It is no secret that healthcare systems are one of the top targets for data breaches. According to a recent Health Information and Management Systems Society survey, more than half of hospital executives reported that their hospitals had been targeted by ransomware in the past year.
CRN reported that data breaches increased by more than 35% from 2015 to 2016. Last year, the medical sector ranked second in the percentage of breaches reported, and it was ranked highest for the number of records compromised at more than 113 million, according to an Identity Theft Resource Center (ITRC) report.
While there are many reasons for this—which we will cover—what really matters is how healthcare companies can better protect themselves and the millions of patients that they serve from data breaches.
Why more data breaches?
One of the main reasons the healthcare industry is susceptible to security breaches is the rapid implementation of Electronic Health Records (EHRs). The adoption of EHRs rose from less than 10% in 2009 to 97% by 2014. This rush of implementation resulted in a lag in sufficient security measures.
Speaking of rush, another factor that inhibits healthcare companies from aggressively pursuing data protection is related to the nature of healthcare providers’ work. In many cases, physicians require urgent access to patients’ healthcare records to quickly provide necessary care. Cybersecurity precautions such as encryption could slow down their patient response time. Additionally, since healthcare systems are inherently integrated, cybersecurity upgrades would require multiple costly software and hardware updates. Complicating the situation, most medical devices have a long development lifecycle and are subsequently infrequently upgraded.
With more and more data driven by the Internet of Things (IoT), healthcare providers must consider data protection for all connected devices leveraged by employees working both onsite and in the field. These devices create new entry points for attackers and opportunities for a deluge of data. And while we’re on the subject of employees, the second most common type of data breaches in 2015 was employee error/negligence, according to the ITRC.
Healthcare will remain a top target for hackers due to the desirable information that it holds, including names, addresses, payment and health insurance information, social security numbers and more. These records are likely comprised of much deeper demographics that can be leveraged for identity theft, fraud or for sale on the dark web.
What measures can healthcare companies take?
- Identify vulnerabilities. Healthcare organizations must embrace a defense-in-depth approach that includes multiple layers of protection. To create this plan, companies should assess their risk and identify the locations where the most critical information is stored and travels. This information should be protected with technology so that the data is directly secured as the last line of defense when it’s in use and at rest.
- Weave security into the company culture. Since employee error is one of the top causes of a data breach, it is imperative that companies establish a security-first culture starting from the top-down. Leadership should lead by example, establishing data security as one of the company’s core values. Leaders should also invest more of an organization’s information technology budgets into ongoing security awareness trainings. This education will engender a security-focused culture in which safe computing practices and habits become second-nature.
- Don’t forget about mobile devices. Healthcare providers rely heavily on mobile computing devices. Home care, remote outpatient clinicians and health insurance providers leverage these devices to access private data and to store this information when working in the field—sometimes without internet connectivity. To better secure information handled on these devices, organizations can utilize data protection that encrypts, shreds and securely stores data in real-time.
- A watchful eye on vendors. Third-party vendors, such as subcontractors and business associates, are also a major cause of data breaches. Healthcare companies must ensure that their vendors have the proper security measures in place. Continuous vendor management oversight will enable organizations to spot security gaps and address them before a breach occurs. Leaders should confirm that their vendors also encourage a security-first culture.
Data security is a need that will not go away. As technology continues to advance, so too will the resources available to next generation hackers and other entities involved in data theft. Healthcare organizations must accept that their data will become a target and that these threats could come from non-traditional sources, such as IoT, the cloud and other new innovations. Leaders must act now to protect their companies, patients and other stakeholders.
Ermis Sfakiyanudis is the co-founder and CEO of Trivalent.
Favorite