Now that we’ve reached the year 2018, more information is stored online than ever. Not surprisingly, healthcare data is no exception. Patients must feel confident in the knowledge that their personal data is secure and private, accessible only to them and their immediate healthcare providers.
How can clinics, hospitals, and administrators ensure their information is kept out of the wrong hands? What, specifically, can be done? Although the obstacles may seem daunting, increased security is within our reach. Here are a few concrete steps we can take to make sure we can confidently assure our patients they have nothing to fear.
Protecting the data
According to Forbes, our electronic health records (EHRs) are worth more on the black market than our Social Security or credit card numbers. That is troubling given that EHRs have been adopted by over 96% of critical care hospitals and over 83% of regular hospitals. Perhaps even more infuriating is the source of most of these breaches: insiders such as nurses, doctors, or billing specialists who have legitimate access to our information but may also have ulterior motives of profit, revenge, or simple curiosity, according to Robert Lord of Protenus.
Since the introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, over 40 million patients have been affected by reported data breaches in some way. According to Norwich University, however, there are certain best practices healthcare organizations can adopt in order to manage their patient data more effectively, including conducting quarterly assessments of IT systems, hiring well-educated IT specialists, and providing additional training or professional development to existing IT staff. Granting users access only to the information their positions actually require (HIPAA's "minimum necessary" standard), encrypting patient information, and educating employees on HIPAA rules and regulations are other safeguards that help prevent avoidable breaches.
Other common-sense controls health informatics professionals can apply are a properly configured firewall, installed and maintained anti-virus software, and strong passwords everywhere. Moreover, organizations should build a security culture in which employees are aware of when and where they access sensitive information, for example avoiding public Wi-Fi in favour of a restricted, monitored network connection.
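The two safeguards above that bear most directly on the insider problem are "minimum necessary" access and an audit trail of who opened which record. The following is an added example, not code from the original post or from any of the organizations it cites; the roles, care-team assignments, patient records and the snooping threshold are constructed for illustration. It enforces role- and care-team-based access to patient records, logs every attempt, and then reviews the log for the pattern the post describes: a legitimate user repeatedly reaching for records outside their assignment. The review step is a simple rule, standing in for the statistical monitoring the "Big data and machine learning" section later calls for.

```python
"""Minimum-necessary access to patient records, with an audit trail.

Added example, not code from the original post. Roles, records and the
care-team table below are constructed sample data; a real EHR would back
them with its own identity provider and database.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class PatientRecord:
    patient_id: str
    clinical: dict   # diagnoses, notes: clinicians only
    billing: dict    # balances, insurance: billing staff only


# Constructed sample data: three patients, two treating clinicians.
RECORDS = {
    "P-100": PatientRecord("P-100", {"dx": "hypertension"}, {"balance": 120.0}),
    "P-200": PatientRecord("P-200", {"dx": "asthma"}, {"balance": 0.0}),
    "P-300": PatientRecord("P-300", {"dx": "diabetes"}, {"balance": 45.0}),
}

# Which role may see which section of a record ("minimum necessary").
ROLE_SECTIONS = {
    "clinician": {"clinical"},
    "billing": {"billing"},
}

# Treatment relationships: a clinician may only open patients on their list.
CARE_TEAM = {
    "dr_lee": {"P-100", "P-200"},
    "dr_ng": {"P-300"},
}

# Every access attempt, allowed or denied, lands here.
AUDIT_LOG = []  # entries: (user, role, patient_id, section, allowed)


class AccessDenied(PermissionError):
    pass


def read_record(user, role, patient_id, section):
    """Return one section of a record if role and care team both allow it.

    The decision is logged before it is enforced, so denied attempts are
    visible to reviewers as well as successful reads.
    """
    allowed = (
        patient_id in RECORDS
        and section in ROLE_SECTIONS.get(role, set())
        and (role != "clinician" or patient_id in CARE_TEAM.get(user, set()))
    )
    AUDIT_LOG.append((user, role, patient_id, section, allowed))
    if not allowed:
        raise AccessDenied(f"{user} ({role}) may not read {section} of {patient_id}")
    return getattr(RECORDS[patient_id], section)


def flag_snooping(log, denied_threshold=3):
    """Rule-based review of the audit log (an assumed threshold, not a
    HIPAA figure): users who were refused records repeatedly are flagged
    for follow-up by the privacy officer."""
    denied = Counter(user for user, _, _, _, ok in log if not ok)
    return {user for user, n in denied.items() if n >= denied_threshold}


def run_scenario():
    """Constructed scenario: normal clinical use, a billing lookup, a
    clinician probing a patient they do not treat, and billing staff
    trying to read a diagnosis."""
    AUDIT_LOG.clear()
    reads = [
        read_record("dr_lee", "clinician", "P-100", "clinical"),
        read_record("acct_01", "billing", "P-300", "billing"),
    ]
    for _ in range(3):  # dr_lee keeps trying to open dr_ng's patient
        try:
            read_record("dr_lee", "clinician", "P-300", "clinical")
        except AccessDenied:
            pass
    try:  # billing staff have no business with clinical data
        read_record("acct_01", "billing", "P-100", "clinical")
    except AccessDenied:
        pass
    return reads, flag_snooping(AUDIT_LOG)


if __name__ == "__main__":
    reads, flagged = run_scenario()
    print("successful reads:", reads)
    print("users flagged for review:", flagged)
```

Two design points matter here. The log entry is written before the check is enforced, so a denial is never lost to an exception path, and the review rule looks at denied attempts rather than only successful ones, because a curious insider who is correctly blocked still leaves the signal an investigator needs.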
Watertight policies of this kind are meant to thwart attackers like TheDarkOverlord, who broke into Indiana-based Cancer Services Center and demanded $43,000 in ransom from the company’s executive management team via text message. The center reported the incident to the FBI and did not pay. Still, most healthcare organizations would rather avoid an incident of this kind in the first place.
In turn, organizations will need to rise to the challenge by taking a more holistic view of network infrastructure. This will allow them to better understand the data being monitored, which will encourage them to conduct risk assessments, refine policies and procedures, refresh staff training, and reduce security vulnerabilities.
In an ideal world, IT departments would increase their data security budgets, which ordinarily tend to be too small. Larger security budgets might allow healthcare organizations to make progress on the most pressing security concerns among hospitals and physician practices, which are currently phishing attacks and viruses or malware. These threats are largely preventable through better employee “cyber-behavior”: regular security training, attention to disgruntled employees, and stronger security priorities among organizational leadership.
D’Arcy Gue stresses five steps to increased cybersecurity precaution:
- Identify every device on the network
- Update your software
- Spread the “security gospel”
- Secure the patient portal
- Cover your business associate bases
Regarding this last point, third-party vendors and business partners may inadvertently leave a cyber-door open, exposing sensitive patient data without realizing it. It’s each organization’s job to make sure every business partner that handles protected health information (PHI) signs a business associate agreement, as HIPAA requires; this at least obligates partners to follow current HIPAA security policy.
Lastly, Michael Daniel argues that hospitals should create a “cyber toolbox” to help protect against rising security trends that he deems troubling:
- Data corruption
- Attacks on IoT devices
- Greater collateral damage as the result of third-party relationships
As noted above by Gue, the problem is not only internal but relational.
To combat these impending data breaches effectively, Daniel first recommends changing the organizational mindset so that information security is treated as a risk to be managed rather than a technical problem with occasional glitches. Second, it’s crucial to get the attention of senior management, since organizations whose leadership is engaged tend to get better results. Lastly, Daniel argues, hospitals need a holistic risk management framework that allows the security team to better understand their network topology.
With a strong system of protocols in place, healthcare organizations will be more fully equipped to deal with the new nature of 21st-century data security threats. Hackers and malicious underground organizations are more aware of possible weak points and back entryways than they were in the past—in part because we’re working with so much more data than ever before.
Big data and machine learning
As Robert Lord argues, we must apply technology like big data and machine learning to our privacy and security concerns, making sure systems are up-to-date and continuously monitored for outside attacks.
Ironically, our weakness, dependence on data, is also our biggest strength. We must make sure big data is working for us, using automation and machine learning to spot intrusions and insider misuse early, before attackers get what they came for.
As phishing schemes and ransomware attacks become more common, we must formulate comprehensive plans of attack that start at the top levels of management and apply to every department and employee in the chain of command. If cybersecurity is seen as an integral part of an organization’s vision, security is more likely to be prioritized throughout that organization.
Daphne Stanford
Daphne Stanford hosts "The Poetry Show!" on KRBX, her local community radio station, every Sunday at 5 p.m. A writer of poetry, nonfiction, and lyric essays, her favorite pastimes include hiking, bicycling, and good conversation with friends and family. Follow her on Twitter @TPS_on_KRBX.
Comments:
Hi Daphne, great read. Very useful post. Can you sue your primary care physician’s clinic if they don’t protect patients’ data? Negligence can be one of the reasons why hackers take the opportunity to steal data from your computers. Never pay the ransom, it’s a big trap!
It can easily copy and spread your data all over the internet. If your system is hacked, there is a proper way to fix it.
Hi Gregory–thanks for reading! I’m not actually sure what the answer to your question is–it would likely depend on the case. (See here for more information: https://www.hipaajournal.com/sue-for-hipaa-violation/.) It seems as if a lawsuit would have a greater chance of succeeding if you’re not the only patient whose data was leaked.
Hi,
I am drhassi dear. I read your blog and some of your posts. You are doing such a great job.
Hello drhassi,
Thank you for your comment. We appreciate readers like you and hope you continue reading our articles. :)