The path to protecting health data: 10 steps to get started
The information in your medical records can be more valuable than your credit card numbers to a cybercriminal.
Experts estimate healthcare data is 50 times more valuable to hackers than stolen credit card information. With access to names, home addresses, birth dates, policy numbers, diagnosis codes and billing information, cybercriminals can do real damage. They can create fake IDs to buy drugs, buy and resell expensive medical equipment, file false insurance claims in your name and much more.
While consumers/patients have some responsibility for using and securing high strength passwords, the healthcare industry also bears a burden to help ensure that patient information is protected.
The burden of protecting data falls largely on the healthcare industry. This is actually where the breakdown is happening. In August 2016 alone, the Office of Civil Rights reported more than 8.7 million electronic health records (EHRs) were exposed to hackers or stolen.
The path to protecting information starts with leadership, funding, reorganization, board buy-in and corporate culture. Hospitals and healthcare systems need prevention and treatment technologies, threat detection like email scanning, behavior analytics and remediation strategies.
Technology alone won’t solve for the growing risk of a cybersecurity breach. Doctors, nurses, technicians, lab workers, office staff and more must all play their part to keep patient data protected.
New technology, more devices, social media
Doctors live in the same world as we do. They text to make dinner plans, video chat with relatives in other states and snap-and-post a picture of anything memorable. The line between the world and hospitals is blurring, especially as more Millennial doctors appear on the scene. Doctors want, even expect, new tools and technology.
The number of medical devices in U.S. hospitals grew 62% from 1995 to 2010. In 2010, it was common to see 10-15 devices by a patient’s bed. That number is likely higher today. By 2014, at least 20% of medical devices connected back to a patient’s EHR.4 Many of those devices were, and still are, using outdated technology systems, making them vulnerable to attacks.
Along with more medical devices, there are also more mobile devices. Those pose a security concern too. Doctors may carry a personal phone and tablet in addition to their secured work devices. And chances are, they favor their personal device.
What if the doctor accesses the patient’s data on a personal tablet? The hacker has an immediate opening. Often personal and work apps coexist on the same device. The compromise of a personal app can lead to access to sensitive patient data. These apps can deploy malware into the hospital’s patient database, or just sniff for unencrypted data or passwords.
Many patients want to be able to text their doctors and doctors’ offices. Proper security and authentication must come first. And these are just some of the many ways we’re now open to attacks that did not exist a decade ago.
Protecting health data: Start a security overhaul
Many hospitals will need to make serious changes to defend against possible cyberattacks.
Here are 10 steps to get started:
1. Find areas of vulnerability. Work with a third-party to conduct an in-depth audit. Identify any areas of potential weakness.
2. Set up the right alarms and tools. Start using network and security tools that will quickly find issues and alert in the event of an attack. Look for products and services that control data flow with minimal disruptions.
3. Highly secure all devices. Try to make sure all parties’ devices are protected. Phones, computers, connected medical devices, etc. should all be included in a security plan.
4. Disconnect or protect old technology. Use encryption and authentication tools and protocols. Isolate medical devices that have outdated OS or security technology.
5. Analyze actions. Is a doctor, who was at the hospital today, appearing to try and access data from another country tonight? It may not be the doctor. User-behavior analytics tools can help stop cybercrimes.
6. Look at inbound and outbound traffic. Global analytics models help find threats directed toward, or even coming from, your hospital.
7. Test, test, test. Regularly check all systems for vulnerabilities.
8. Help employees be vigilant. Educate employees regularly and frequently.
9. Manage vendors and associates. Make sure their systems and communication tools are up to your standards. They can be a weak point, and you may be liable.
10. Prepare for the worst. Have a thorough breach response plan ready to go if needed.
Threats are constantly evolving. Tomorrow’s new technologies and trends will bring new vulnerabilities. Hospitals must be vigilant against cyberattacks.