Privacy breaches are so frequent in healthcare that numerous studies have cited the sector as the most targeted. As health IT continues to evolve, and facilities adopt more connected devices and integrate them into existing systems alongside legacy equipment that often lacks basic protection mechanisms, healthcare becomes the preferred target for many criminal entities.
According to industry sources, medical records of more than 155 million Americans have been exposed in nearly 1,500 data breaches over the last six years.
A data breach in healthcare is also quite expensive. According to the Ponemon 2016 Cost of Data Breach report, the average cost per stolen health record is $355, twice the average cost of a stolen record in other industries. Another important finding of the report concerns data breach detection time. The longer a breach remains undetected, the longer it takes to contain and the more costly it becomes to resolve. On average, a breach detected in less than 100 days costs companies $3.23 million, while breaches detected past the 100-day mark cost an average of $4.38 million.
In 2016, 48% of all breaches involved a malicious attack, while 27% involved IT and business process glitches and failures, and 25% were caused by employee or contractor negligence.
The factors found to contribute to the increase in the cost of a data breach are:
- extensive or poorly thought-through migration of data to the cloud
- a rush to notify
- lost and stolen devices
Among the factors that reduce the cost of data breaches, according to Ponemon, are:
- having an incident response team in place (reduces the cost per stolen health record by $16)
- employee training
- participation in industry threat sharing initiatives
- business continuity management
While the industry is mainly focused on data breach prevention, strategies for mitigating privacy breaches are sometimes neglected. When a breach occurs, clinical work continues, so methods for restoring privacy are needed in order to keep operations and patient care going.
Data encryption. Under current HIPAA and HITECH regulations, patient medical records and other confidential electronic data must be encrypted, or protected by an alternative safeguard of equal strength. Therefore, medical computers and mobile devices must support full disk encryption.
Data must be encrypted at rest and in transit. Internal chats, email, telemedicine and video conferencing are channels that carry private patient data, as are databases and EHR systems, IoT devices and legacy equipment with integrated medical computers. The intermediary and enabler between a hospital's software and hardware is the medical computer or tablet, so it is of paramount importance that the devices used throughout the facility support encryption.
Access controls. Wireless networks must be configured to let visitors access the Internet without reaching the hospital's internal network, and their access must be limited to that. Do not neglect the problem of access that is never revoked when an employee leaves or is fired (ELOFANT: employee left or fired, access not terminated). When an employee leaves, their passwords and access must be terminated and their physical devices turned in unless they were BYOD. Active users must be granted access privileges only to the information they need to do their job; a system where all employees have the same access privileges is no longer viable for healthcare. Your administrator must keep a detailed log of user activity: who accesses what data, when, from which device, and what they do with it. Such reports might be overwhelming, but their value for breach detection and mitigation is high, especially when it comes to liabilities.
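The two access-control checks described above, a terminated account that is still being used (ELOFANT) and a user acting outside the privileges of their role, can be run mechanically over the activity log the administrator keeps. The following is an added example, not code from the original article; the log format, the HR termination feed and the role policy are all constructed for illustration.

```python
"""Review an EHR access log for ELOFANT and least-privilege violations.
All sample data here is constructed; a real deployment would read the
log and the HR termination feed from the hospital's own systems."""
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts user role device action record")

# Constructed sample log, one access per line: timestamp|user|role|device|action|record
SAMPLE_LOG = """\
2016-09-01T08:02:11|jdoe|nurse|ws-icu-03|view|MRN-1001
2016-09-01T08:05:40|mlee|billing|ws-fin-01|view|MRN-1001
2016-09-01T08:09:02|mlee|billing|ws-fin-01|export|MRN-1002
2016-09-02T17:45:19|rsmith|nurse|tablet-07|view|MRN-1003
2016-09-03T02:13:55|rsmith|nurse|byod-phone|export|MRN-1004
"""

# Constructed HR feed: user -> moment from which all access should be revoked
TERMINATED = {"rsmith": datetime(2016, 9, 2)}

# Constructed least-privilege policy: the actions each role may perform on records
ROLE_ACTIONS = {"nurse": {"view"}, "physician": {"view", "update"}, "billing": {"view"}}


def parse_log(text):
    """Turn the pipe-separated log text into Event tuples with parsed timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, device, action, record = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), user, role, device, action, record))
    return events


def find_violations(events, terminated=TERMINATED, policy=ROLE_ACTIONS):
    """Return (reason, event) pairs for every access the policy does not allow."""
    findings = []
    for ev in events:
        revoked_at = terminated.get(ev.user)
        if revoked_at is not None and ev.ts >= revoked_at:
            findings.append(("access after termination", ev))   # ELOFANT
        if ev.action not in policy.get(ev.role, set()):
            findings.append(("action outside role", ev))        # least privilege
    return findings


if __name__ == "__main__":
    for reason, ev in find_violations(parse_log(SAMPLE_LOG)):
        print(f"{ev.ts.isoformat()} {ev.user}@{ev.device} {ev.action} {ev.record}: {reason}")
```

On the sample log this flags the billing user's export, both accesses by the terminated nurse, and the terminated nurse's export a second time for exceeding the nurse role.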
Timely software patches. Cloud computing alleviates some of the data protection pressure, but physical devices must have current software updates and patches installed. Wired and wireless devices, desktop computers and data centers need to run the latest software versions, backed by firewalls, antivirus and antimalware.
Advanced authentication. Users stick to weak passwords and often neglect two-factor authentication, leaving devices that contain confidential data in public areas, where they can be lost, stolen, or accessed by unauthorized individuals. Advanced authentication methods such as biometric readers, RFID, CAC or smart card readers, alongside embedded privacy filters, have brought undeniable advantages to end users and healthcare facilities:
- They make authentication easier for the end user. Users no longer have to memorize complex passwords and can focus on the task at hand: providing care.
- They allow the medical computer or tablet to be used by patients for infotainment, or to be left in public areas of the hospital, without compromising confidential data, because that data is locked to authorized users only.
- They protect the sensitive data in the event of a device loss or theft.
- Medical professionals like single sign-on (SSO) systems that let them sign in to all of their applications quickly, while IT staff appreciate SSO because it lets them change passwords or PINs on the back end if need be, and it integrates well with two-step authentication. Biometric or smart card readers provide a fast and secure second layer of protection on top of SSO.
Exercise stronger oversight of your equipment vendors and demand accountability. Choose vendors that commit to the same levels of compliance as healthcare providers and that prioritize cybersecurity. Look for HIPAA and Imprivata SSO compliance in your medical computers, tablets, and software.
Consider cyber insurance policies and stay informed about the legal issues, regulations and liabilities under HIPAA, HITECH, and other pertinent legal obligations.
Document your data loss prevention and mitigation efforts, because when a data breach occurs you will be asked to prove that your facility has complied with current regulations. Properly documented cybersecurity efforts will help clear your organization of liabilities in the event of a data breach.
Enforce better communication and cooperation on data privacy between your CEO, CIO, IT department, and compliance and risk assessment officers. From selecting a medical device vendor to documenting the data protection policy and the data breach response plan, the key departments of your facility must work together.
Engage personnel in cybersecurity, raise user awareness, and enforce training. C-suite buy-in is critical to the cybersecurity of any organization, and healthcare providers are no exception. Without support and enforcement at the C-suite level, end users will not change their attitude or abandon poor data management habits.
Conduct audits, as required under the Meaningful Use criteria outlined by Medicare & Medicaid, to discover vulnerabilities and develop action plans.
Develop a breach response plan that includes reporting obligations and the entities to report to, a media response plan, a user notification plan, and other system-wide protocols.
Work on raising patient awareness: encourage personal device encryption, strong passwords and two-factor authentication, and recommend that your patients refrain from accessing their health records over public Wi-Fi. Your stance on cybersecurity will help your organization preserve a good reputation and maintain patients' trust.
Encryption and advanced authentication are the two most urgent techniques organizations need to deploy to prevent and mitigate cyber attacks. The username/password method no longer provides adequate security, and it is also a barrier to fast access to data and applications for medical professionals. Advanced authentication that relies on SSO and two-factor authentication via a smart card or biometric reader provides not only security but also a jolt of energy for the organizations deploying it. An actionable breach response plan and properly documented actions will help organizations minimize the cost of a data breach and avoid liabilities. A joint effort by key decision-makers in legal, financial and IT roles helps organizations not only screen their vendors appropriately, but also instill a culture of compliance and strong data protection, and project the image of a provider with a firm grip on its patients' privacy.
Cybernet has an extensive line of medical-grade all-in-one PCs and medical tablets with advanced security features.