Cyberattacks and data breaches are among the most prominent threats to businesses around the world – and the healthcare sector is no different.
Healthcare providers are often specific targets for hackers and cybercriminals, as the wealth of patient data they hold can be highly lucrative. Criminals use ransomware attacks to hold patient information hostage, attempting to force healthcare providers to pay for the return of personal data.
IBM’s Cost of a Data Breach Report lists healthcare organisations as those most financially impacted by data breaches: in 2021, they suffered the highest costs for the 11th consecutive year. With the average cost of a healthcare data breach at $9.23 million, and an increase of 185% in medical data breaches compared to the previous year, these breaches not only pose a mammoth security risk but also cause significant financial damage.
Healthcare leaders are under pressure to eliminate and mitigate vulnerabilities to ensure that organisations remain secure and compliant. What exactly does this mean for leadership teams, what should be considered, and what actions must be taken?
Health services create and store a vast amount of data, the volume of which continues to accumulate rapidly. By its very nature, health data exists within a patient’s most intimate sphere; any unauthorised disclosure or dissemination can lead to both discrimination and a violation of a person’s fundamental rights. As such, electronic health records (EHR) and other forms of healthcare information warrant special protection.
The Health Insurance Portability and Accountability Act (HIPAA) dictates that any organisation or individual that regularly handles protected health information (PHI) is categorised as a covered entity. These entities must adhere to HIPAA’s rules regarding privacy and security.
There are a variety of data types that are highly vulnerable to, and must be protected from, healthcare data breaches:
- Patient data and protected health information (PHI), including names, addresses, photographs and biometric IDs.
- Stored data, such as payment and medical records.
- Payer and provider employee data.
- Data held in container environments, which are used when hospitals wish to share some – but not all – patient information with third-party services.
- Data connected to both wired and wireless Internet of Things medical devices, such as glucose monitors, heart rate monitors and connected inhalers.
Adequate health information technology – reinforced by established, best-practice processes – must protect data across IT resources, medical devices, legacy systems, apps and other frontiers.
With many healthcare providers stretched to their limits, hospital IT systems and other technologies have never been more important in the bid to uphold security and confidentiality.
HIPAA’s Security Rule calls for measures that restrict unauthorised access to PHI. Providers must take action against threats, including the implementation of technical, administrative and physical safeguards. Healthcare organisations must evaluate their capabilities, undertake risk assessments that gauge the likelihood of breaches, and outline clear actions to combat malware, phishing and other cybersecurity attacks.
HIPAA does not specify the methods and types of technologies to be used. However, there are numerous examples of measures providers can take to protect against data breaches and cyber incidents:
- Role-based access control. Access to sensitive information, such as healthcare records, should be granted on a ‘need-to-know’ basis. It is up to IT administrators to assign employees and users permissions based on their roles and requirements. Within healthcare, user-specific roles can provide access to only the data which is necessary for an individual to fulfil their responsibilities – for example, dispensing medication, providing administrative support, requesting procedures or investigations, prescribing, and so on. Access control is critical for strengthening IT infrastructure and for tackling cybercrime and data breaches.
- Educating healthcare workers to avoid potential security incidents. All employees should receive appropriate training and support to confidently deal with, and report, security issues. Some of the safety measures may seem obvious – not clicking on unknown links, creating strong passwords, not opening mail from untrusted senders, and not installing unknown or untested software – but the behaviours they guard against remain common ways in which attackers gain a foothold. Every trained, proactive member of staff makes it harder for cybercrime to occur.
- Vulnerability assessment and penetration testing. Cybercrime often takes advantage of unpatched vulnerabilities in the IT infrastructure and technology of health services. It is critical for IT professionals to apply security patches promptly and to carry out routine testing that identifies vulnerabilities, checks whether they can be exploited, and confirms the robustness of systems. Any weaknesses can then be addressed in order to preserve and defend patient records and other information at risk.
- Back-up storage and restoration. This measure includes establishing seamless back-up, storage and restoration tools to minimise damage from cyberattacks, especially ransomware. These aspects of IT security should be closely and routinely monitored, with regular checks to confirm that back-ups complete without errors.
- Enabling Multi-Factor Authentication (MFA). MFA is an authentication control applied when employees and other users sign in to systems. The layered protection it offers – requiring users to complete two or more identification or verification steps – is proven to reduce the chances of a successful breach. This also ties into creating strong passwords and changing them regularly.
Leaders must conduct a comprehensive inventory of all relevant elements within their healthcare environments to mitigate and minimise data vulnerabilities.
There are plenty of cyber-vigilant initiatives that health organisations can implement to help bolster compliance and security efforts. Any comprehensive vulnerability management programme should ensure that services are able to: swiftly identify and patch critical weaknesses; remain HIPAA-compliant to avoid fines, penalties and breaches; quantify risks and build them into a solid risk management plan; and prioritise the actions and insights that minimise both internal and external risks.
For health organisations wishing to assess or upgrade their current systems and processes, there are numerous specialist cybersecurity companies – many of whom work specifically within the healthcare sector – that can identify vulnerabilities and minimise them with new technologies and approaches.
Discover how to prevent healthcare data breaches and uphold patient privacy with the University of the Commonwealth Caribbean’s online MBA Healthcare Management programme.
The MBA in Healthcare Management programme at UCC will develop the skills needed to advance into senior roles in healthcare – as well as help you gain in-depth insights into the workings of large, complex organisations. The combination of specialist healthcare and business expertise will make you highly valuable to employers, with knowledge encompassing leadership, strategy and decision-making, human resource management, finance, marketing, healthcare innovation, management and delivery, and more.