Suspicious activity on your bank account? You can count on most financial institutions to let you know right away. Some banks even go as far as to send lists of transactions, without prompting, just to make sure all is well.
When examining your EHR cybersecurity strategy, can you say you adhere to the same level of patient-first vigilance?
The above comparison highlights a valid point that can be applied to healthcare security. When it comes to preventive measures designed to protect customer data, healthcare organizations are generally lagging. Various reports, surveys, and studies have hammered home this fact. Where most industries are investing in proactive measures to battle cybercrime, healthcare is still relying on knee-jerk reactions.
This isn’t to say hospitals need to notify patients every time something suspicious happens with their personal information. For example, a prescription for a controlled substance filled out in their name may not rise to this level, depending upon the circumstances. At a minimum, however, IT staff should have tools at their disposal that provide a heightened level of awareness.
To ensure a patient's vital information remains secure and to avoid the high costs of an EHR breach, hospitals need to be proactive. Take a moment to look over these high-level tips and compare them against your current security strategies.
Apart from the preventive measures the government requires of healthcare facilities under the HIPAA Security Rule (which is a minimum and does not guarantee security), there are other proactive steps a hospital can take to strengthen its data defenses.
A data security report from Baker Hostetler revealed that email phishing schemes, inadvertent disclosures, and lost/stolen devices accounted for 62% of incident causes. All of these have their root in human conduct.
You can patch a server, but you can’t patch a person. The closest thing you can get to a human patch is regular security training and policies that cover physical and digital security awareness.
• Think before you click – Educate staff on how to identify email scams
• Use multi-factor authentication – require at least two of the following categories: something the user has, something the user is, and something the user knows
• Lay out strict policies for PHI, medical and mobile work devices
• Consistently communicate the impact and value of security
• Test with benign phishing attacks and see who may need additional training
Complacency about technology upgrades or updates can give attackers new opportunities to get into the system when you least expect it. Therefore, it’s important not only to keep your system updated, but also to build a multi-step approach of barriers around your “castle.” Technology used to keep your EHR network secure often falls into layers – physical, logical and access controls. If one defense fails, having multiple security layers like these helps prevent a full breach.
Physical – Security Cameras and Key Cards
• These are tangible objects meant to limit physical access to your network via a stolen laptop or unauthorized entry into a secure area within the facility.
Logical – Antivirus Programs, Next-Gen Firewall, Segmentation of Network Assets
• A good rule to follow when it comes to choosing antivirus software: The solution is only as good as the vendor who develops it. Look for a vendor who regularly updates their software with the latest definitions in real-time.
• Next-generation firewalls go a step beyond your typical firewall blacklist. Functionalities include, but are not limited to:
a. Use of real-time analytics to detect signatures from known bad sites.
b. Direct connections to a larger global network of firewalls.
c. Machine learning to identify and isolate atypical network behavior and shut off access.
• Strive for proper web architecture when placing applications on the internet. Web servers should not be directly reachable from the internet; place them behind reverse proxies.
Access – Rule of thumb
• Use the “Minimum Necessary Rule” – users get only the minimum access necessary to do their job function.
• Not everyone needs access to the file shares or database where PII and PHI are stored. Limit that access to a small number of named individuals.
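The two access bullets above can be expressed directly as an authorization policy. The block below is an added example, not code from the original article: each role is granted only the field groups its job function needs, direct access to the raw PHI store is tied to named individuals rather than roles, anything not explicitly granted is denied, and every decision is written to an audit trail. All role names, field names and user ids are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Added example of the "minimum necessary" rule as code. Names below are constructed.

# Field groups of a patient record (constructed).
FIELD_GROUPS: Dict[str, FrozenSet[str]] = {
    "demographics": frozenset({"patient_id", "name", "dob"}),
    "billing": frozenset({"insurance_id", "balance"}),
    "clinical": frozenset({"diagnoses", "medications", "lab_results"}),
}

# Each role gets only the field groups its job function needs (constructed roles).
ROLE_POLICY: Dict[str, FrozenSet[str]] = {
    "physician": frozenset({"demographics", "clinical"}),
    "billing_clerk": frozenset({"demographics", "billing"}),
    "front_desk": frozenset({"demographics"}),
}

# Raw file-share / database access to PHI is tied to named people, not to a role.
PHI_STORE_ADMINS: FrozenSet[str] = frozenset({"dba.alice"})

# Every decision, allowed or denied, is recorded for later review.
AUDIT_LOG: List[str] = []


@dataclass(frozen=True)
class Decision:
    allowed: bool
    granted: FrozenSet[str]
    denied: FrozenSet[str]
    reason: str


def permitted_fields(role: str) -> FrozenSet[str]:
    """Union of the field groups a role is entitled to; unknown roles get nothing."""
    groups = ROLE_POLICY.get(role, frozenset())
    return frozenset().union(*(FIELD_GROUPS[g] for g in groups))


def decide(user: str, role: str, requested, raw_store: bool = False) -> Decision:
    """Deny by default; grant only the requested fields the policy permits."""
    requested = frozenset(requested)
    if raw_store:
        if user in PHI_STORE_ADMINS:
            d = Decision(True, requested, frozenset(), "named PHI store administrator")
        else:
            d = Decision(False, frozenset(), requested,
                         "raw PHI store limited to named individuals")
    elif role not in ROLE_POLICY:
        d = Decision(False, frozenset(), requested, f"unknown role {role!r}: deny by default")
    else:
        allowed = permitted_fields(role)
        granted = requested & allowed
        denied = requested - allowed
        reason = "role policy" if not denied else "role policy: excess fields denied"
        d = Decision(bool(granted), granted, denied, reason)
    AUDIT_LOG.append(
        f"user={user} role={role} raw_store={raw_store} allowed={d.allowed} "
        f"granted={sorted(d.granted)} denied={sorted(d.denied)} reason={d.reason}"
    )
    return d


def filter_record(record: Dict[str, object], decision: Decision) -> Dict[str, object]:
    """Return only the granted fields, so callers never see excess PHI."""
    return {k: v for k, v in record.items() if k in decision.granted}


if __name__ == "__main__":
    # Constructed sample record and request.
    sample = {"name": "Constructed Patient", "diagnoses": ["J06.9"], "balance": 120}
    d = decide("dr.bob", "physician", {"name", "diagnoses", "balance"})
    print(filter_record(sample, d))
    print(AUDIT_LOG[-1])
```

Note that a physician asking for a billing field is not refused outright; the request is trimmed to what the role needs and the excess is logged, which is exactly the behaviour a later access review wants to see.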
For a more in-depth look at cybersecurity, check out our eBook in our resource center.
Just as non-IT staff are subject to ongoing testing, the IT team should be held to a higher level of accountability for ensuring system security.
As part of your incident response plan, run regular table-top exercises to simulate a breach. In addition, hire an outside team or consultants to look for and expose vulnerabilities in your network security. Have a clear and concise communication plan in place for when issues arise that addresses the information your executives need.
Tired of hearing, “Ugh, more security training...?”, “Updating endpoint software. Who has time?”, or “Hiring a team? Sounds expensive!”? We hear you. Fortunately, there is a compelling answer to these objections: the cost of a data breach could affect, if not financially cripple, your healthcare facility.
A breach of your data center can cost you millions of dollars in fines and fees, millions of hours spent on recovery, and a large population of unhappy patients.
From 2009 to 2016 the number of healthcare data breaches of over 500 records increased from 18 to 329, a 1728% increase! Absurd is an understatement. The reality is that patient health information is a hot commodity that has been silently stolen, creating financial and potentially life-altering harm to patients who depend on healthcare to survive. Do you know how much your patients’ health records are worth?
A 2018 report from Ponemon Institute showed that from 2015 to 2017 the total cost per stolen health record rose from $363 to $380, the highest cost of the 16 industries examined—that’s terrifying for every level of healthcare leadership from CIO to CFO.
Attackers have all the time in the world to get at your system. Your staff doesn’t have that same luxury when it comes to network protection. On top of security, your IT team must also worry about system efficiency and regular maintenance.
Hospitals do great when it comes to defending against health threats. Defending against cybercrime is another matter, especially for smaller hospitals. Serious consideration should be given to EHR security investments, how they impact IT staff, and what it could mean for business.
When it comes to protecting your patient data, a rock-solid defense against the dark web is a worthwhile investment that comes with long-term savings and helps support consistently high levels of patient-centered care. Learn more about how you can defend your EHR and get ahead of cybercrime.