One of the challenges that keeps healthcare leaders up at night more than any other is managing cyber security threats to health data management. Unfortunately, there have been a variety of recent incidents in which patient records have been stolen. As EMR & HIPAA reports, research has shown that attackers have recently stolen at least 600,000 patient records. In addition, an increasing number of hospitals are being struck by ransomware attacks, according to HealthcareITNews. This is a large, growing problem that is only going to get more complex and challenging. As such, there’s little doubt that managing cyber security threats to personal health information has become a number one priority for nearly every healthcare IT organization.
Protecting health information can be a difficult task, especially as the healthcare industry continues to get pushed into being more open and connected with its use of technology and data. While connected IT systems can be great for lowering healthcare costs and improving patient care, they also come with a slew of security challenges.
No Bulletproof Solution
So what can an organization do to protect itself against hacking, phishing, malware and ransomware? Unfortunately, there’s no bulletproof solution that will ensure that you’re 100 percent secure. As a healthcare leader, you should focus your efforts on two main risk areas: your team and your partners.
In order to truly protect the personal health information in your care, you need to invest in firewalls, anti-virus and encryption, but one of the biggest vulnerabilities you must manage is your people. It’s crucial to ensure that all of your employees have a deep understanding of, and a vested interest in, the security of your organization. Unfortunately, a culture of security doesn’t happen overnight and it’s not easy to create. Leadership at all levels must come together to ensure that cyber security is considered and implemented throughout the organization. After all, the chief security officer can only be in one place at one time, but the organization as a whole can identify, fix and report the cyber security threats that exist.
Beyond your own team, your partners can be a major risk to the security of the patient health information you collect. Many of these partners are moving to the cloud, which comes with many advantages, but also presents new cyber security threats. As such, it’s important to make sure that your partners have signed business associate agreements and that they are following through with good HIPAA practices.
Trust, But Verify
Unfortunately, many healthcare organizations stop there; they file away the business associate agreement and move on. However, assuming that business associates will comply with HIPAA and implement effective cyber security measures is a flawed assumption that presents a tremendous risk to organizations. When ensuring that your partners are securing your health information effectively, it’s good to follow the old adage, “Trust, but verify.” As you verify your partner’s efforts to secure your health data and comply with HIPAA, you shouldn’t be afraid to ask the company to show (rather than tell) you what they’re doing. After all, just because a partner says they’re compliant doesn’t mean they actually are compliant. It’s important to remember that you are still held equally responsible for data that is stored at a partner’s facility. As such, you may even want to assign someone in your organization to be specifically responsible for overseeing your partners’ security and privacy efforts.
While mitigating these two risk areas is a massive step in the right direction, breaches are still almost inevitable. Along with working to manage cyber security threats to your organization, it’s important to have a solid plan in place for when a breach does occur. At the core of any crisis response is a great communication strategy, and that’s never more true than when a cyber security incident occurs. As such, you need a plan for communicating with providers, patients, partners, the media and IT professionals.
Along with great communication, you need a well-thought-out and robust backup and business continuity strategy. These strategies are particularly important in ransomware incidents, which can leave your systems locked down. Ask yourself the following questions: Where are your backups stored? How quickly can they be restored? Have you tested them to make sure they can actually be restored? Do you have both onsite and offsite backups? How often are you creating a backup? Thorough backup and business continuity planning can ensure your organization minimizes system downtime when a breach occurs.
In light of recent healthcare breaches, the industry has begun to wake up to impending cyber security risks. However, most healthcare organizations can make more of an effort to create a culture of security and privacy amongst their teams and their partners, and they should make these changes now, before it’s too late.