Cybersecurity is an increasingly challenging issue for healthcare providers and partners. It always has been, but now during this pandemic, the strain on health services around the world is having a particularly challenging impact on data security. Read on, and find out more about Cybersecurity in Healthcare and how to keep patient health data safe.
According to Black Book Research, the Covid-19 pandemic is likely to have a devastating impact on healthcare IT security in 2021 and beyond. It’s predicted that cyberattacks will “triple in 2021”, with “Seventy-three percent of a health system, hospital and physician organizations . . . unprepared to respond to cyberattacks.”
One serious challenge, besides more patients than ever requiring medical care, is that 90 percent of employees working from home haven’t received any extra training or support to keep patient data safe and compliant with regulations. Healthcare, partner and vendor organizations are completely unprepared for the new strains on systems alongside staff working from home.
The majority (80 percent) of healthcare organizations haven’t performed any cybersecurity incident drills for years, even though the number of attacks keeps rising and, according to the Black Book report, cybersecurity attacks are four times (4x) more likely against the healthcare sector than against any other.
According to Ponemon Institute research, “89% [healthcare organizations and vendors and other organizations that handle patient data] have experienced a healthcare data breach, and a full 50% of those breaches are attributable to criminal attacks.” Although many of these breaches affected fewer than 500 patient records, the average cost of an attack in 2014 – 2015 was over $2.2 million, and larger attacks have only driven the cost of cybercrime higher.
US healthcare organizations operate in a strict regulatory environment defined by the Health Insurance Portability and Accountability Act (HIPAA), which sets the standard for creating, using, storing, and handling electronic patient data. Let’s look at what this means and how it impacts the whole healthcare sector in the U.S.
HIPAA privacy and security for healthcare providers
HIPAA doesn’t mandate that healthcare organizations use particular technologies, encryption methods or security protocols. Instead, it spells out what must be achieved to protect patient data and its security, leaving each organization to choose how to keep that data as safe as possible.
There are two key components to HIPAA data security:
- HIPAA Security Rule: Every HIPAA-covered organization, which often includes vendors and partners in the healthcare sector, needs to take steps to safeguard the creation, use, receipt, and maintenance of electronic patient health data. These requirements cover the physical, administrative and technical safeguards for handling and managing patient health data and information.
- HIPAA Privacy Rule: Patient privacy and consent are an essential part of HIPAA regulations. The privacy of personal health information, including insurance, medical, and other records, is paramount. The Privacy Rule covers what HIPAA-covered organizations can do with this data, how the information can be used, and what can be disclosed with or without the patient’s consent.
Next, we are going to look at how patient data can be kept safe from cyberattacks, and remain HIPAA compliant.
Steps to keep Patient Health Data safe from cyberattacks
1. Implement access control
To stay compliant and keep patient and other sensitive data safe, you need to ensure that only those who need access have it. One of the most effective ways to achieve this is a combination of access control, monitoring, and multi-factor authentication options such as PIN codes, passcodes, physical tokens, and even biometrics.
2. Educate staff on data security
Staff, including those in partner organizations and especially those working from home, need to be educated in data security. Everyone needs to be aware of the risks, especially as those risks evolve, and of what to watch out for. As threats evolve, the education, awareness and day-to-day actions of staff who create, handle and share data need to evolve too.
Ensure there are continuous data security education programs in place, to protect staff, patient data, and the entire organization.
3. Automated security monitoring
Every work device, and every personal device from which staff access patient data through a VPN, should be monitored to ensure security is maintained. All it takes is one download or one piece of malware let loose to cause serious problems. With access controls and monitoring in place, the first sign of risky or malicious data activity can be spotted and blocked in real time to prevent a cyberattack from succeeding.
4. Encrypt data
Patient, personal and sensitive data should only be stored and transmitted in encrypted form. Keeping or sending unencrypted data is an unnecessary risk, and there is no excuse for it these days when the technology to avoid it is readily available.
5. Secure mobile devices
Increasingly, whether in hospitals and care facilities or when working from home, staff in this sector are using mobile devices that may not be secured and could expose patient data. When staff are using work devices, more options exist to harden and secure them. It’s recommended to use MDM (Mobile Device Management) for implementing policies on devices such as enforcing device encryption, password policies, and lockout policies.
These are only initial recommendations to get started. A comprehensive security strategy should be put in place to secure stored data, transmitted data, and devices throughout the environment.
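As an added illustration (not code from the article or from AppWell.Health), the following Python combines the access-control and monitoring recommendations above: each read of a patient record is checked against what the requester’s role actually needs, and an account that pulls more distinct patient records than expected in a short window is blocked in real time. The roles, field sets, threshold and sample access events are all constructed assumptions.

```python
# Role-gated access to patient records with real-time bulk-access monitoring.
# Added example; roles, thresholds and events below are constructed assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Minimum-necessary access: the record fields each role may read (assumed roles).
ROLE_FIELDS = {
    "physician": {"name", "diagnosis", "medications", "insurance"},
    "nurse": {"name", "medications"},
    "billing": {"name", "insurance"},
}
# Monitoring rule (assumed threshold): one account reading more than MAX_PATIENTS
# distinct patient records within WINDOW is treated as bulk access and blocked.
MAX_PATIENTS = 5
WINDOW = timedelta(minutes=10)

class AccessGate:
    def __init__(self):
        self._recent = defaultdict(deque)  # user -> deque of (time, patient_id)
        self.audit_log = []                # every decision, allowed or not, is kept

    def request(self, user, role, patient_id, field, ts):
        decision = self._decide(user, role, patient_id, field, ts)
        self.audit_log.append((ts.isoformat(), user, role, patient_id, field, decision))
        return decision

    def _decide(self, user, role, patient_id, field, ts):
        if field not in ROLE_FIELDS.get(role, set()):
            return "DENY:role"              # step 1: access control
        recent = self._recent[user]
        while recent and ts - recent[0][0] > WINDOW:
            recent.popleft()                # forget reads that fell out of the window
        seen = {pid for _, pid in recent}
        if patient_id not in seen and len(seen) >= MAX_PATIENTS:
            return "BLOCK:bulk-access"      # step 3: monitoring, blocked in real time
        recent.append((ts, patient_id))
        return "ALLOW"

def run_sample():
    """Replay constructed access events one second apart; returns the decisions."""
    gate = AccessGate()
    t0 = datetime(2021, 3, 1, 9, 0)
    events = [("nurse01", "nurse", "P100", "medications"),
              ("nurse01", "nurse", "P100", "insurance")]      # beyond a nurse's need
    events += [("bill07", "billing", f"P{n}", "insurance") for n in range(7)]  # bulk pull
    return [gate.request(u, r, p, f, t0 + timedelta(seconds=i))
            for i, (u, r, p, f) in enumerate(events)]
```

The audit log records denied and blocked requests as well as allowed ones, so the same data feeds both the real-time block and later incident review.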
Contact us to learn more about how our AppWell.Health Cybersecurity advisory team can help your organization improve security, improve patient health data privacy, and help build a strategic security roadmap.