When it comes to investing in IT and data security, the healthcare field has been known to lag behind other business sectors. That underspending, coupled with the massive shift from paper to digital records in recent years, has put the industry in some crosshairs.
Protected healthcare information (PHI) is being targeted for theft because in many cases it is easier to steal than credit card data or financial records, for example, and healthcare records are much more valuable as well.
“Electronic health records (EHRs) include the personal, family, and billing information of their patients,” explains Dylan Sachs, director of identity theft services at BrandProtect, a company focused on detecting, analyzing and mitigating online incidents and cyber attacks. “They are virtually complete personal identity portfolios.”
On the black market, stolen health records command the highest premium, he adds, because the contents of EHRs provide cyber criminals with everything needed to wreak financial havoc by applying for credit cards or mortgages in another person’s name or even submitting tax returns.
Because protecting patients’ information is one of those thankless tasks that doesn’t directly impact patient care or payment for healthcare services, it can be easy to ignore, points out Steve Spearman, HCISPP, vice president of HIPAA compliance services at Healthicity, which provides auditing, compliance and analytics services for healthcare organizations.
But with the growing number of breaches and hacking attacks plaguing the industry, practices that ignore this ongoing threat do so at their own peril.
According to the 2016 Healthcare Information and Management Systems Society (HIMSS) Cybersecurity Survey, most health executives (87% of acute providers and 81% of non-acute providers) are elevating data security as a business priority.
When asked about the greatest vulnerabilities in terms of healthcare information, the biggest area of agreement from both acute and non-acute providers is email, followed by the growth in use of mobile devices and the internet of things (IoT) – the ever-growing network of physical objects connected to the internet.
“This (IoT) is going to be a really big deal as more and more devices show up on the internet within organizations,” says Rod Piechowski, MA, senior director of health information systems at HIMSS. “We’re talking about everything from industrial control devices to actual medical devices and tools within the organization.”
“Of course you get exponential growth in risk when you get more and more devices on a network,” he adds. “I think people are very aware of that and are rightfully paying attention to what’s coming down the line.”
The HIMSS survey findings also revealed that some of the most feared future threats include advanced persistent threat attacks and phishing attacks, but the largest perceived threat of all is ransomware.
Unlike data thefts, ransomware has the potential to completely shut down operations, explains Spearman. Hackers encrypt the data used to run key systems, and demand payment to recover it.
Based on the survey results, there are several big factors driving providers toward paying greater attention to cybersecurity.
In the proactive category, internal risk assessments are helping change behavior. These assessments are revealing increased threats and people are acting on that, says Piechowski, and that’s a positive development. In the reactive realm, on the other hand, the two key motivations relate to phishing attacks and viruses/malware.
Despite desires to enhance cybersecurity efforts, there are a variety of barriers that make it difficult to do so, including a lack of appropriate cybersecurity personnel, a lack of financial resources, and an overwhelming number of emerging threats.
While there’s no “one size fits all” solution to cyber threats, from Piechowski’s vantage point, overall awareness is one of the most crucial tools needed to better protect information.
“One of the main things you can do to avoid a lot of this is by having an organization that is aware of the threat and an organization in which security is seen as everyone’s responsibility and not just the information technology department,” he says.
Phil Richards agrees. The chief security officer at LANDESK – provider of an end-to-end service management solution for mobile, cloud, and personal computing environments – recommends educating staff members using general security awareness training.
“Most people want to obey the rules,” he notes. “By providing training, you are using your staff as agents to help address the problems.”
Encrypting data is another crucial step. Doing so on hard drives, laptops, workstations and USB drives helps reduce theft and loss, he adds, and a lost or stolen asset does not compromise the PHI data stored on it.
Paul Nicolaus is a Wisconsin-based freelance writer. Send comments, questions, or story ideas to nicolauswriting@gmail.com, or learn more at www.nicolauswriting.com.