But the industry can adopt strategies to protect patient data.
Frequent cyberattacks are a grim reality of our tech-savvy society. The healthcare industry is particularly vulnerable to these attacks given the wealth of information found in medical records, including personal identifiers, insurance details and prescription numbers.
According to HIPAA Journal, June 2018 saw 33 separate breaches, exposing more than 356,000 patient healthcare records. Of those breaches, more than 80 percent involved hacking, IT infrastructure failure or unauthorized access.
Safeguarding electronic protected health information (ePHI) is more complex than ever with continuous advances in digital resources and cybercrime activity. How does a provider avoid falling victim to one of these massive attacks?
To start, evaluate the evolving healthcare data security landscape and consider the obstacles:
Many of the cybersecurity problems health facilities face stem from a lack of awareness. They see data security as an issue that affects the IT department rather than the entire organization. Because of this mindset, they fail to build a culture of security in which everyone understands and values secure data, equipment and processes. And this leads to weak passwords and authentication practices, as well as participation in what’s known as shadow IT — where employees access sensitive patient data using unauthorized devices and apps.
Widespread lack of awareness makes the people working at a healthcare facility the weakest security link. To combat security flaws introduced by employees, make it a top priority to boost organizational awareness through comprehensive training and the adoption of strict authorization and authentication policies.
The healthcare industry historically lags behind other industries when it comes to adopting technology. Hospitals and medical practices often use outdated operating systems, elementary backup systems and consumer-grade routers. Additionally, they offer unsecured guest networks for patients and visitors.
Using modern software and equipment, and making updates to systems and apps a routine habit, are key to protecting facilities from cybercrime. Outdated software leaves data exposed to newly discovered bugs and attacks because it relies on antiquated features and lacks current protections.
Healthcare organizations are highly vulnerable to email phishing attacks because their email addresses are easy to find and their email traffic is above average. Healthcare email addresses tend to be less protected than email addresses in other industries. Additionally, healthcare professionals receive a large volume of emails as they collaborate with other providers and order drugs or equipment for treatment, so they are more likely to open a phishing email.
Healthcare professionals must exercise extreme caution when opening unsolicited email attachments and accessing the internet on facility networks. To limit phishing vulnerability, provide training sessions that offer tips for spotting phishing attacks and limiting internet activity while logged into the organization’s systems.
According to the U.S. Department of Health & Human Services (HHS), access to ePHI should be limited to the “minimum necessary” for employees to do their jobs and care for patients. This is where many organizations fail. It’s all too common for health facilities to share large data sets across the organization simply because they lack the resources or time to manage access properly.
Considering the number of healthcare data breaches that result from internal staff errors, providers can significantly reduce risk by introducing data access controls. On top of limiting who has access to sensitive patient data, keep detailed documentation of authorized access so appropriate action can be taken when an authorized employee leaves the organization.
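The "minimum necessary" model described above, as an added example that is not part of the original article: a small role-based registry that returns only the ePHI fields a role needs, records every access attempt for later review, and revokes a user outright at offboarding. The roles, field names and sample record are constructed for illustration.

```python
"""Minimum-necessary access to ePHI with an audit trail (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: each role may read only the ePHI fields its job requires.
ROLE_FIELDS = {
    "physician": {"name", "diagnosis", "prescriptions", "insurance_id"},
    "billing":   {"name", "insurance_id"},
    "pharmacy":  {"name", "prescriptions"},
}


@dataclass
class AccessRegistry:
    """Documents who is authorized (and in which role) and logs every access attempt."""
    authorized: dict = field(default_factory=dict)   # user -> role
    audit_log: list = field(default_factory=list)    # one entry per read() call

    def grant(self, user: str, role: str) -> None:
        if role not in ROLE_FIELDS:
            raise ValueError(f"unknown role {role!r}")
        self.authorized[user] = role

    def revoke(self, user: str) -> None:
        """Offboarding: drop the user's authorization so later reads return nothing."""
        self.authorized.pop(user, None)

    def who_can_read(self, ephi_field: str) -> list:
        """Documentation view: every user whose role permits reading this field."""
        return sorted(u for u, r in self.authorized.items() if ephi_field in ROLE_FIELDS[r])

    def read(self, user: str, record: dict, fields: list) -> dict:
        """Return only the requested fields the user's role allows; log granted and denied."""
        role = self.authorized.get(user)               # None if unknown or revoked
        allowed = ROLE_FIELDS.get(role, set())
        granted, denied = set(fields) & allowed, set(fields) - allowed
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role,
            "granted": sorted(granted), "denied": sorted(denied),
        })
        return {f: record[f] for f in granted if f in record}


# Constructed sample record for a fictional patient.
SAMPLE_RECORD = {"name": "J. Doe", "diagnosis": "example-dx",
                 "prescriptions": ["example-rx"], "insurance_id": "INS-000"}
```

Any attempt that lands in the `denied` list of an audit entry is exactly the over-broad request the text warns about, and the log plus `who_can_read` give the documentation needed to act when someone leaves.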
Laptops, tablets and mobile medical devices are increasingly being used to treat patients and record data, but spreading sensitive information across all these devices exposes facilities to even greater security risks. In the first few weeks of 2018, HHS received five healthcare data breach reports related to theft or loss of a laptop or other portable electronic device. And other reports indicate that a high percentage of mobile healthcare apps lack privacy policies. Additionally, mobile devices can be used to insecurely transfer sensitive data over public Wi-Fi networks.
Mobile devices require the same security measures used to protect desktop computers. In fact, some malware is written specifically to target mobile devices. To safeguard patient health information from the risks introduced by laptops and other portable electronic devices, require data encryption on all devices and adopt technology that can remotely wipe a device if it is lost or stolen. Additionally, allow only certain information to be stored on approved devices, and restrict use of personal laptops and smartphones on facility networks.
Chris Byers is the CEO of Formstack, an Indianapolis-based company offering an online form and data-collection platform. Prior to Formstack, Byers co-founded an international nonprofit that was built via remote relationships among partners in Europe, Africa and the United States.