Data Breach Lawsuits on the Rise: Is Your Healthcare Organization Prepared?

In addition to the rise in cyber attacks against hospitals and health systems, another alarming trend is the rise in lawsuits against healthcare organizations following a breach. Some recent examples include:

• Northern Light Health is facing a class-action lawsuit for the Blackbaud breach that affected over 650,000 people (about half the population of Hawaii). This was a global attack targeting the fundraising platforms of over 25,000 organizations. 
  
  
• Two patients filed a lawsuit against Hackensack Meridian Health alleging the health system failed to protect their information from a ransomware attack.
  
  
• Scripps Health is facing a class-action lawsuit for the malware attack that compromised their system’s network.  Plaintiffs are alleging that Scripps failed to properly secure and protect patients’ health information and now face a lifetime risk of identity theft.

While these are some of the higher-profile lawsuits in the industry, organizations of all sizes are facing legal action for data exposure. Lawsuits stem from HIPAA (Health Insurance Portability and Accountability) violations and internal mismanagement of medical records, as well as external attacks. 

Even a small mishap can lead to millions of dollars in damages. To protect their organization, assets, and privacy of their patients, healthcare organizations need to do everything they can to strengthen their cybersecurity posture. 

Protecting your healthcare organization from a lawsuit

As cyber criminals use increasingly sophisticated tactics to access data, it’s vital for healthcare organizations to prevent data breaches by prioritizing cybersecurity. Smart strategies include:

Penetration testing

The first step in preventing breaches and lawsuits is assessing your organization’s security posture. A simulated attack is one of the best ways to do this.

During a penetration test, ethical hackers use both manual and automated techniques mimicking real-world threat actors to demonstrate the impact of successful exploitation of vulnerabilities and misconfigurations of your organization.

This can prove the efficacy of an organization’s ability to prohibit access to your organization’s network, databases, and endpoint devices. The cybersecurity firm then generates a report detailing how the hackers achieved their objectives and what your IT team can do to prevent real-life attacks.

Security awareness training

The reality is that one internal slipup can lead to a data breach, and later, a lawsuit. Mishandling of ePHI and other sensitive information is a significant risk.

Healthcare organizations need to train employees on HIPAA (Health Insurance Portability and Accountability) compliance, patient privacy, email security, password management, and incident response.

Update training modules regularly to reflect current best practices. Cybersecurity is everyone’s responsibility and user training fosters a culture that echoes and enforces that sentiment.

Encrypt sensitive data

If a threat actor gets their hands on patient data, you want to limit what they can do with it. This is where encryption comes in. Encrypting data makes it more difficult for hackers to access the information they are seeking, reducing the risk of data exposure.

Third-party risk management

Security is a factor in every step of the healthcare supply chain, so organizations need to select third-party vendors carefully and assess those chosen routinely. Vulnerabilities in third-party tools or services could lead to a breach within your organization.

A proactive third-party risk management program is essential to spotting these vulnerabilities and choosing vendors that prioritize security.

Mature incident response

Avoiding lawsuits does not only require cybersecurity technology implementations. Organizations should also put a clear incident response plan together and test it. This way, you can take the proper measures when a breach does occur.

Acting to address damages timely and efficiently can reduce the impact of a successful breach, facilitate swift and responsible notification of patients and authorities and ensure compliance with regulatory requirements mitigating costly repercussions.

Stay vigilant

Many cyber criminals target hundreds, if not thousands, of healthcare organizations at a time. IT teams should stay up to date with the latest cyber-attacks and learn the signs of these common data breaches. Notifying employees and third-party vendors of these attacks can also be helpful.  

Leverage outside help

The technology and monitoring required to prevent data breaches can be difficult for in-house IT teams to sustain. Often, IT professionals are too focused on keeping the facilities running to prioritize data loss prevention. This is where outsourced IT comes in. 

A healthcare-focused Managed Security Service Provider can be a valuable partner when it comes to improving your cybersecurity strategy and posture. These professionals can monitor networks and endpoints, spot and prioritize vulnerabilities, provide testing and logging, and kickstart incident response. They will also ensure that your team complies with reporting laws in the event of a cyber incident. 

If the protection “to-do” list seems overwhelming, penetration testing can be a cost-effective place to start. For insights on how to get the most out of a penetration test, watch our on-demand webinar, Rethinking Penetration Testing in the Face of Rising Healthcare Breaches.