Data breaches can be small, isolated incidents, affecting just a few hundred patients, or they can be sweeping events that affect millions — patients and employees alike. Regardless of the scale, data breaches have far-reaching consequences from loss of customer loyalty to legal ramifications.
As healthcare continues to shift into the digital world, all healthcare organizations will need to increase their knowledge and vigilance about safeguarding protected health information.
1. Why data security should be top-of-mind for all healthcare providers. Cyberattacks are hardly limited to the healthcare industry, but that should not lessen the importance of data security. Protected health information commands a high value, to both hackers and the public, says Robert Faix, Principal at Impact Advisors. PHI can include information like patient names, diagnoses, Social Security numbers and dates of birth, which can be used in cases of identity theft. Moreover, celebrity medical data can be seen as valuable if publicized. The price of health data on the black market varies but is generally higher than the price of stolen credit card numbers.
Healthcare providers are faced with myriad budgetary decisions and cybersecurity does not always command top priority. "Information security programs within healthcare are underfunded in many cases," says Mr. Faix. "Consider choosing between purchasing a new MRI machine, which will generate revenue, or intrusion detection software, which can protect an organization, but not generate revenue. We have a good way to go before security finds its home in the hierarchy of investments."
Spurred by the value and vulnerability of data in this industry, hackers are targeting health data. "The hacking methods used are becoming much more sophisticated and are driven by the appeal of healthcare data specifically," says Mr. Faix.
2. Top vulnerabilities. Vulnerabilities fall into two categories, according to Mr. Faix: technical and operational. Biomedical devices loom large on the technical side. Updates and changes to these devices are heavily regulated, often leading to delays in applying patches for known security weaknesses. "A biomedical device has protected health information that could be compromised, but more importantly the purpose of that device is often to sustain a life," he says. "If that biomedical device is compromised, settings for an IV drip, for example, could be changed, resulting in an increased potential for physical harm to patients."
The sheer size of many healthcare organizations is an inherent challenge. Technology across a large health system is often not standardized, nor is data storage uniform. "Larger health systems have an increased challenge in protecting PHI, purely because of their IT footprint," says Mr. Faix.
3. Minimizing the risk. Hackers' methods may be increasingly sophisticated, but healthcare organizations are not without options to combat them. Mr. Faix recommends:
• Investing in prevention and detection technology and standardizing processes
• Thoroughly vetting all new software and hardware purchases prior to implementation
• Establishing a sound patch management program
"What I am talking about here is elementary, but it is amazing how many large and small organizations have a very poor grasp on managing their intake of IT systems and data," he says.
Once a solid process for selecting, vetting and maintaining technology is in place, healthcare providers next can focus on the human aspect of data security. Employee education is essential to minimizing the risk of data breaches. Do not sensationalize the threat of cyberattacks, but explain proper security protocols to all of your employees and enforce these rules. "You could have all of the tech in the world to prevent data breaches, but if the end user receives a phishing email and clicks on the link, your best technology is thwarted," says Mr. Faix.
Accomplishing anything within a healthcare organization requires strong leadership, and security is no different. Many organizations have assigned security responsibilities to their security manager or CISO, but not all organizations have empowered these individuals to drive effective security strategy. "There always needs to be an executive sponsor, whether you are large or small," says Mr. Faix.
4. The future of data security. Change in data security is inevitable. The rise in breaches and the increasing severity of consequences will drive more investment in security. At the same time, hackers will hone their techniques and seek different vulnerabilities, forcing an arms race of sorts. The increasing interest in mobile technology in healthcare adds another layer of complexity. How will this data be protected? Particularly, how will data generated by patients' personal mobile devices be protected and integrated into the larger scheme of healthcare? "From your hip pocket to the EHR, that is the new frontier," says Mr. Faix.