According to HIPAAJournal.com, there were 2,181 healthcare data breaches between 2009 and 2017 that each involved at least 500 records. Those breaches resulted in the theft or exposure of more than 176 million healthcare records, which is roughly half the entire American population.
Healthcare data breaches are now reported at a rate of more than one per day. 2015 was particularly disastrous for healthcare data systems: 100,000,000 out of 176 million medical records were stolen, thereby exposing major vulnerabilities within the industry. A 2017 survey found that 92 percent of healthcare organizations planned to increase their technology spending on cybersecurity. With this renewed investment in healthcare IT, the future looked bright for patient security, but 2017 saw the highest number of breaches to date.
Clearly, there are still major roadblocks to be overcome, so let’s take a closer look at some of them.
Adoption of Big Data
In the healthcare industry, big data can assist with improving patient outcomes and creating a better understanding of the clinical services in demand in certain areas, which could ultimately lead to more successful payer performance. With this potential for improvement within reach, healthcare facilities have begun to push for more data and more analysis of that data.
However, the adoption of big data in health care significantly increases security and patient privacy concerns. First of all, patient information is stored in data centers with varying levels of security. While most healthcare data centers have HIPAA certification, that certification does not guarantee patient record safety. This is because HIPAA is much more focused on ensuring that security policies and procedures are in place than on how they are implemented.
One major decision concerns whether a facility’s data will be stored locally (on-premises) or in the cloud through a third-party provider. A local network offers security advantages such as greater control and manual isolation from the internet in an emergency. However, patching can be a slow and burdensome process, and you could still be vulnerable to attacks until the patching process is complete.
Cloud-based storage allows customers to rely on their provider to quickly and efficiently deploy security patches. Mark Hurd, CEO of Oracle, thinks the cloud is the way to go. “You get innovation straight away from the industry,” he said. “There’s very little incremental cost, if any. The burden of patching is on the vendor, not the customer.” By relocating data to the cloud, your IT team can focus on monitoring users and daily activity rather than on writing and deploying security patches.
Healthcare organizations are attempting to become more and more connected and in tune with their patients. Connected medical devices and accompanying smartphone applications allow healthcare providers the opportunity to offer new and improved services to their patient populations.
However, with the availability of so many health and wellness programs on mobile devices, hospitals and clinical practices need to be aware of the threat of security breaches and the hacking of health data that can happen through those devices. Doctors, nurses and hospital staff use tablets and mobile devices, as do patients and visitors, which means hackers could have access to entry points on both sides of the security “wall.”
There are many decisions that need to be made. IT teams and healthcare administrators need to collaborate to discuss where the data will be stored and how best to protect that system. They also need to establish how to protect the data while in transit to its storage location and whether to store it in an on-premises data center or a third-party cloud network. The team should determine how to limit access to that data both internally and externally, how to monitor vulnerabilities in the devices that do have access, how to deal with attacks and threats and how those devices will be updated and patched.
Insider Breaches and Employee Mistakes
All data has value. Unfortunately, where there is something of value, there will inevitably be people who want to steal it. Verizon’s 2018 cybersecurity report found that 28 percent of all data breaches come from the inside. There are people who will work toward gaining employment at offices and hospitals for the sole purpose of stealing the data to which they are granted access.
These people can use stolen patient data to open credit cards, steal money directly or even commit tax fraud. If they can obtain a large enough data set, they can also sell it to the highest bidder for big money. Thorough background checks during the hiring phase are key to preventing inside attacks. Also, be sure to audit all devices used by staff that connect to the office’s network.
We also need to keep in mind that it’s not always people with malicious intent who do harmful things that compromise healthcare security. Sometimes people simply make mistakes. Misplacing a patient’s chart or allowing a security system to underperform can be costly. Breaches can also happen when old computers are discarded without first wiping the patient information they contain. For these reasons, training and re-training on security protocol is incredibly important in the healthcare field. Do your best to establish a culture of security to avoid mistakes and prevent potential thieves from taking what they want.
There are so many possible issues and threats when discussing data security within the healthcare industry that it can easily become overwhelming for those already in the industry or those who are looking to join. Staying ahead of the three largest threats to healthcare data security should help to cut through the noise and focus on the most pressing matters. Once you have a solid foundation for your workplace security, the rest should fall into place.