The use of technology in healthcare has produced many benefits, but it also presents some risks. One of the biggest risks healthcare organizations face using technology to gather patient data is a data breach. Five of the eight largest healthcare cybersecurity breaches since 2010 occurred in 2015, making healthcare the top industry for cyberattacks.
So what can be done to prevent security breaches in healthcare? Many healthcare organizations are looking to cybersecurity to help protect their data. Cybersecurity is the state of being protected against the criminal or unauthorized use of electronic data or the measures taken to achieve this. The United States government passed the Cybersecurity Act of 2015 to give companies the ability to share cybersecurity information with federal agencies while providing liability protection and antitrust exemption for those sharing information.
“The State of Cybersecurity in Healthcare Organizations in 2016” report released by ESET® noted that only half of healthcare organizations have an incident response plan in place in the case of a data breach, even though the healthcare industry experiences at least one cyberattack per month. According to the PwC Health Research Institute, preventive cybersecurity costs approximately $8 per patient record, while the estimated cost of a major breach is $200 per record.
Perhaps one of the reasons so many healthcare providers don’t have cybersecurity measures in place is because doing so involves a complex process. Appropriate preventive and incident response policies and procedures require the work of a collaborative team focused on putting realistic security guidelines in place.
The American Hospital Association recommends the following six topic actions to manage hospital cybersecurity risks:
Establish procedures and a core cybersecurity team to identify and mitigate risks, including board involvement as appropriate.
Develop a cybersecurity investigation and incident response plan that is mindful of the Cybersecurity Framework being drafted by the National Institute of Standards and Technology. The Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The core components of the Framework consist of:
Investigate the medical devices used by the hospital in accordance with the June 2013 Food and Drug Administration guidance to ensure that the devices include intrusion detection and prevention assistance and are not currently infected with malware.
Review, test, evaluate and modify, as appropriate, the hospital’s incident response plans and data breach plans to ensure that the plans remain as current as possible in the changing cyber threat environment. Even though this is a significant resource commitment, it will payoff if your organization has a data breach. A data breach plan should cover the following at the very least:
- Extensive documentation of events leading up and following the data breach
- Immediate communication to appropriate parties
- Activation of response team including legal counsel
- Identification of cause
- Process to fix the breach
- Deployment plan to begin notifying the affected victims of the breach
Consider engaging in regional or national information-sharing organizations to learn more about the cybersecurity risks faced by hospitals.
Review the hospital’s insurance coverage to determine whether the current coverage is adequate and appropriate given cybersecurity risks.
Similarly, the ONC offers its top ten tips for promoting cybersecurity in a healthcare setting:
Establish a security culture - make security is a focus and responsibility of all employees
Protect mobile devices - make sure the data is encrypted
Maintain good computer habits - set up good practices for software updates and data archival
Use a firewall - it should be constantly monitored and maintained by a specialist
Install and maintain antivirus software - keep virus definitions updated
Plan for the unexpected - recovery planning is vital when emergencies occur
Control access to PHI - grant PHI access only to people with a “need to know”
Use strong passwords, and change them regularly - make passwords more than eight characters and require at least one uppercase, number and special character
Limit network access - make sure networks are encrypted and wifi is secure
Control physical access - know where your devices are at all times
At Syntrix Consulting, our certified consultants have extensive experience with healthcare facilities and can work with you to make sense of your data. We can help you ensure accessibility to data while working within the confines of data security policies. Contact us today for a free consultation: