From ransomware to cyberattacks, data breaches in the healthcare sector abounded in 2016. In fact, last year averaged one healthcare data breach per day, according to a recent Protenus analysis.
The frequency of such breaches isn't expected to change in 2017. As cybersecurity remains a top-of-mind issue for healthcare executives, hospitals and health systems must work even harder to prevent potential HIPAA violations.
Becker's Hospital Review spoke with four healthcare providers and industry experts about cybersecurity and what can be done to mitigate breaches. The panel included:
- Juliet Breeze, MD, CEO and medical director of Sugar Land, Texas-based Next Level Urgent Care and vice president of Katy, Texas-based Vantage Hospice
- David Finn, health information technology officer of Mountain View, Calif.-based Symantec
- Santosh Varughese, president of Houston-based Cognetyx
- Donald Voltz, MD, of Canton, Ohio-based Aultman Hospital
Here are the top sound bites from their discussion, lightly edited for clarity.
On why the healthcare industry has been targeted so hard with data theft:
Dr. Voltz: "There's so much [protected health information] locked up within an EHR. Not only is there an emotionally charged aspect to the data in it, but the information provides almost a complete portfolio to do identity theft."
Mr. Finn: "When data was on paper, it wasn't as valuable. With the dawn of the web, all that data became much more valuable than it ever was before. The ability to track people across web searches makes the information valuable and easy to access."
Mr. Varughese: "In general, healthcare organizations aren't deploying solutions that actually work. Most organizations can't afford to have defenses. The majority of healthcare organizations don't have solutions in place that can mitigate the risk of data theft."
Dr. Breeze: "I own two healthcare organizations. I have 200-plus employees with access to the records. It's very expensive for us to monitor and control how the information is accessed. As a smaller organization, there's no solution I've found that's actually affordable for us."
On why the problem of data theft is challenging to solve:
Mr. Finn: "You have the dichotomy of healthcare — there's no other industry that's so regulated and secure but has a mission to share data. In healthcare, we're regularly told that you're supposed to share data with state registries and other organizations. But every time you share data, you share an opportunity to take data."
On what the industry should or shouldn't do to end the problem:
Mr. Finn: "We talk about interoperability and get focused on the technology, but I think we need some common language and common terms before we start doing that. We don't have a common framework across the industry."
Dr. Breeze: "I have a lot more concern about what's happening inside organizations internally regarding how many people have access to the data. At most of the organizations I've ever worked for or in, there were not a whole lot of limitations regarding what you could access once you got your username and password. What can we do about who has access to the data before it even leaves the organization?"
Mr. Varughese: "In spite of HIPAA regulations and other laws, the rate of data breaches is actually going up. These standards from the government, although helpful, don't equate to data security."
On data security in 2017:
Mr. Varughese: "What we've been doing for the past two decades is making the wall a little higher or thicker, and that kind of thinking has not helped. We need to be asking, 'What's available now to help us take control of these problems?' Technologies — involving big data, machine learning and artificial intelligence — will have to be employed to be able to scale the network and protect the data."
Dr. Voltz: "[The issue of data breaches] is going to get a lot worse before we get on top of things. It's prudent for healthcare organizations to figure out how to function in the interim. We're going to have to become more innovative."
Mr. Finn: "We have to change the way we think about this data. It's a given that healthcare is never going to have the money, staff, skill sets or focus to completely solve this. We want to stay focused on taking care of people, not becoming security companies."
Dr. Breeze: "I've heard more about cybersecurity in this last year than I've ever heard about it in my whole career. It's a huge industry problem. I do agree that it will get worse before it gets better, but I'm looking forward to seeing a lot of movement in this space."