We have always committed to offering Diplomat MFT at an ethical price that ensures cost is never a barrier to investing in good security.
If you are a healthcare organization (or any organization for that matter) that needs a secure way to send, receive, host, and retrieve your most sensitive information, give us a look. You can test our software for free, or we’d be happy to do a live demo with you and answer your MFT questions. And if you do decide to buy Diplomat MFT, you’ll get to experience our industry-best customer and technical support, too. Get in touch. We’d love to talk to you.