The average cost of a healthcare data breach in the United States is $15 million dollars. The United States experienced more than 40,000 security incidents and 2,000 documented data breaches in 2019 alone, more than 15% of which were in healthcare organizations. This amounted to more than 40,000,000 individuals being affected by healthcare breaches in 2019. These numbers are staggering and pale in comparison to the cost of maintaining your IT infrastructure in an effort to mitigate known risks.
While it is always important for the healthcare industry to be in compliance with the Health Insurance Portability and Accountability Act (“HIPAA”), now more than ever it is imperative that systems no longer run Windows 7. HIPAA’s security provisions and data protections are among the most stringent technology regulations in the US, and the fines for HIPAA violations can be debilitating. Even in times of worldwide uncertainty, criminals do not stop seeking protected information from unsuspecting data handlers. Projects geared toward replacing Windows 7 should continue at all due haste.
As of January 14, 2020, Microsoft no longer offers support for the Windows 7 operating system, which means those systems no longer receive software updates, technical support, and—most importantly—security updates for known vulnerabilities. In order for healthcare organizations to protect sensitive patient data on their systems, they must upgrade legacy Windows 7 systems.
It is an extreme risk for healthcare organizations to continue running Windows 7 on their systems. The lack of security updates on these systems exposes the organization to vulnerabilities that could lead to security breaches. This is a risk that healthcare providers should not ignore, as fines for HIPAA violations can be as much as $1.5 million annually for HIPAA violations.
A data breach is a security incident in which protected information (including protected health information) is accessed without authorization. Protected health information is anything that relates to the past, present, or future physical or mental health or condition of an individual. This includes name, date of birth, credit card numbers, social security numbers, address, any diagnosis information, health plan numbers, and even extends to identifiers such as IP addresses.
The world is currently undergoing a global pandemic that has healthcare providers scrambling to provide necessary care to affected individuals. These extreme circumstances do not mean criminals will offer a reprieve from seeking to steal data. Adding a data breach and corresponding incident response to an already strained organization could be detrimental to the lives of its patients it is so desperately seeking to protect.
Ask yourself this: can your organization afford to ignore the risk?
