Last year was a discouraging one for healthcare data security, and this year seems to be off to a rocky start as well. With attacks becoming more commonplace and damaging—and with medical information more valuable than ever—healthcare organizations are beginning to put a greater and much-needed focus on protecting patient data.
According to a survey by KPMG, 47 percent of healthcare providers and health plans said they had faced security-related HIPAA violations or cyber-attacks that compromised patient data in 2017. That’s not a big surprise given that only 35 percent of respondents said they were “completely ready” to protect patient records.
Successful cyber-attacks reported last year included the following:
- Hackers launched two ransomware attacks on Colorado-based Longs Peak Family Practice during the same week. A forensic security firm later found that the practice's systems had been accessed on two separate occasions.
- A security breach at Henry Ford Health System gave hackers access to data on roughly 18,470 of its patients when someone gained access to the email credentials of a group of employees.
- Data on 20,431 patients cared for by health system Lifespan Corporation was exposed after someone broke into an employee’s car and stole their MacBook.
- A breach at a radiology center's system allowed cyber-attackers to access data on 106,000 patients cared for by the Mid-Michigan Physicians clinic. The medical records obtained by the attackers contained a range of sensitive information, including patient names, dates of birth, addresses, diagnoses and Social Security numbers.
Of course, these are just a few examples of the security problems healthcare providers faced last year. For a fuller look at incidents taking place last year, you need look no further than the so-called “Wall of Shame,” a record of healthcare security breaches maintained by the HHS Office for Civil Rights. The hundreds of incidents listed there are a reminder of how pervasive such problems have been.
Fortunately, providers are learning from last year’s problems and are taking new approaches to security. Hospitals, medical practices, and their partners have begun to find solutions to some of their biggest data security challenges. Here are five ways health systems are beginning to defend themselves better against malicious actors:
- Tightening up internal security: Research from the healthcare IT association HIMSS suggests that most healthcare security breaches are due to human errors or deliberate actions by rogue employees. In response, providers are taking steps to minimize employee-related incidents, including limiting access to privileged accounts, improving password security practices and training both medical and non-medical staff on red flags to watch out for when accessing patient data.
- Maintaining secure systems: Far too often, healthcare organizations’ systems aren’t updated as new security threats emerge, which makes it much easier for attackers to access their data. To protect themselves, providers are paying closer attention to emerging system vulnerabilities, including security issues arising from newer technologies such as mobile devices. Expect to see healthcare CIOs adopt new, tougher policies around use of personal devices for healthcare communication.
- Expanding health IT budgets: While healthcare organizations once spent far less than other industries on cybersecurity, that’s likely to change this year in response to last year’s cascade of attacks. According to one survey, 90 percent of healthcare leaders expect to spend more on cybersecurity technology and staff this year. As part of this initiative, providers will be recruiting healthcare IT staffers with a strong data security background.
- Adopting comprehensive security approaches: A growing number of healthcare organizations are adopting a “holistic” approach to cybersecurity. The holistic security model goes beyond technical fixes, incorporating human and physical factors in its approach. Providers who implement this model analyze the security culture of their organization, including the mindset of its leadership, IT governance, and the cybersecurity awareness of staff, partners, and contractors, then build a plan that fits the organization’s habits and perceptions.
- Adding a security leader to the C-suite: In an effort to manage threats from the top down, a growing number of providers have created a senior leadership position focused on information security. According to a recent study, 60 percent of respondents employed a Chief Information Security Officer or other senior information security leader. The CISO’s job typically includes shaping information security programs, driving the organizational change that supports these efforts, and creating a workplace culture that fosters cybersecurity awareness.
The truth is, the healthcare industry has historically been late to the game on cybersecurity. In recent years, healthcare IT budgets have accounted for a smaller percentage of revenue than virtually any other industry’s IT spending.
Today, though, most healthcare leaders realize that paying greater attention to cybersecurity is absolutely critical. After all, breaches are very expensive to repair, a public relations nightmare, and a potential legal disaster.
All told, it is a good thing that healthcare executives are beginning to devote money and staff time to cybersecurity problems. Once providers have developed more effective approaches to avoiding data breaches, they can stop looking over their shoulders and focus on patient care.