Improving healthcare EHR cybersecurity with IT

Cyber attacks against healthcare organizations are on the rise: this white paper offers proven ways to protect your organization and patients from ransomware attacks and other types of data theft.

Introduction

As healthcare becomes more patient-driven, with greater emphasis on care outcome, technology is playing a major role in the recording and sharing of medical information – not just between providers but pharmacies, healthcare institutions, insurers and the government. Electronic health records, or EHR, are the center of the healthcare information boom, especially since Medicare and other government agencies are mandating its use, relieving medical and insurance offices of stacks of paper claims and overflowing cabinets of medical records folders.

While easing storage and sharing of information is a positive development for patients and providers, it has resulted in our expanding digital footprints as well as increased risk of theft from data miners and malicious hacking. Protecting medical and related data is much more complicated than just five years ago, according to Shields Health Group CIO Chuck Spurr. The good news is that the threats and vulnerabilities are finally being acknowledged and discussed by health organizations, but, as Bob Chaput of Clearwater Compliance believes, what is needed is a strategy to combat those threats and close the vulnerable loopholes.

In this white paper, we’ll examine the extent of the cyber security problems and learn what some organizations are doing to protect their healthcare data.

The problem: cyber security attacks put patient data and healthcare providers at risk

Until a few years ago, medical records were considered hacking’s second-tier. Now, it’s not just about gaining access to social security numbers but mining far more detailed medical information, as the rise of ransomware demonstrates.

With the rise in EHR also come cybersecurity issues – ransomware biggest headache. Data breaches occur when information is compromised, either deliberately through hacking, or from careless handling by the office and other staff with access, such as leaving a portable hard drive where it can be stolen or a laptop open with patient data exposed on screen. Currently (June 2017) ransomware protection is the top priority for health and life sciences industry nationwide, according to Intel.

Consider these eye-popping numbers:

• Ransomware has shot up by nearly 5,000 percent in just two years, from 2015, to become a $1 billion criminal enterprise. That’s right – five thousand percent.
• Almost 90 percent of healthcare organizations have been breached within that same timeframe, with the average cost of over $4 million. As a result of this critical need, the healthcare security market is projected to reach $10.85 billion by 2022, according to data from Fortinet health.

Government regulations affect patient data security
The Health Insurance Portability and Accountability Act (HIPAA) is a set of rules governing patient privacy and health records security by providers and other healthcare organizations. While most providers and others understand and follow these regulations, with the increase in government-mandated EHR, adhering to the HIPAA obligations is becoming increasingly challenging for many in the healthcare and life sciences industries.
Under these rules, if patient data is seen by someone not authorized to do so, federal law requires that physicians, hospitals, and other providers must give the patient notice of a “breach” in their information.

The Payment Card Industry Data Security Standards (PCI DSS), which protects payment (credit and debit) card security, are another compliance consideration as more patients use credit cards to pay medical bills.

With increasingly sophisticated malicious hacking attacks, it is obvious that cyber security can’t be achieved just be being compliant with federal guidelines: what else must health organizations do to protect their data?

Develop policies and guidelines for safely sharing and storing patient data

Have a cyber security expert evaluate your organization or office’s security readiness: only 59 % of providers have a security-readiness plan in place, with an industry average of 58% having ransomware readiness, leaving much room for improvement. In addition:

• Incorporate security into the initial system design phase
• Prioritize security protections according to anticipated impact
• Emphasize security updates and identification and management of possible vulnerabilities
• Follow recognized security procedures, especially by staff and vendors
• Emphasize to all users to “connect carefully and deliberately”

Train the medical office including reception, back-office, providers and anyone else using or able to access data, to be aware of potential breaches – according to cybersecurity experts, most breaches occur due to human error and carelessness, rather than technology failings. Many hackers are on the lookout for staff or other users to become careless and are quick to take advantage of lapses in vigilance.

• Smaller practices may be more at risk as they are more likely to use outdated technologies and tend to be more focused on meeting regulatory requirements, such as “meaningful use” with security taking a back seat.
• Work closely with software and systems providers and other IT partners to maximize security and bring frequent staff users on board.
• Organizations need to improve encrypting data – only 59% of organizations have end-point device encryption, allowing hackers another way into their information.
• Guard password usage: use strong passwords not found in a dictionary, restrict access only to a few authorized users and change passwords frequently – monthly is recommended.

A data breach has occurred – now what?

• Develop a cybersecurity policy before a breach occurs
• Have a ‘chain of command’ assigning response tasks
• Identify the breach source, if possible, for containment
• Notify patients, law enforcement, legal counsel and data, insurance companies, and vendors

Summary

It is critical that healthcare organizations, whether as sole practitioners or large hospitals, take a proactive stance in preventing cyber attacks on their patient data. Bringing in cyber security IT experts in for an evaluation is the first necessary step, ensuring encryption and updating software and other protective measures, as well as including an organization’s staff in the planning and implementation of preventive measures.

Finally, have a response plan ready for when the inevitable happens to contain and minimize damage, as well as to notify patients, law enforcement, and other affected parties.

Author: Aaron White, Date: 20th June 2017