If we asked you what you’re doing to keep patients safe in your facility, HAIs might come to mind. You’ve invested in the tools, training, and building updates to prevent the spread of infection. You might consider your hiring practices, your investment in diagnostic tools and training programs, and your efforts to prevent malpractice and ensure better patient outcomes. On the IT side, you might consider how you secure workstations with passwords, anti-virus, and other measures to keep PHI and ePHI safe and accessible in order to comply with HIPAA.
But there are some very important reasons that it’s time to think beyond these traditionally identified risks and invest in the healthcare IT infrastructure needed to address the modern risks to patient safety.
Here’s what you need to know.
Attacks Are More Frequent and Organized Than You Think
Securing patient data isn’t what it used to be. Cyber attacks today are sophisticated. They’re organized, well-funded, and they employ skilled people to accomplish their goals.
What are those goals? They’re not simply trying to steal patient information. Often they’re trying to manipulate information, or to hold ePHI hostage by exploiting your need to keep it accessible to treat patients. And the fact is that most healthcare systems are woefully unprepared.
While such attacks may seem rare, they are not as infrequent as you might think. In the past 10 years, nearly 2,000,000 patients were affected, and the past five years have seen an increase of over 30%. Big names you know, including Anthem, Advocate Health, and Blue Cross Blue Shield, have all fallen prey. These organizations and others have since increased their security investment, but only after suffering HIPAA penalties, reputation loss, and compromises of patient safety that far exceeded those investment costs.
Why Is the Risk So Great?
Historically, when it comes to securing patient data, risk has not been communicated clearly and risk assessments have not been thorough. In healthcare in particular, many leaders don’t have a clear understanding of the risk at different levels or of how likely these attacks are. They may feel they’re protected if they train employees on protecting PHI and invest in firewalls. Those are important, but they are not enough.
Because of this lack of understanding, funds get spent elsewhere, and that has pushed many organizations to the breaking point, where really securing patient data must become their top priority if they want to keep patients safe.
Thinking Beyond the Workstation
Most organizations perform the control-focused risk assessments required by HIPAA but fail to consider all of their risks. Healthcare IT security extends far beyond the nurse’s station. Among the least protected assets are the Internet of Things (IoT) devices now connected to the network, including but not limited to:
- Medical devices like telemetry units, pacemakers, and other monitors
- Surgical robots
- Pharmaceutical robots
Today, IoT devices often outnumber traditional assets on a hospital network, yet they are comparatively insecure: many run firmware that is rarely patched, ship with default credentials, and cannot run the endpoint protection you put on workstations. What risk does this pose to patients?
- Blood type altered
- Telemetry data changed
- Allergies removed
- Shutting down a pacemaker
While you may wonder why someone would want to do these things, consider just how detrimental they would be to your ability to function and how many lives would be at stake. If it came down to it, what would you pay to prevent this? Cybercriminals have a good idea, and like so many things in life, it often comes down to the money they can extort from you.
The financial sector knows these risks. On average, it pays what comes out to over $2,000 per employee per year to keep financial data safe. The healthcare sector, where patients’ lives and not just their portfolios are at stake, spends less than half that.
Confidentiality, Integrity, Availability
This is what it comes down to. Confidentiality. Integrity. Availability. Most healthcare organizations have the confidentiality part reasonably under control through human resources and healthcare IT. Yet integrity and availability are most at risk today. Criminals can lock down ePHI for ransom, which is loud and obvious. They can also quietly alter patient data, which is harder to notice because every system keeps running and simply serves the wrong values; unless records are protected by something that detects modification, an altered blood type or a removed allergy looks exactly like a legitimate chart update.
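The integrity point above is the one most organizations have no technical control for, so here is an added example (not code from the original page) of the simplest such control: an HMAC tag computed over each record by an integrity service that holds a secret key the database itself does not. If an attacker with write access to the record store changes a field, the tag no longer verifies; because the record id is part of what is signed, a valid tag cannot be copied from one patient to another either. The key, the record layout and the patient data below are all constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment this would live in a key vault or HSM
# on the integrity service, never in the record store the attacker can reach.
KEY = b"demo-key-do-not-use-in-production"


def canonical(record):
    """Serialize deterministically so that field order does not change the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record, key=KEY):
    """Return an HMAC-SHA256 tag over the whole record, including its id."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(record, tag, key=KEY):
    """Constant-time comparison so verification itself cannot be used as an oracle."""
    return hmac.compare_digest(seal_record(record, key), tag)


def audit(records, tags, key=KEY):
    """Return the ids of records whose tag is missing or no longer matches."""
    bad = []
    for rid, rec in records.items():
        tag = tags.get(rid)
        if tag is None or not verify_record(rec, tag, key):
            bad.append(rid)
    return sorted(bad)


# Constructed sample records (not real patients). Tags are computed at write time.
RECORDS = {
    "p1": {"id": "p1", "blood_type": "O-", "allergies": ["penicillin"]},
    "p2": {"id": "p2", "blood_type": "A+", "allergies": []},
}
TAGS = {rid: seal_record(rec) for rid, rec in RECORDS.items()}


def demo():
    """Simulate an attacker editing p1 directly in the database: change the
    blood type and remove the allergy. The audit should flag p1 and only p1."""
    tampered = {rid: dict(rec) for rid, rec in RECORDS.items()}
    tampered["p1"]["blood_type"] = "AB+"
    tampered["p1"]["allergies"] = []
    return audit(tampered, TAGS)


if __name__ == "__main__":
    print("tampered records:", demo())
```

Run the audit on a schedule and on every read that feeds a clinical decision (transfusion, medication order), and alert on any failure. This does not stop the write; it makes the write detectable, which is the property ransomware-style integrity attacks rely on you not having.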
Developing a Healthcare IT Security Plan
Organizational leaders need to take a more holistic view of healthcare IT security and better understand the risks involved. Then it’s time to begin developing a strategy to both secure data now and plan for the future, with these vital steps.
- Comprehensively assess risk at every level, including the networked medical and IoT devices that traditional assessments skip.
- Develop a budget. The budget should match the level of risk, so get informed first.
- Develop your strategy. Your response should be holistic and comprehensive. Don’t spend everything in one area and leave others vulnerable.
- Begin bringing in the people you need to develop longer-term solutions. It’s not easy to hire the level of expertise you’ll need, so the best thing you can do is partner with a healthcare IT company that understands the real risks facing patient data today.
- Put systems in place to identify breaches more quickly and close the gaps, inoculating against future attacks.
- Consider cloud-based storage for backups to maintain availability. The cloud industry has invested heavily in security, but backups only protect availability if an attacker who already controls your network cannot reach them: keep at least one copy offline or immutable, encrypt it, and test restores regularly. Remember to get a Business Associate Agreement (BAA) signed before giving any provider access to ePHI, and research the most secure cloud services capable of handling your volume and accessibility needs.
- Implement longer-term solutions that are both comprehensive and scalable to meet your future needs.
Cybersecurity threats are getting more sophisticated, but the good news is that you can start implementing steps now to significantly reduce your risk and keep patients safe.