Preventing A Hospital Data Breach
Dawn Pascale
If you think that cybercriminals are only interested in hijacking credit card data from big retailers or taking down government websites, think again. And, if you think the only option to stop these evil wrongdoers exists exclusively in the pages of Marvel Comics, you are mistaken.
Because healthcare is highly regulated and responsible for handling people’s most sensitive information, you’d be forgiven if you believe the industry does a better job of protecting its data from hackers than other sectors. Unfortunately, it doesn’t. In fact, the truth is probably more alarming than you could have imagined.
Respondents to the 2014 PricewaterhouseCoopers (PwC) US State of Cybercrime Survey reported that the unintentional exposure of private or sensitive data in healthcare was the highest of any industry. In fact, it was much, much higher. The theft of personal information was 83 percent more common in hospitals and other health systems than in any of the other industries surveyed, which included banking and finance, government, information/telecom, and insurance.
Ninety percent of the healthcare respondents in a 2014 Ponemon Institute survey had at least one data breach in the previous two years. Thirty-eight percent reported five or more incidents. Last year, Community Health Systems, which operates 206 hospitals across the US, suffered a breach that resulted in the theft of data from 4.5 million patients. The stolen information included names, Social Security numbers, physical addresses, and telephone numbers.
The reason cited for most of the healthcare breaches was “insider negligence.” That negligence may include everything from insufficient passwords—those that don’t contain enough letters, numbers, and symbols or aren’t long enough—to employee theft. In fact, it’s estimated that “malicious insiders” are responsible for one quarter of all hospital data breaches, 92 percent of which go undetected. With these staggering statistics, you may start to think it may take something faster than a speeding bullet or more powerful than a locomotive to stop these cybercriminals.
Because private health information (PHI) can be a virtual mother lode for hackers, security experts recommend the following first steps to lock down your data:
Monitor and audit staff. The lack of security awareness among your employees is your biggest risk and the hardest to remediate. Coady advises healthcare CIOs to implement controls that manage staff identity and data access; for instance, providing users with different access rights depending on their position in the hospital. He also suggests organizations perform biannual audits to make sure everyone in the system has the correct access. CIOs need to implement a plan to educate and re-educate their employees on HIPPA regulations.
Inoculate your data. With the rapid implementation of EHRs, hospitals have had to deal with a literal data overload in recent years. Patients often cite privacy as one of their main concerns when it comes to digitized health records, so there’s no excuse for hospitals not to know where—and on which servers—valuable information is stored. Also, insist on encryption of data on all portable devices. From 2009 to present, the loss or theft of unencrypted portable devices have made up over a third of the all large breach incidents and impacted over 50 percent of all health records put at risk.
Perform penetration tests. In an article for Hospitals & Health Networks, the trade publication of the American Hospital Association, Linda Fletcher, an information security officer with Indiana-based Franciscan Alliance, suggests hospitals employ a proactive strategy of hiring so-called “white hat hackers” to test system vulnerabilities “before bad actors wreak havoc.” According to a 2014 report by the Pew Research Center, cyber-attacks on countries and corporations are likely to increase in the next decade.
Scrutinize vendors. Third-party vendors with access to hospital data can often simply “walk away” with valuable information if you’re not paying attention. In an article for Becker’s Health IT and CIO Review, Alison Brunelle, a cyber-risk specialist at Deloitte & Touche, says hospitals should be “very explicit when it comes to drafting business associate contracts.” Not only should outside vendors be held to the same high standards as employees, she says, hospitals should reserve and exercise the right to audit them as well.
At the end of the day, your ultimate goal is to create a culture of breach-prevention within the organization. Once this belief is established, employees will begin to view data security as their responsibility; not just another useless organizational policy. Fortunately, more and more healthcare CIOs are getting the message about the importance of securing sensitive data. Although the 38 percent of hospitals in the aforementioned Ponemon report with five or more breaches may sound frightening, the number was down from 45 percent in the previous survey. While fending off cybercriminals may seem like a task reserved only for a superhuman caped crusader, a little due diligence can actually go a long way toward protecting your data—and your business.