According to the 2018 Horizon Report by Fortified Health Security, “over 40 percent of consumers would abandon or hesitate to use a health organization if it had been hacked”, and “many healthcare organizations could not survive the financial ramifications associated with declining patient volume”.
Healthcare organizations are faced with a particularly complex challenge, to which there is no simple solution. On one hand, they are required to ensure that electronic health records are easily accessible to both patients and practitioners, and on the other hand they must protect this information from hackers and do so with the limited resources available to them. To make matters worse, the frequency of healthcare breaches continues to rise. In the last 12 months, we have seen a 25% increase in the number of entities impacted by a cyber-security breach.
Hacking remains the biggest cyber-security threat to the industry, followed by data theft and unauthorized access/disclosure of sensitive patient data. The above report cites that “the fundamentals of security and risk management are usually missing”. Having a well-documented set of policies and procedures in place that are closely adhered to by all staff members is “at the heart of a strong security and risk management program”.
It goes without saying that in order to protect your sensitive data, you must know exactly where your data resides. According to the report, healthcare organizations “lack concise assets inventories”. Locating and classifying sensitive patient information enables organizations to allocate resources more effectively. For example, any data classified as “restricted” would be subject to tighter security controls than data classified as “public”. While it is possible to discover and classify electronic health records manually, these days there are a number of tools available that can automatically locate and classify ePHI.
Another area where healthcare organizations tend to fall short is vulnerability management. After all, the infamous WannaCry ransomware attack of May 2017 was propagated through an exploit targeting a vulnerability in older versions of Windows, even though a patch had already been made available. It is imperative that healthcare service providers focus on keeping their software up to date to prevent such attacks from recurring.
How Should Healthcare Organizations Proceed?
Well, the good news is that regulations such as the Health Insurance Portability and Accountability Act (HIPAA) provide a data security framework for organizations to work from. The bad news is that most healthcare organizations are not really adhering to the compliance requirements, even though a failure to comply with HIPAA can result in legal action and hefty fines. They often fail to implement an adequately robust data protection policy, and even when they do, it is rarely maintained. Service providers often fail to give staff members the training they need to identify hazardous data processing practices, and they tend to be very slow to seek outside assistance.
While it is true that healthcare organizations need to focus more on the fundamental aspects of data security as opposed to messing around with complex technologies, satisfying the HIPAA compliance requirements can be made a lot easier with the right technologies in place. To comply with HIPAA, organizations must be able to audit all access to the protected health information they hold. Likewise, they will need to be able to provide evidence of such audits to the supervisory authorities.