If you think you don’t have data security issues, you’re probably wrong.
In a survey by the Ponemon Institute, 94 percent of health care organizations reported a data breach in the past two years. The firm pegged the cost of such breaches in the U.S. at close to $200 per record.
That would amount to no small drain on the system. Breaches involving more than 29 million patient health records have been reported to the U.S. Secretary of Health and Human Services since 2009, according to a February 2014 study by IT security firm Redspin.
And there’s no sign that the risk will subside anytime soon. Quite the opposite, in fact. Experian wrote in a recent report: “Healthcare, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014.” That’s in part because as the industry grows, so does its “attack surface.”
Understandably, health care professionals prefer to focus on looking after their patients. But organizations that encourage every team member to think a bit more like an IT security analyst stand the best chance of avoiding data breaches and other IT problems.
Here are six IT risks that are well worth your attention:
1. Access Creep
Do employees have access only to the systems and data that they need? As people transfer departments or get promoted, they often get new system privileges — while keeping old ones. Additionally, in some departments and small companies, it can be tempting to give everyone access to everything for the sake of convenience.
But lax access policies increase your risk of data breaches. Take the case of six workers who, according to the Los Angeles Times, lost their jobs last year because they looked at certain patient records at a prominent Los Angeles hospital. (Perhaps not coincidentally, the breach occurred when Kim Kardashian was giving birth at the hospital.) Three community physicians apparently had given their login information to their own employees “in violation of hospital policy,” the Times reported.
The most effective way to deal with access creep is through regular access audits. Make sure that users can log in only to the systems they need to use, and be sure to cut their access to old systems when they change jobs within your organization.
2. Termination Policies
It’s one thing when current staff members have inappropriate access to IT systems. It’s even worse when former employees — who might or might not have left on good terms — still have valid login credentials. If you don’t have a policy of changing passwords and recovering hardware immediately when an employee’s tenure ends, you risk unauthorized access to your systems.
Think carefully about just when to turn off the spigot. A pediatric hospital in Georgia last year fired and sued an executive who turned in her resignation and then, before her last day on the job, allegedly sent patient information and other sensitive data to her personal email account, the Atlanta Business Chronicle reported.
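The two risks above, privileges that accumulate across job changes and accounts that outlive employment, are both caught by the same kind of periodic access review. The following is an added example (not from the original article) of such an audit in Python: it compares each account's actual entitlements against a role baseline, identifies leftovers that are explained only by a former role, and lists terminated users who still hold access. The role names, systems and accounts are constructed sample data.

```python
"""Access-review audit: flag access creep and accounts that survived termination.

All roles, systems and accounts below are constructed for illustration.
"""
from dataclasses import dataclass

# Role baseline (assumed): the systems each job role legitimately needs.
ROLE_BASELINE = {
    "billing_clerk": {"billing", "scheduling"},
    "nurse": {"ehr", "scheduling", "pharmacy"},
    "it_admin": {"ehr", "billing", "scheduling", "pharmacy", "ad_admin"},
}


@dataclass
class Account:
    user: str
    role: str            # current job role
    former_roles: list   # roles held before transfers or promotions
    terminated: bool     # employment has ended
    entitlements: set    # systems the account can actually log in to


def find_access_creep(accounts, baseline):
    """Return {user: finding} for active users holding systems their current role
    does not justify; 'carried_over_from_former_role' marks classic access creep."""
    findings = {}
    for a in accounts:
        if a.terminated:
            continue  # terminated users are reported by find_stale_accounts
        excess = a.entitlements - baseline.get(a.role, set())
        if excess:
            former = {s for r in a.former_roles for s in baseline.get(r, set())}
            findings[a.user] = {"excess": excess,
                                "carried_over_from_former_role": excess & former}
    return findings


def find_stale_accounts(accounts):
    """Return terminated users whose accounts still hold any entitlement."""
    return sorted(a.user for a in accounts if a.terminated and a.entitlements)


# Constructed sample accounts: alice kept billing after moving from clerk to nurse,
# carol was given EHR access "for convenience", dave left but was never deprovisioned.
SAMPLE_ACCOUNTS = [
    Account("alice", "nurse", ["billing_clerk"], False, {"ehr", "scheduling", "pharmacy", "billing"}),
    Account("bob", "billing_clerk", [], False, {"billing", "scheduling"}),
    Account("carol", "billing_clerk", [], False, {"billing", "scheduling", "ehr"}),
    Account("dave", "nurse", [], True, {"ehr", "scheduling"}),
]

if __name__ == "__main__":
    for user, f in find_access_creep(SAMPLE_ACCOUNTS, ROLE_BASELINE).items():
        print(f"{user}: excess={sorted(f['excess'])} "
              f"from former role={sorted(f['carried_over_from_former_role'])}")
    print("terminated but still entitled:", find_stale_accounts(SAMPLE_ACCOUNTS))
```

In practice the entitlement sets come from exports of your directory and application user lists, and the baseline from HR job codes; the review is only as good as how current both feeds are.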
3. Unencrypted Hardware
Laptops and other devices containing personal health information can be lost, stolen, misused or improperly disposed of. If one of these events happens in your organization, you want the data to be unreadable to unauthorized users.
For hardware security, the National Institute of Standards and Technology recommends full-disk encryption, volume and virtual disk encryption or file/folder encryption. Without encryption, you put your patients at risk of medical identity theft and make your organization vulnerable to multi-million-dollar government fines, along with private lawsuits. You also could end up in the embarrassing position of having to notify affected patients, the Department of Health and Human Services and even the media of the breach.
In April 2013, for example, the Department of Veterans Affairs notified more than 7,000 patients that their data was at risk after a laptop containing names, partial Social Security numbers and some medical information was stolen from a Columbia, S.C., facility, according to WIS-TV. Some of the veterans have since sued the government.
4. Cloud Outages
Health care data and processing power are increasingly moving to cloud servers. As electronic health records and other trends cause the amounts of data that organizations deal with to explode, the choice will start to feel more like a requirement. But if the servers you depend on fail, will you experience a business disruption? In health care, the potential consequences go beyond compromised data and lost revenue: Lives could be at stake.
If the cloud servers you rely on run into trouble because of a natural disaster or for other reasons, the ability of your workload to “fail over” to another geographic location can keep your systems running. Highlighting the risks, Amazon.com, which provides cloud services for many firms, has experienced several technical problems in recent years. The worst instance, in April 2011, temporarily knocked hundreds of sites offline, as Wired magazine reported.
5. Unsecure Texting
Physicians text as much as anyone else — and maybe more. Their favored topic, in many cases, is work, and that means that patients’ medical information often makes its way across smartphone screens. This, unfortunately, is not a HIPAA-secure way to transmit protected health information, and it leaves organizations vulnerable to hefty federal fines.
Some hospitals and other health care institutions try to avoid problems by banning text messages and relegating their doctors to pagers. But such measures are not necessary. Secure texting mobile applications provide encryption and other features to ensure that sensitive messages don’t get into the wrong hands — and don’t cause compliance headaches for health care organizations.
Where there’s data, there are hackers. The information that a healthcare organization stores, including medical records and Social Security numbers, is valuable to cybercriminals who can use it for identity theft and other purposes.
In one example from 2012, hackers thought to be working from Eastern Europe made their way into a Medicaid server at the Utah Department of Health, gaining access via claims records to as many as 280,000 Social Security numbers. They apparently exploited a default password to get past various security controls, Computerworld reported.
Unfortunately, there’s no magic bullet to prevent attacks of this type. But a multi-layered approach that includes strong passwords, encryption, thoughtful access policies and staff-wide education on security issues will go a long way toward thwarting malicious IT attacks.