In the last few years, Electronic Health Records (EHR) have become the industry standard for data and patient records, nearly replacing paper records. That’s good news; it’s easier for healthcare organizations to collaborate on patient care, back up files, and ensure seamless communication. According to Healthit.gov, 74% of physicians saw better overall patient care after switching to EHRs, and today it has become the standard for hospitals nationwide. Thanks to the digital revolution, all industries, including healthcare, have experienced an explosion of valuable data.
Overall, we can anticipate 44 trillion gigabytes of data in the United States by 2020. Approximately 20 billion devices connect to the Internet, and technology experts expect that number to surge to 30 billion by 2020.
The need for more data centers will also increase as cloud computing expands. With this accumulation of data comes increased risk. The technology that provides medical professionals with fast and easy access to patient information is also a vulnerability that criminals can exploit.
Due to the sensitive nature of patient data, hospitals, and insurance companies are prime targets for cybercriminals. Federal regulations attempt to protect patients by requiring certain standards for storing and protecting records, but many organizations still experience massive data breaches each year.
These breaches not only compromise patient trust and faith in their healthcare providers, but they can also have costly consequences: the average data breach cost in 2017 was $3.62 million. This amounts to $141 per breached record, a small drop from $158 the previous year.
However, cyberattackers are successfully acquiring an increased number of records during each breach. On average, hackers make off with 24,000 records during each incursion.
The total cost of a breach to a compromised enterprise varies, so it is important for information technology officers to understand the potential losses their organization might incur from a cyberattack.
Examples of Cyberattacks in Healthcare
In 2014, Anthem, the second-largest insurer in the United States, was hacked. It was the most significant breach in health care, affecting 80 million records.
The stolen data was not patients’ vitals or other medical information, but it could be used for identity theft. Cyberattackers acquired consumers’ “names, dates of birth, social security numbers, health care ID numbers, home addresses, email addresses, and employment information, including income data.”
Large insurance companies provide the most prominent examples of these breaches, but small and medium-sized organizations are regularly hacked. In 2017, for example, Plastic Surgery Associates of South Dakota was hit, compromising 10,000 patient records. Facility officials notified affected patients and offered $1 million in identity theft insurance.
The attack caused irreparable damage to the care provider’s information network, highlighting the need to back up data to aid in breach recovery. Enterprises must also conduct regular tests to ensure the backups are complete and ready for deployment.
Cyberattackers go after very specific information that’s easy to resell on the black market. If you’re involved with hospital administration, you can’t just sit back and hope that a breach won’t happen to you. 89% of healthcare organizations have been victims of at least one data breach in the last two years. So, what can hospitals do to protect against breaches? Here are 12 tips that can help reduce risks and minimize damages.
- Perform a Security Risk Analysis
HIPAA regulations do not dictate how organizations must secure their data, but they stipulate that effective security measures must always be in place. While the methodology for a data security audit varies by organization, the first step is to clearly define audit objectives, such as justifying the expense of new data security equipment, developing a report for stakeholders, or identifying network weaknesses among hospital units.
The next step is to gather information about your existing network, including hardware and software resources, organizational policies and procedures regarding information handling, legal requirements, and other variables that affect network security.
The audit should conclude with an assessment of what could happen if the network were breached, how likely a breach is to occur, an outline of organizational values regarding information security, and a synopsis of what was learned during the audit. The Information Systems Audit and Control Association (ISACA) publishes a brief guide outlining the background and steps involved in the practical analysis of enterprise security evaluations.
- Understand the Different Causes of Data Breaches
In 2017, 41% of health care data breaches (for both paper and electronic records) were caused by insider error or intentional misuse; however, attackers’ methods change over time.
You can learn the current causes of most data breaches by reviewing publications such as The Association of Corporate Counsel’s Cybersecurity Report, which lists the most common kinds of data security threats along with available resources. Once the most common threats are identified, you must teach staff members how to avoid them.
- Train and Educate Staff
Effective defense against cyberattacks requires a multipronged approach. Hospital leaders must start by developing a data security-conscious culture. Also, organizations should run regular tests and drills that simulate hackers’ methods of breaking into a network. Finally, it’s important to publicly acknowledge staff members who follow appropriate data safety protocols. This encourages other staff members to be mindful of their digital activities. Kaspersky, a leading international data security firm, provides a free resource to help enterprise leaders teach employees about cybersecurity.
- Establish a Policy for Employees Who Bring Their Own Devices
In a 2014 survey of healthcare executives, 88% of organizations allowed employees to bring their own devices. However, it’s important to establish a “Bring Your Own Device” policy that ensures network security. This process begins with establishing device policies mutually beneficial for employees and the organization. The next step is to provide employees with a list of apps that protect devices from malware and other intrusions. Additionally, the hospital IT department must arrange to keep the apps updated. Finally, it’s essential that all employees are aware of the hospital device policy and informed whenever there are policy updates.
- Keep Hospital Devices Bare Bones
Manufacturers frequently ship computers that contain at least one security vulnerability. Many new devices are equipped with “bloatware,” which refers to software that comes pre-installed on the machine but might not be necessary for the purchaser’s needs.
Ensuring that new hospital computers do not contain bloatware is a one-step process: buy computers directly from the manufacturer. For existing devices that contain bloatware, your IT department can perform a clean install on every computer without the unnecessary programs, manually remove unnecessary applications, or use Microsoft’s built-in recovery tool to remove all but factory-installed programs and your proprietary files.
- Set Up Multifactor Authentication
Most passwords can be easily cracked, and valuable data can be stolen in an instant. 54% of consumers use five or fewer passwords, which can make it easier for hackers to gain access to sensitive information. Multifactor authentication can help prevent cyberattacks by adding an extra layer of security.
The security protocol can take several forms, but it simply means confirming a person’s identity using two or more methods. Traditionally, staff members log into their accounts using a password, which is the first factor.
The first step in implementing multifactor authentication is deciding what you need to secure and what you will use as a second identification factor. This can include fingerprint scanning, eye scanning, smart device apps, or other secondary means of accessing an account.
Once you’ve decided, the IT department can install the necessary hardware and software to enable the process.
- Ensure That Devices Are Updated Regularly
New vulnerabilities in operating systems and software appear daily. It’s important to install relevant updates as soon as they become available since these updates typically include security fixes and software patches. This process begins with the hospital IT department or consultancy.
Once the IT department has established a plan for monitoring and updating network devices, the IT executive must review this policy regularly, since the technology in use changes frequently. The IT department must also periodically check that all enterprise devices have been updated correctly.
- Create Regular Backups
A Becker’s Hospital Review article reports that as of 2014, only 42% of hospitals were backing up data, and only 10% of those care providers used off-site storage to ensure data safety. The first step in this process is to evaluate vendors that develop hardware and software for data backups.
Next, the IT department will program the software to back up data according to organizational guidelines. This process may change over time as information storage needs and security demands evolve, so an annual review is required to keep backup systems current.
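The earlier point that backups must be regularly tested "to ensure the backups are complete and ready for deployment" is the part most often skipped. One concrete way to do that test is to write a manifest of SHA-256 hashes when the backup is taken and later verify the restored copy against it, so that missing, truncated or silently corrupted files are reported before they are needed. The following is an added example, not code from the original article; it uses only the Python standard library, and the `demo()` function builds a constructed source tree and a deliberately damaged backup copy in a temporary directory so the check can be seen catching both failure modes.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backup archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, dict]:
    """Record the hash and size of every file under root, keyed by POSIX-style relative path."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return manifest


def verify_backup(backup_root: Path, manifest: Dict[str, dict]) -> dict:
    """Compare a backup (or restore) tree against the manifest taken at backup time.

    Returns a report with the files that verified, are missing, have a different hash,
    or are present but were never part of the manifest, plus an overall pass flag.
    """
    report = {"ok": [], "missing": [], "corrupt": [], "unexpected": []}
    for rel, meta in manifest.items():
        candidate = backup_root / rel
        if not candidate.is_file():
            report["missing"].append(rel)
        elif sha256_file(candidate) != meta["sha256"]:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    for path in sorted(backup_root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(backup_root).as_posix()
            if rel not in manifest:
                report["unexpected"].append(rel)
    # A backup is only usable if nothing is missing and nothing changed
    report["passed"] = not report["missing"] and not report["corrupt"]
    return report


def demo() -> dict:
    """Constructed scenario: three source files; the backup copy is missing one and truncates another."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        bak = Path(tmp) / "backup"
        (src / "records").mkdir(parents=True)
        (bak / "records").mkdir(parents=True)
        files = {
            "records/patient_0001.json": b'{"id": 1, "name": "constructed sample"}',
            "records/patient_0002.json": b'{"id": 2, "name": "constructed sample"}',
            "config.ini": b"[backup]\nschedule=nightly\n",
        }
        for rel, data in files.items():
            (src / rel).write_bytes(data)
        manifest = build_manifest(src)
        # Persist the manifest alongside the backup in practice; here just show it is JSON-serialisable
        manifest_json = json.dumps(manifest, indent=2, sort_keys=True)
        assert json.loads(manifest_json) == manifest
        # Simulate a faulty backup job: one file copied intact, one truncated, one never copied
        (bak / "records/patient_0001.json").write_bytes(files["records/patient_0001.json"])
        (bak / "records/patient_0002.json").write_bytes(files["records/patient_0002.json"][:10])
        return verify_backup(bak, manifest)


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
```

Store the manifest separately from the backup media (and ideally sign it) so that a tampered archive cannot also carry a matching, tampered manifest. Running `verify_backup` against a scratch restore on a schedule turns "we have backups" into "we have verified, restorable backups".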
- Encrypt All Sensitive Data
Encryption is one of the most powerful tools for keeping data safe. At an enterprise level, some cybersecurity suites already include encryption. However, the first step in implementing this tool is deciding what information your organization needs to encrypt.
After establishing this, you must develop a strategy for continued encryption management. Part of this includes finding an ideal solution for your enterprise. As with all information management protocols, information technology specialists should review this procedure to ensure the practice remains effective.
- Create an Action Plan for Potential Attacks
Unfortunately, not all prevention methods will always stop a cyberattack. It’s a good idea to take the attitude of “hope for the best and prepare for the worst.” You’ll want to create a response plan should a breach occur and compromise security. How you respond to a breach—and how quickly—can make a big difference in the cost and outcome of a security breach.
The first step is to create a breach plan. Next, you must educate staff on their roles when a breach occurs. Finally, include the plan in ongoing drills and training to ensure that everyone is prepared and will react appropriately. Not sure how to get started? Here’s a handy checklist from The International Association of Privacy Professionals for creating your response plan.
Trends in Cybersecurity
The future of security will be crucial in the medical industry, and health leaders need to be willing to consider the latest cybersecurity technologies. Here are some technologies on the cusp of becoming standard in cybersecurity.
Blockchain
One technology with enormous potential in healthcare cybersecurity is blockchain. The technology revolutionizes the way data is stored and shared. Created to ensure the security and scalability of the popular cryptocurrency Bitcoin, blockchain is now being used in several industries for security and transparency.
Blockchain technology distributes information on what is essentially a public ledger instead of storing it in a central location. When transactions or changes occur, a new “block” is added to the chain. This creates a system that is difficult to falsify or compromise. While blockchain isn’t invulnerable, it is considered much more secure than traditional systems.
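The property described above, that a chain of blocks is "difficult to falsify," comes from each block committing to the hash of the block before it, so that altering any record breaks every later link. The following is an added example, not code from the original article, of a single-node hash chain used as a tamper-evident audit log for record-access events. It deliberately omits the distribution and consensus parts of a real blockchain and shows only the integrity property; the event records are constructed sample data, and the `Ledger` class and its method names are assumptions for illustration.

```python
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Optional, Tuple

GENESIS_HASH = "0" * 64


def block_hash(index: int, timestamp: int, data: dict, prev_hash: str) -> str:
    """Hash of the block contents, serialised canonically so the same content always hashes the same."""
    payload = json.dumps(
        {"index": index, "timestamp": timestamp, "data": data, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


@dataclass
class Block:
    index: int
    timestamp: int
    data: dict
    prev_hash: str
    hash: str


class Ledger:
    """Append-only chain: each block commits to its predecessor's hash."""

    def __init__(self) -> None:
        self.chain = []

    def append(self, data: dict, timestamp: Optional[int] = None) -> Block:
        index = len(self.chain)
        ts = int(time.time()) if timestamp is None else timestamp
        prev = self.chain[-1].hash if self.chain else GENESIS_HASH
        block = Block(index, ts, data, prev, block_hash(index, ts, data, prev))
        self.chain.append(block)
        return block

    def verify(self) -> Tuple[bool, int]:
        """Walk the chain; return (True, -1) if intact, else (False, index of the first bad block)."""
        prev = GENESIS_HASH
        for block in self.chain:
            recomputed = block_hash(block.index, block.timestamp, block.data, block.prev_hash)
            if block.prev_hash != prev or block.hash != recomputed:
                return False, block.index
            prev = block.hash
        return True, -1


def demo() -> dict:
    """Constructed scenario: an access log is altered after the fact, with and without re-hashing."""
    ledger = Ledger()
    ledger.append({"event": "view", "user": "nurse01", "record": "MRN-0001"}, timestamp=1)
    ledger.append({"event": "view", "user": "admin02", "record": "MRN-0002"}, timestamp=2)
    ledger.append({"event": "export", "user": "admin02", "record": "MRN-0002"}, timestamp=3)
    intact = ledger.verify()

    # Someone edits block 1 in place to hide who viewed the record
    ledger.chain[1].data = {"event": "view", "user": "nurse01", "record": "MRN-0002"}
    naive_tamper = ledger.verify()          # block 1's stored hash no longer matches its contents

    # Recomputing block 1's own hash does not help: block 2 still points at the old hash
    b = ledger.chain[1]
    b.hash = block_hash(b.index, b.timestamp, b.data, b.prev_hash)
    rehashed_tamper = ledger.verify()       # the break moves to block 2

    return {"intact": intact, "naive_tamper": naive_tamper, "rehashed_tamper": rehashed_tamper}


if __name__ == "__main__":
    print(demo())
```

The second tamper attempt is the point: hiding an edit requires rewriting every later block, and in a distributed system every other holder of the chain would have to accept that rewrite. On its own a hash chain only makes tampering detectable; it does not prevent it, which is why the surrounding text rightly says blockchain "isn’t invulnerable."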
Biometrics
Biometrics are also being improved for security applications. What was once a science fiction pipe dream is now becoming a reality. There’s no better way to prove your identity than with your own unique biological features, such as fingerprints. Because they’re so accurate and distinctive, biometrics could one day make it nearly impossible to steal secure data.
Some biometrics developers, like TeleSign, are working on systems that learn a person’s habits and can recognize that person after about 5-10 sessions. TeleSign Director of Product Management Sergi Isasi says that this application has better than 95% accuracy in distinguishing users from one another.
Creating a Data-Secure Culture
Education and training are important parts of protecting sensitive patient data. However, unless you begin to create a culture of cybersecurity, the training’s effects won’t last very long. Promoting a culture of cybersecurity starts with awareness.
Many staff members are unaware of the many activities that may seem innocent but might compromise data security. Many employees don’t believe that their actions can cause a data breach—until they do.
Opening an unsolicited email, for example, could allow a virus to gain access to the corporate network, or an innocuous picture sent from an associate’s hacked email account can contain malicious code that could compromise the integrity of enterprise data.
If creating a culture of cybersecurity sounds complex, that’s because it is. Not everyone will willingly come on board, and it takes a lot of committed effort to get everyone on the same page. Many employees don’t think an attack could happen at their workplace when, in reality, it’s the rule rather than the exception.
Setting a good example for employees and insisting on accountability and ongoing compliance are key. By creating a culture of cybersecurity, you can reduce the possibility of an attack and ensure a prepared workforce should the worst happen.
In addition to strict policies, ongoing education and buy-in are essential. Show your employees and leadership why cybersecurity should be one of your organization’s top priorities.
It’s key that the hospital is willing to invest in organizational security and that every employee understands and embraces their role in keeping patient and hospital data safe.