In the last few years, Electronic Health Records (EHR) have become the industry standard for data & patient records, nearly replacing paper records. That’s good news; it’s easier for healthcare organizations to collaborate on patient care, back up files, and ensure seamless communication. According to Healthit.gov, 74% of physicians saw better overall patient care after switching over to EHRs, and today, it’s become the standard for hospitals all over the country. Thanks to the digital revolution, all industries, including healthcare, have experienced an explosion of valuable data.
Overall, we can anticipate 44 trillion gigabytes of data in the United States by 2020. There are approximately 20 billion devices that connect to the Internet, and technology experts expect that number to surge to 30 billion by the year 2020.
As cloud computing expands, the need for more data centers will increase as well. With this accumulation of data comes increased risk. The technology that provides medical professionals with fast and easy access to patient information is also a vulnerability the criminals can exploit.
Due to the sensitive nature of patient data, hospitals and insurance companies are prime targets for cybercriminals. Federal regulations attempt to protect patients by requiring certain standards for storing and protecting records, but many organizations still experience massive data breaches each year.
These breaches not only compromise patient trust and faith in their health care providers, but they can also have costly consequences: the average cost of a data breach in 2017 was $3.62 million. This amounts to $141 per breached record, a relatively minuscule drop from $158 compared to the previous year.
However, cyberattackers are successfully acquiring an increased number of records during each breach. On average, hackers make off with 24,000 records during each incursion.
The totals that breaches cost compromised enterprises individually varies, making it important for information technology officers to understand the potential losses that their organization might incur due to a cyber attack.
Examples of Cyberattacks in Health care
In 2014, Anthem, the second-largest insurer in the United States, was hacked. It was the largest breach in health care, affecting 80 million records.
This wasn’t information about patients’ vitals or other medical information; it was information that could be used in identity theft. Cyberattackers acquired consumers’ “names, dates of birth, social security numbers, health care ID numbers, home addresses, email addresses, and employment information, including income data.”
Large insurance companies provide the biggest examples of these breaches, but small and medium-sized organizations are regularly hacked too. In 2017, for example, Plastic Surgery Associates of South Dakota was hit, compromising 10,000 patient records. Facility officials notified affected patients and offered $1 million in identity theft insurance.
The attack caused irreparable damage to the care provider’s information network, highlighting the need to back up data to aid in breach recovery. Enterprises must also conduct regular tests to ensure that the backups are complete and ready for deployment.
Cyberattackers go after very specific information that’s easy to resell on the black market. If you’re involved with hospital administration, you can’t just sit back and hope that a breach won’t happen to you. 89% of health care organizations have been victim to at least one data breach in the last two years. So, what can hospitals do to protect against breaches? Here are 12 tips that can help reduce risks and minimize damages.
- Perform a Security Risk Analysis
HIPAA regulations do not dictate how organizations must secure their data, but they do stipulate that effective security measures must always be in place. While the methodology for a data security audit varies by organization, the first step is to clearly define audit objectives, for example, expense validation of new data security equipment, developing a report for stakeholders or identifying network weaknesses among hospital units.
The next step is to gather information about your existing network, including hardware and software resources, organizational policies and procedures regarding information handling, legal requirements and other variables that affect network security.
The audit should conclude with an assessment of what could happen if the network were breached, how likely a breach is to occur, an outline of organizational values regarding information security and a synopsis of what was learned during the audit. The Information Systems Audit and Control Association (ISACA) publishes a relatively brief guide that outlines the background and the steps involved in effective analysis of enterprise security evaluations.
- Understand the Different Causes of Data Breaches
In 2017, 41% of the cases of health care data falling into the wrong hands on occurred due to insider error or intentional misuse (for both paper and electronic records). However, the methods that cyberattackers use to infiltrate networks may change over time.
You can learn the current causes of most data breaches by reviewing publications such as The Association of Corporate Counsel’s Cybersecurity Report, which lists the most common kinds of data security threats along with available resources. Once the most common threats are identified, you must teach staff members how to avoid them.
- Train and Educate Staff
Effective defense against cyberattacks requires a multipronged approach. Hospitals leaders must start the process by developing a data security-conscious culture. Also, organizations should run regular tests and drills that simulate that methods that hackers may use to break into a network. Finally, it’s important for you to publicly acknowledge staff members who follow appropriate data safety protocols. This encourages other staff members to be mindful of their digital activities. Kerpasky, a leading international data security firm, provides a free resource to help enterprise leaders teach employees about cybersecurity.
- Establish a Policy for Employees Who Bring Their Own Devices
In a 2014 survey of healthcare executives, 88% of organizations allowed employees to bring their own devices. However, it’s important to establish a “Bring Your Own Device” policy that ensures network security. This process begins with establishing device policies that are mutually beneficial for employees and the organization. The next step is to provide employees with a list of apps that protect devices from malware and other intrusions. Additionally, the hospital IT department must arrange to keep the apps updated. Finally, it’s important that all employees are aware of the hospital device policy and informed whenever there are policy updates.
- Keep Hospital Devices Bare Bones
Manufacturers frequently ship computers that contain at least security vulnerability. A lot of new devices are equipped with “bloatware,” which refers to software that comes pre-installed on the machine, but might not be necessary for the purchaser’s needs.
Ensuring that new hospital computers do not contain bloatware is a one-step process: buy computers directly from the manufacturer. For existing devices that contain bloatware, your IT department can do a clean install of all computers without unnecessary programs, manually remove unnecessary applications or use Microsoft’s built-in recovery tool to remove all but factory installed programs and your proprietary files.
- Set Up Multifactor Authentication
Most passwords can be easily cracked, and in an instant, valuable data can be stolen. 54% of consumers use five or fewer passwords, which can make it easier for hackers to gain access to sensitive information. Multifactor authentication can help prevent cyberattacks by adding an extra layer to security.
The security protocol can take several forms, but it simply means confirming a person’s identity by two or more methods. Traditionally, staff members log into their accounts using a password. This is the first factor.
Therefore, the first step for implementing multifactor authentication is deciding what you need to secure and what will use as a second identification factor, which can include fingerprint scanning, eye scanning, smart device apps or other secondary means to access an account.
Once you’ve made this decision, the IT department can install the necessary hardware and software to enable the process.
- Ensure That Devices Are Updated Regularly
New vulnerabilities in operating systems and software pop up every day. It’s important to install relevant updates as soon as they come out since these updates typically include security fixes and “patches” for the software. This process begins with the hospital IT department or consultancy.
Once the IT department has established a plan for monitoring and updating network devices, it’s important the IT executive regularly review this policy, as changes in technology occur frequently. Additionally, it’s imperative that the IT department regularly checks that all enterprise devices have updated correctly.
- Create Regular Backups
A Becker Hospital Review article reports that as of 2014 only 42% of hospitals were backing up data, and only 10% of those care providers used off-site storage to ensure data safety. The first step in this process is to evaluate vendors that develop hardware and software for data backups.
Next, the IT department will program the software to backup data according to organizational guidelines. This process may change over time as information storage needs and security demands evolve, so an annual review of the process is required to keep backup systems current.
- Encrypt All Sensitive Data
Encryption is one of the most powerful tools we have for keeping data safe. At an enterprise level, some cybersecurity suites will already include encryption. However, the first step in implementing this tool is deciding what information your organization needs to encrypt.
After establishing this, you’ll need to develop a strategy for continued encryption management. Part of this includes finding a solution that’s ideal for your enterprise. As with all information management protocols, information technology specialists should review this procedure to ensure that the practice remains effective.
- Create an Action Plan for Potential Attacks
Unfortunately, all the prevention in the world won’t always stop a cyberattack. It’s a good idea to take the attitude of “hope for the best and prepare for the worst.” You’ll want to create a response plan should a breach occur and compromise your security. How you respond to a breach—and how quickly—can make a big difference in the cost and outcome of a security breach.
The first step is to create a breach plan. Next, you must educate staff on their roles for when a breach occurs. Finally, include the plan in ongoing drills and training to ensure that everyone is prepared and will react appropriately. Not sure how to get started? Here’s a handy checklist from The International Association of Privacy Professionals for creating your response plan.
Trends in Cybersecurity
The future of security will be crucial in the medical industry, and health leaders need to be willing to consider the latest technologies in cybersecurity. Here are a couple of the technologies on the cusp of becoming standard in cybersecurity.
Blockchain
One technology that has enormous potential in healthcare cybersecurity is blockchain. The technology revolutionizes the way that data is stored and shared. Created to ensure the security and scalability of the popular cryptocurrency bitcoin, blockchain is now being used in several industries for security and transparency.
Blockchain technology, instead of storing all data in a central location, distributes the information on what is essentially a public ledger. When any transactions or changes occur, a new “block” is added to the chain. This creates a system that is difficult to falsify or compromise. While blockchain isn’t invulnerable, it is considered much more secure than traditional systems.
Biometrics
Biometrics are also being improved for security applications. What was once a science fiction pipe dream is now becoming a reality. There’s no better way to prove your identity than with your own unique biological features, such as fingerprints. Because they’re so accurate and unique, biometrics could one day make it nearly impossible to steal secure data.
Some biometrics developers, like TeleSign, are working on systems that learn a person’s habits and can recognize that person after about 5-10 sessions. TeleSign Director of Product Management Sergi Isasi says that this application has a 95% plus rate of accuracy in distinguishing users from one another.
Creating a Data Secure Culture
Education and training is an important part of protecting sensitive patient data. However, unless you begin to create a culture of cybersecurity, the effects of the training won’t last very long. Promoting a culture of cybersecurity starts with awareness.
Many staff members are unaware of the many activities that may seem innocent but might compromise data security, and many employees don’t believe that their actions can cause a data breach – until they do.
Opening an unsolicited email, for example, could allow a virus to gain access to the corporate network, or an apparently innocuous picture sent from an associate’s hacked email account can contain malicious code that could compromise the integrity of enterprise data.
If creating a culture of cybersecurity sounds difficult, that’s because it is. Not everyone will willingly come on board, and it takes a lot of committed effort to get everyone on the same page. Many employees don’t think an attack could happen at their workplace when in reality, it’s the rule, rather than the exception.
Setting a good example for employees is key, as is insisting on accountability and ongoing compliance. By creating a culture of cybersecurity, you can reduce the possibility of an attack—and ensure a prepared workforce should the worst happen.
In addition to having strict policies in place, ongoing education and buy-in are essential. Show your employees and leadership why cybersecurity should be one of your organization’s top priorities.
It’s key that the hospital is willing to invest in organizational security, and that every employee understands and embraces their role in keeping patient and hospital data safe.
Sarah Daren