So what can be done to prevent security breaches in healthcare? Many healthcare organizations are looking to cybersecurity to help protect their data. Cybersecurity is the state of being protected against the criminal or unauthorized use of electronic data or the measures taken to achieve this. The United States government passed the Cybersecurity Act of 2015 to give companies the ability to share cybersecurity information with federal agencies while providing liability protection and antitrust exemption for those sharing information.
“The State of Cybersecurity in Healthcare Organizations in 2016” report released by ESET® noted that only half of healthcare organizations have an incident response plan in place in the case of a data breach, even though the healthcare industry experiences at least one cyberattack per month. According to the PwC Health Research Institute, preventive cybersecurity costs approximately $8 per patient record, while the estimated cost of a major breach is $200 per record.
Perhaps one of the reasons so many healthcare providers don’t have cybersecurity measures in place is because doing so involves a complex process. Appropriate preventive and incident response policies and procedures require the work of a collaborative team focused on putting realistic security guidelines in place.
The American Hospital Association recommends the following six actions to manage hospital cybersecurity risks:
Establish procedures and a core cybersecurity team to identify and mitigate risks, including board involvement as appropriate.
Develop a cybersecurity investigation and incident response plan that is mindful of the Cybersecurity Framework being drafted by the National Institute of Standards and Technology. The Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The core components of the Framework consist of:
Investigate the medical devices used by the hospital in accordance with the June 2013 Food and Drug Administration guidance to ensure that the devices include intrusion detection and prevention assistance and are not currently infected with malware.
Review, test, evaluate and modify, as appropriate, the hospital’s incident response plans and data breach plans to ensure that the plans remain as current as possible in the changing cyber threat environment. Even though this is a significant resource commitment, it will pay off if your organization has a data breach. A data breach plan should cover the following at the very least:
Consider engaging in regional or national information-sharing organizations to learn more about the cybersecurity risks faced by hospitals.
Review the hospital’s insurance coverage to determine whether the current coverage is adequate and appropriate given cybersecurity risks.
Similarly, the ONC (Office of the National Coordinator for Health Information Technology) offers its top ten tips for promoting cybersecurity in a healthcare setting:
Establish a security culture - make security a focus and responsibility of all employees
Protect mobile devices - make sure the data is encrypted
Maintain good computer habits - set up good practices for software updates and data archival
Use a firewall - it should be constantly monitored and maintained by a specialist
Install and maintain antivirus software - keep virus definitions updated
Plan for the unexpected - recovery planning is vital when emergencies occur
Control access to PHI - grant PHI access only to people with a “need to know”
Use strong passwords, and change them regularly - make passwords longer than eight characters and require at least one uppercase letter, one number and one special character
Limit network access - make sure network traffic is encrypted and Wi-Fi is secured
Control physical access - know where your devices are at all times
At Syntrix Consulting, our certified consultants have extensive experience with healthcare facilities and can work with you to make sense of your data. We can help you ensure accessibility to data while working within the confines of data security policies. Contact us today for a free consultation: