Healthcare cybersecurity puts hospitals between a rock and a hard place. The privacy of patient data is key, and reporting breaches or compromised information in a timely manner is both a regulatory requirement and a way to mitigate further damage. But doing so can also sometimes do little more than land a provider an enormous fine and create bad publicity.
In a recent report on healthcare data breaches from the Brookings Institute's Center for Technology Innovation, Niam Yaraghi, PhD, conducted 22 interviews with a variety of healthcare administrators to take the temperature of cybersecurity on the ground, and to see what folks on the frontline would like to see changed.
Here are nine takeaways from the report:
- The extensive coverage of healthcare data breaches cements the idea that breaches occur more frequently for hospitals and health systems than stakeholders in other industries. While this may be true, patient data is so sensitive that reporting regulations about breaches are much stricter, which by nature fuels greater media coverage.
- Too many people need access to medical data to guarantee security. A single inpatient visit could result in dozens of clinicians looking at sensitive patient data, which ups the chance that information will be compromised and privacy violated, but is also necessary and potentially life-saving.
- Medical data is often stored for a much longer period of time than other forms of data, which increases the likelihood of information being compromised.
- The explosive growth and adoption of healthcare technology, like EHRs, contributed to today's environment, where hospitals are often playing catch-up when it comes to cutting-edge hardware and software, and reacting to, rather than foreseeing, data vulnerabilities.
- Until recently, healthcare did not have a powerful financial incentive to invest in a strong cybersecurity infrastructure. Unlike other industries, where consumers can choose to withhold their patronage from a business if their information is compromised, people will always need healthcare. Now that hospitals can be fined huge sums for data security slip-ups and there are more reporting tools available to help consumers choose providers who have demonstrated better cybersecurity hygiene, this is beginning to change.
- Dr. Yaraghi suggests HHS' Office for Civil Rights needs to better communicate the details of the hundreds of healthcare data breach audits it performs annually. Without meaningful information on these breaches, other organizations lack what they need to apply the lessons about data protection.
- Provider organizations should take it upon themselves to share more information about privacy and cybersecurity measures, among other things, according to Dr. Yaraghi. Rather than competing for technology solutions, organizations can collaborate to keep patients safer.
- OCR should put more effort into preventing HIPAA violations than punishing them, Dr. Yaraghi suggests. This could be done through a universal HIPAA certification system, which would perform audits on certified entities, as is done in the financial and banking industries.
- Dr. Yaraghi also suggests a private cyber insurance market could help incentivize hospitals to make lasting improvements in privacy and data management.