While electronic health records (EHRs) offer incredible advantages for quickly accessing patient data, eliminating fragmentation, and improving information sharing, they also present security challenges. A shocking 41,335,889 patient records were leaked during data breaches in 2019. For conscientious healthcare providers legally responsible for protecting sensitive information and following federal Health Insurance Portability and Accountability Act (HIPAA) regulations, this raises grave concerns.
The Impact of Healthcare Cyberattacks
Health records have become a valuable commodity among hackers because EHRs offer identity information more comprehensive than almost any other type of record. Beyond bank account numbers, credit card information, and Social Security numbers, these records include family members’ names and ages, residential history, and every medical visit and diagnosis. When this information lands in the hands of nefarious persons, the results can range from fraud to identity theft to extortion. In fact, these records provide such valuable information that hackers can sell a single stolen medical record for up to $1,000.
EHRs aren’t the only points of vulnerability in healthcare for security breaches. As with every industry, healthcare increasingly relies on information technology (IT) and digital connectivity to work effectively and innovatively. This dependence introduces other security dangers and potential interference.
In healthcare, cyberattacks can cause disruptions that prevent patients from getting critical care and quite literally cost lives. As a recent Health Care Industry Cybersecurity Task Force report put it, “Health care industry cybersecurity issues are, at their heart, patient safety issues.”
Unfortunately, in recent years cyberattacks on the health industry have spiked. HIPAA Journal’s 2019 Healthcare Data Breach Report found that data breaches shot up 37.4% between 2018 and 2019. Ransomware attacks are also becoming increasingly common. In October 2019, hackers held DCH Health System’s IT network hostage, forcing affected hospitals to cancel surgeries and turn away new patients until an undisclosed amount of money was paid. Attacks such as these rose a stunning 350% in the last quarter of 2019, according to a Corvus report.
In 2019 hackers hit 90% of hospitals with email-based cyberattacks, attempting to gain unauthorized access to private data. This resulted in downtime for 72% of the targeted organizations. Additionally, mobile devices and cloud services used by healthcare institutions and healthcare professionals are also under attack. Almost 38% of healthcare organizations reported breaches to their devices in the previous year, according to a 2020 Verizon report.
Despite the stark numbers, healthcare administration leaders can protect their organizations by taking strategic actions to safeguard information and systems. Healthcare providers’ end-to-end data security strategies should consist of five major elements.
1. Control Access to Sensitive Healthcare Information and Systems
Who should have access to sensitive health data? How can healthcare organizations ensure that those trying to access information are authorized to view it? Are there circumstances in which an authorized user should be denied access to data? Effective management of healthcare data access controls addresses these questions to keep information and systems safe.
Access controls allow healthcare organizations to manage their data and decide who has access to it. First, access controls help authenticate a user’s identity, guaranteeing that users are who they say they are. Next, these controls authorize access to secure information, determining whether a user has permission to take a certain action or view a specific item. Together, authentication and authorization keep data secure.
The best way to keep data secure is to make it available only on a need-to-know basis. Access controls allow for this. Healthcare organizations must determine what information is relevant to whom and set access controls accordingly. After all, the data relevant to a billing specialist may not be relevant to a physician, and vice versa. Accounting for these differences and setting controls accordingly allows healthcare organizations to limit unnecessary risks.
Varying duties and responsibilities require different types of information, and not all data will be relevant to all staff. Access controls should be set accordingly, allowing billing specialists access to files relevant to their jobs and granting physicians access to the information they need to conduct their work.
The layers of regulations and the varied possibilities for access control settings can make establishing them complicated. Healthcare organizations must thoughtfully consider how to develop access controls that both provide needed security and avoid roadblocks that unnecessarily obstruct smooth operations.
The following tips can help ensure the effectiveness of healthcare data access controls:
- Restrict access to data and applications by authenticating users via two-factor authentication and other methods beyond simple usernames and passwords.
- Monitor and log all access attempts and use of sensitive healthcare information.
- Secure all mobile devices used by healthcare workers to access the healthcare service’s networks.
- Isolate devices that connect to healthcare networks as part of the growing Internet of Things (IoT).
- Lock down all remote-access connections to the networks by using virtual private networks (VPN) and other secure communication technologies.
- Adopt role-based access control (RBAC) to ensure that employees and others are able to access only the data resources they require to do their jobs.
- Encrypt all sensitive data while stored and while it travels through communication channels.
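The two steps described above, authentication followed by authorization, and the need-to-know principle behind RBAC can be shown in a short program. The following is an added example, not code from the article or from any EHR vendor; the role names, field sets, user directory, and patient record are all constructed for illustration, and a real system would use per-user random salts and a central policy store.

```python
"""Added example: minimal role-based access control (RBAC) for patient records.
Step 1 authenticates the user (who are they?), step 2 authorizes the request
(which fields may this role see?), and every attempt is written to an audit log.
Roles, field sets, users and the sample record are constructed, not real data."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Field-level need-to-know: each role sees only the fields its job requires.
# (Assumed role names and field sets.)
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"name", "dob", "diagnoses", "medications", "visits"},
    "billing":   {"name", "dob", "insurance_id", "visits"},
    "reception": {"name", "dob"},
}

# Constructed sample record; all values are fictitious.
RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "dob": "1980-01-01",
    "ssn": "000-00-0000",
    "insurance_id": "INS-12345",
    "diagnoses": ["example diagnosis"],
    "medications": ["example medication"],
    "visits": ["2024-01-15"],
}

_SALT = b"constructed-static-salt"  # real systems use a random salt per user

def _hash_pw(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 password hash (stand-in for a real credential store)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed user directory: password hash plus the user's single role.
USERS = {
    "dr_smith": {"pw": _hash_pw("correct horse", _SALT), "role": "physician"},
    "b_jones":  {"pw": _hash_pw("battery staple", _SALT), "role": "billing"},
}

AUDIT_LOG: List[dict] = []  # every access attempt is recorded, allowed or not

def authenticate(username: str, password: str) -> Optional[str]:
    """Step 1: verify identity. Returns the user's role on success, else None."""
    user = USERS.get(username)
    if user is None:
        return None
    # constant-time comparison so timing does not reveal how much matched
    if not hmac.compare_digest(user["pw"], _hash_pw(password, _SALT)):
        return None
    return user["role"]

def authorize(role: str, requested_fields: Set[str]) -> Set[str]:
    """Step 2: the subset of requested fields this role is permitted to view."""
    return requested_fields & ROLE_PERMISSIONS.get(role, set())

def read_record(username: str, password: str, fields: Set[str]) -> Optional[dict]:
    """Authenticate, then authorize, then return only the permitted fields."""
    role = authenticate(username, password)
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": username,
             "patient": RECORD["patient_id"], "requested": sorted(fields)}
    if role is None:
        AUDIT_LOG.append({**entry, "outcome": "auth_failed"})
        return None
    allowed = authorize(role, fields)
    AUDIT_LOG.append({**entry, "outcome": "ok", "role": role,
                      "granted": sorted(allowed), "denied": sorted(fields - allowed)})
    return {f: RECORD[f] for f in allowed}

if __name__ == "__main__":
    # A billing specialist asks for diagnoses as well; only billing fields come back.
    print(json.dumps(read_record("b_jones", "battery staple",
                                 {"name", "diagnoses", "insurance_id"}), indent=2))
    print(json.dumps(AUDIT_LOG, indent=2))
```

The denied fields are recorded in the audit entry alongside the granted ones, so a reviewer can later see not just who read a record but who repeatedly asked for data outside their role.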
2. Perform Continual Risk Assessments
New medical technologies continue to advance the healthcare industry’s ability to treat patients. Robotic helpers, monitoring devices, and other innovations allow providers to map patients’ bodies for surgical visualization; use robotic hands to perform less invasive, more-precise surgeries; and remotely track blood glucose levels in diabetes patients. However, they also pose added security risks.
Risk assessments play a critical role in managing threats to every aspect of healthcare vulnerable to cyberthreats. Healthcare risk assessments help hospitals, clinics, and doctor’s offices identify where they’re vulnerable to cyberattacks. More specifically, these assessments allow them to:
- Locate potential threats from within and without an organization
- Estimate the damage such threats could inflict if exploited
- Measure the likelihood of an attack
Performing ongoing risk assessments can help ensure data security in healthcare. Ultimately, risk assessments allow organizations to act preemptively to prevent security breaches, stop network and system shutdowns, and circumvent other security incidents. This can save money and help protect patients’ health. Risk assessments, which HIPAA regulations require, allow organizations to understand their weaknesses and vulnerabilities so that they can make strategic investments to protect themselves.
Keep in mind the following tips when planning and performing risk assessments:
- Conduct a data inventory to create a complete directory of all the data resources stored on the network, and confirm that the data has been classified with the appropriate level of protection.
- Run vulnerability tests continually to identify weak points in the network’s security as they occur.
- Extend the risk assessments to third-party networks that connect to the organization’s information systems whenever possible.
- Understand the steps required to comply with government regulations pertaining to healthcare data protections, including HIPAA and payment card industry (PCI) security standards, among other data security regulations.
3. Educate Users About Their Important Role as the First Line of Defense
Cybersecurity experts repeatedly warn that users are the weak link in keeping computer systems secure. Without awareness and education, healthcare staff can unwittingly open malicious emails, expose computer systems to viruses, or leave sensitive information unsecured. For this reason, all healthcare organizations should invest in employee training for cybersecurity healthcare.
Consider a report about the dangers of not training healthcare staff in cybersecurity best practices published in the “Journal of the American Medical Association.” Researchers simulated malicious phishing campaigns, sending out millions of emails to healthcare employees. They found that 14% of employees opened the emails, but in subsequent campaigns, those numbers dropped. This suggests that increasing people’s awareness about dangers can help them make more secure decisions.
Would-be hackers count on end-user mistakes. In fact, a new Proofpoint report suggests that for 99% of cyberattacks to be executed, users must take some sort of action: follow a link, open an email, download a file. It takes very little effort for a hacker to send fraudulent emails or upload infected files to cloud applications, which is why they often make users their initial targets.
Despite the initial investment in employee training for cybersecurity healthcare, organizations come out winning in the end. For example, according to data studied by Gartner, users without training click on 90% of links in emails coming from addresses outside of an organization. Gartner analysts estimate that the resulting infections lead to 15,000 lost work hours yearly. After training, only 30% of users open the links, leading to a 40% reduction in lost work hours.
When devising training programs, keep the following tips in mind:
- Train employees to identify emails that attempt to trick them into clicking on a link or performing some other action that infects the network with a virus (aka phishing attempts).
- Teach workers how to spot other social engineering techniques that cybercriminals use to plant ransomware in healthcare networks and commit other crimes.
- Focus employee training on security policies designed to reduce human errors, and educate employees to recognize the techniques that cybercriminals rely on to breach healthcare systems and plant ransomware and other malware.
- Lead by example in learning and consistently practicing the security best practices established by an organization.
4. Prepare for Attacks and Breaches with a Rock-Solid Backup and Recovery Plan
Healthcare organizations collect and store highly sensitive information, from medical research to patient records. Theft, exposure, or destruction of this data can have devastating consequences, such as setbacks to finding cures to diseases or stolen patient identities. Additionally, security incidents, such as ransomware attacks, can paralyze healthcare organizations and jeopardize patients’ health.
Planning for worst-case scenarios allows healthcare organizations to effectively limit the potential damage of security incidents. Data backup and recovery in healthcare are critical to the process. For example, the damage caused by the 2017 WannaCry ransomware attack against Britain’s National Health Service (NHS), which all but shut down the system and resulted in 19,000 canceled appointments, could have been mitigated if the NHS had kept an up-to-date recovery plan.
HIPAA regulations mandate that healthcare organizations have comprehensive:
- Data backup plans
- Disaster recovery plans
- Emergency mode operation plans
Data backup plans ensure that even in an emergency, healthcare providers can access the information needed to care for patients. Organizations can’t store information in only one location. They must use backup networks or the cloud, for example, to guarantee data remains uncompromised and available.
When developing comprehensive contingency plans to manage cyberattacks, keep the following in mind:
- Use off-site data backups to protect against natural disasters as well as cyberattacks and data breaches.
- Keep all applications and systems current by applying the latest patches and upgrades as soon as they become available.
- Understand that backups stored on network shares that aren’t mapped as network drives are still vulnerable to a ransomware attack on healthcare information systems if workstations can access the shares.
- Ensure that the organization’s data backups can be fully restored quickly in the event of a breach or ransomware attack.
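The last two tips, that a backup reachable from workstations can be altered and that a backup must prove restorable, both come down to one check: can the restored copy be shown to match what was backed up? The following is an added example, not code from the article or from any backup product. It records a SHA-256 manifest at backup time, signs the manifest with an HMAC key that is assumed to be kept off the network share (on the backup host only), and then verifies a restored copy against it; the sample files and the silently overwritten file in the tampered restore are constructed in a temporary directory.

```python
"""Added example: verify that a restored backup matches the backup-time manifest.
build_manifest() hashes every file at backup time; sign_manifest() binds the
manifest to a key assumed to live off the share; verify_restore() recomputes
hashes from the restored copy and reports every mismatch. demo() constructs
a small backup set and a tampered restore to exercise the checks."""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST_KEY = b"assumed-offline-manifest-key"  # placeholder; never stored beside the backup

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(backup_dir: Path) -> Dict[str, str]:
    """Relative POSIX path -> sha256 for every file in the backup set."""
    return {p.relative_to(backup_dir).as_posix(): sha256_file(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}

def sign_manifest(manifest: Dict[str, str]) -> str:
    """HMAC over the canonical JSON form, so edits to the manifest are detected too."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()

def verify_restore(restored_dir: Path, manifest: Dict[str, str], signature: str) -> List[str]:
    """Return a list of problems; an empty list means the restore matches the manifest."""
    if not hmac.compare_digest(sign_manifest(manifest), signature):
        return ["manifest signature mismatch: the manifest itself may have been altered"]
    problems = []
    for rel, expected in manifest.items():
        p = restored_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"content changed: {rel}")
    present = {p.relative_to(restored_dir).as_posix() for p in restored_dir.rglob("*") if p.is_file()}
    problems.extend(f"unexpected file: {rel}" for rel in sorted(present - set(manifest)))
    return problems

def demo() -> Dict[str, List[str]]:
    """Constructed backup set restored twice: once clean, once with one file
    overwritten and a stray file added (standing in for an undetected change)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "backup"
        (src / "ehr").mkdir(parents=True)
        (src / "ehr" / "patients.db").write_bytes(b"constructed sample database contents")
        (src / "ehr" / "schema.sql").write_text("CREATE TABLE patients (id INTEGER);\n")
        manifest = build_manifest(src)
        sig = sign_manifest(manifest)

        clean = Path(tmp) / "restore_clean"
        shutil.copytree(src, clean)
        clean_result = verify_restore(clean, manifest, sig)

        tampered = Path(tmp) / "restore_tampered"
        shutil.copytree(src, tampered)
        (tampered / "ehr" / "patients.db").write_bytes(b"\x00overwritten")
        (tampered / "ehr" / "patients.db.extra").write_bytes(b"stray file")
        tampered_result = verify_restore(tampered, manifest, sig)

        bad_sig = verify_restore(clean, manifest, "0" * 64)
    return {"clean": clean_result, "tampered": tampered_result, "bad_sig": bad_sig}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the restore test on a schedule, rather than only after an incident, is what turns the tip "ensure backups can be fully restored" into something the organization can actually demonstrate.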
5. Adopt a Zero-Trust Security Model
Cyberthreats can come from anywhere. They can also move within a network, so why should organizations’ systems ever grant automatic trust? The concept behind zero-trust security models suggests they shouldn’t.
Zero-trust security models are based on the idea that everything, whether it’s coming from within or outside of an organization, requires verification before being allowed to connect to an organization’s system. This approach cuts off access to Internet Protocol (IP) addresses, devices, and equipment until identities are authenticated and use is authorized.
The growing use of the Internet of Medical Things (IoMT), applications, and services in the healthcare industry makes it nearly impossible for security teams to have full visibility of all the data packets moving through an organization’s network. However, by stopping applications or services for verification, the zero-trust model helps networking teams understand what’s on their networks and what wants to get in. This allows them to better assess risks and locate malicious activity.
Cybersecurity experts say zero-trust models deliver the best security. Why? Today’s organizations don’t have contained systems. Instead they have staff, patients, and partners accessing their systems from different locations and devices. Zero-trust models account for this open structure. They use tools such as multifactor authentication, encryption, and analytics to evaluate the security of a request for access, and then only provide the bare minimum access needed to accomplish the task at hand. When setting up zero-trust models, keep the following in mind:
- Understand that it’s impossible to anticipate and prevent all inside threats or to ensure that third parties an organization partners with will not be the source of an attack on the healthcare institution’s data networks.
- Acknowledge that the perimeter-based security model for healthcare providers can’t accommodate the protection required for the IoMT, robotic health assistants, augmented reality, and advanced persistent threats (APTs). In addition to the protections described above, healthcare organizations must implement continuous risk assessment that responds immediately as new threats arise and security priorities change.
- Prepare for a growing share of an organization’s data assets residing in the cloud, which requires protecting cloud-based workloads and applications that are accessed from mobile devices and remote locations.
- Investigate the use of automation and artificial intelligence (AI) to secure a healthcare organization’s sensitive data, because it’s distributed more broadly across ever-expanding networks.
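The zero-trust idea in this section, that a request from inside the network gets no more trust than one from outside and that each request is checked for identity, device, and minimum scope, can be shown as a policy decision function. The following is an added example, not code from the article or from any zero-trust product; the device inventory, role scopes, internal network range, and sample requests are all constructed.

```python
"""Added example: a small zero-trust policy decision point. Every request is
evaluated on an authenticated identity with MFA, an enrolled and compliant
device, and the least-privilege scope the role holds for the resource. The
source address is recorded for logging but is never a basis for trust."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Assumed device inventory: device id -> passes posture check (enrolled, patched, etc.)
MANAGED_DEVICES: Dict[str, bool] = {"dev-1001": True, "dev-1002": False}

# Least-privilege scopes per role and resource (constructed).
SCOPES: Dict[str, Dict[str, Set[str]]] = {
    "physician": {"ehr": {"read", "write"}, "lab": {"read"}},
    "billing":   {"claims": {"read", "write"}, "ehr": {"read:demographics"}},
}

INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed corporate range

@dataclass
class Request:
    user: Optional[str]        # None if no authenticated session
    role: Optional[str]
    mfa_verified: bool         # did this session complete a second factor?
    device_id: Optional[str]
    source_ip: str
    resource: str
    action: str

@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    granted_scope: Set[str] = field(default_factory=set)

def evaluate(req: Request) -> Decision:
    """Deny by default; each check must pass before the next one is consulted."""
    inside = any(ip_address(req.source_ip) in net for net in INTERNAL_NETS)
    reasons = [f"source={'internal' if inside else 'external'} (logged, not trusted)"]
    if not req.user or not req.role:
        return Decision(False, reasons + ["no authenticated identity"])
    if not req.mfa_verified:
        return Decision(False, reasons + ["MFA not completed for this session"])
    if req.device_id is None or req.device_id not in MANAGED_DEVICES:
        return Decision(False, reasons + ["device not enrolled"])
    if not MANAGED_DEVICES[req.device_id]:
        return Decision(False, reasons + ["device fails posture check"])
    scope = SCOPES.get(req.role, {}).get(req.resource, set())
    if req.action not in scope:
        return Decision(False, reasons + [f"role {req.role} has no '{req.action}' on {req.resource}"])
    return Decision(True, reasons + ["identity, device and scope verified"], scope)

if __name__ == "__main__":
    # Same internal address, same user: the request is refused until MFA is done.
    for mfa in (False, True):
        d = evaluate(Request("dr_smith", "physician", mfa, "dev-1001", "10.1.2.3", "ehr", "write"))
        print(d.allowed, d.reasons)
```

Note that a request from the internal 10.0.0.0/8 range with no second factor is refused exactly as an external one would be; the network location appears in the decision's reasons only so that it ends up in the log.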
Combining Health and Business
Healthcare administration leaders must tackle many challenges to ensure their organizations run smoothly. They shape their organizations in key ways, doing everything from establishing data security in healthcare to managing healthcare systems and governance. This range of responsibilities requires comprehensive knowledge and skills.
AdventHealth University Online offers a dual degree program that cultivates the expertise healthcare administration leaders need. By combining the science of health with the world of business, AdventHealth University Online empowers graduates to thrive as healthcare administrators. Explore how earning an online Master of Healthcare Administration in Strategy and Innovation and Master of Business Administration (MHA/MBA) dual degree helps aspiring healthcare administration leaders pursue their professional goals.