According to experts at the American Hospital Association, stolen healthcare information can be sold ten times more often on the dark web than stolen credit card information. Both cyberthieves and nation-state actors seek this information for good reason. Besides protected patient data, healthcare records can also contain the critical financial information of thousands of people and data concerning medical innovation. Can cybersecurity help with protecting patient data? Can we be sure that our medical records are secure?
These breaches can devastate patients’ health, privacy, and financial security — particularly when ransomware threatens to interfere with medical devices and ambulance dispatch.
Photo by TheDigitalArtist on Pixabay
High Expectations
Ours is a security age. Even private homes are routinely wired with home security systems for protection. So, expectations are high that healthcare providers, whom people trust with their lives, are also vigilant regarding cybersecurity. The cost of failure goes beyond threats to patient well-being and damage to organizational reputation. The costs of remediating a data breach in healthcare are more than three times higher than that in other industries. Then comes the possibility of fines that lax cybersecurity can bring for HIPAA violations.
A Shift in Attitude
Data breaches occur across the spectrum of the healthcare industry, from vendors to hospital systems and small providers. The first step for any organization is to realize that such breaches are not the problem of IT departments alone. Cybersecurity is an enterprise and risk-management issue that impacts the entire organization and is a responsibility that needs to be widely shared. If possible, a single full-time person should be dedicated to cybersecurity and given the authority to enforce it. In the meantime, management should be provided regular reports on the cybersecurity status and the following steps to be taken.
Photo by Mohamed_hassan on Pixabay
Creating a Culture of Cyber-Safety
Too often, organizations focus their cybersecurity concerns on electronic healthcare records only. A more thorough approach would include anywhere in the healthcare data network, such as management software, mobile and connected devices, and legacy systems. The good news is that you are not alone in facing this challenge. The CISA, the U.S. Cybersecurity and Information Security Agency, has resources to help organizations improve their electronic defenses and patient safety.
A Four-Step Program for Protecting Patient Data
The U.S. Department of Health and Human Services recommends four basic steps to improve the safety of electronic patient records. HHS best practices include:
- Maintain offline, encrypted backups of data and regularly test backups.
- Conduct regular scans to identify and address vulnerabilities, especially on internet-facing devices, to limit the attack surface.
- Regular patches and updates of software and operating systems.
- You are training your employees regarding phishing and other common IT attacks.
An even more comprehensive checklist is available through healthit.gov
Electronic medical technology has done a world of good — ask any patient to be informed and comforted by electronic access to their medical records. And that doesn’t even consider the many health benefits of streamlining and centralizing medical information. But this significant step forward has a price beyond dollar costs and savings. The cost is informed vigilance in a changing world.
Frances Black