As healthcare becomes more patient-driven, with greater emphasis on care outcomes, technology is playing a major role in the recording and sharing of medical information – not just between providers but also with pharmacies, healthcare institutions, insurers and the government. Electronic health records, or EHR, are the center of the healthcare information boom, especially since Medicare and other government agencies are mandating their use, relieving medical and insurance offices of stacks of paper claims and overflowing cabinets of medical records folders.
While easier storage and sharing of information is a positive development for patients and providers, it has expanded our digital footprints and increased the risk of theft by data miners and malicious hackers. Protecting medical and related data is much more complicated than it was just five years ago, according to Shields Health Group CIO Chuck Spurr. The good news is that the threats and vulnerabilities are finally being acknowledged and discussed by health organizations, but, as Bob Chaput of Clearwater Compliance believes, what is needed is a strategy to combat those threats and close the vulnerable loopholes.
In this white paper, we’ll examine the extent of the cyber security problems and learn what some organizations are doing to protect their healthcare data.
The problem: cyber security attacks put patient data and healthcare providers at risk
Until a few years ago, medical records were considered hacking’s second-tier. Now, it’s not just about gaining access to social security numbers but mining far more detailed medical information, as the rise of ransomware demonstrates.
With the rise of EHR come cybersecurity issues, ransomware being the biggest headache. Data breaches occur when information is compromised, either deliberately through hacking or through careless handling by office and other staff with access, such as leaving a portable hard drive where it can be stolen or leaving a laptop open with patient data exposed on screen. Currently (June 2017) ransomware protection is the top priority for the health and life sciences industry nationwide, according to Intel.
Consider these eye-popping numbers:
Government regulations affect patient data security
The Health Insurance Portability and Accountability Act (HIPAA) is a set of rules governing patient privacy and health records security by providers and other healthcare organizations. While most providers and others understand and follow these regulations, with the increase in government-mandated EHR, adhering to the HIPAA obligations is becoming increasingly challenging for many in the healthcare and life sciences industries.
Under these rules, if patient data is seen by someone not authorized to see it, federal law requires that physicians, hospitals, and other providers give the patient notice of a “breach” of their information.
The Payment Card Industry Data Security Standard (PCI DSS), which governs the security of payment (credit and debit) card data, is another compliance consideration as more patients use credit cards to pay medical bills.
With increasingly sophisticated malicious hacking attacks, it is obvious that cyber security can’t be achieved just by being compliant with federal guidelines: what else must health organizations do to protect their data?
Develop policies and guidelines for safely sharing and storing patient data
Have a cyber security expert evaluate your organization’s or office’s security readiness: only 59% of providers have a security-readiness plan in place, and an industry average of 58% have ransomware readiness, leaving much room for improvement. In addition:
Train the medical office staff, including reception, back-office, providers and anyone else using or able to access data, to be aware of potential breaches. According to cybersecurity experts, most breaches occur due to human error and carelessness rather than technology failings. Many hackers watch for staff or other users to become careless and are quick to take advantage of lapses in vigilance.
A data breach has occurred – now what?
It is critical that healthcare organizations, whether sole practitioners or large hospitals, take a proactive stance in preventing cyber attacks on their patient data. Bringing in cyber security IT experts for an evaluation is the first necessary step; that evaluation should ensure encryption is in place, software is kept updated and other protective measures are applied, and it should include the organization’s staff in the planning and implementation of preventive measures.
Finally, have a response plan ready for when the inevitable happens to contain and minimize damage, as well as to notify patients, law enforcement, and other affected parties.