
Cybersecurity in Healthcare



Technology has made it easier for us to provide and improve care for patients. Paper charts and handwritten requests on yellow stickies are a thing of the past. We have become used to having on-demand access to Electronic Health Records (EHR). It is not only physicians and support personnel whose lives are made easier by accessing this data. Patients also access their health records via digital health apps, which enable them to communicate with providers, schedule appointments, check test results and renew medications.


We increasingly rely on electronic health information. If providers do not have access to the data, they can no longer treat patients. Organizations in possession of health information are legally obligated to safeguard Protected Health Information (PHI), and penalties for unauthorized or inappropriate release of PHI are quite high.


Cybersecurity is essential for Health Insurance Portability and Accountability Act (HIPAA) compliance because it helps ensure the confidentiality, integrity, and availability of PHI, which is a critical aspect of protecting patients' privacy and maintaining the trust of individuals who entrust their personal health information to covered entities and business associates.


Individual and state-sponsored hackers are increasingly targeting the healthcare industry. They understand that their ability to disrupt hospital operations or breach the accounts of individual providers will cause irreparable damage. The value of PHI on the black-hat hacker market is high.


Beyond the financial losses and damages, when a system or healthcare organization is compromised and unable to provide timely care, patient lives are directly affected.


In January 2023, there were 11 major reported cases of data breaches in the healthcare industry. Here are some of them:

  • PHI data exposure affecting 134,000 patients in a specialty clinic

  • Ransomware attack on an EHR system that shut down 8 ambulatory and hospital facilities in NY City

  • 270,000 patients in Louisiana notified of a healthcare data breach

  • Email security breaches in 3 separate incidents that exposed PHI, affecting unrelated medical facilities in Texas, Alabama, and Florida

And how many were unreported?


And if you think that you are secure, consider all the interconnected entities that have access to your healthcare facilities: from cleaning companies that have keys to access facilities, to accounting firms that integrate payments and receivables, to EMT service companies that integrate with your EHR.


We are experiencing greater automation of processes and procedures, as well as the introduction of numerous interconnected Internet of Things (IoT) devices, with volumes of patient data stored in the cloud. Failure at any one of these points can have devastating results.


There are numerous steps and options that should be considered in order to protect data and critical assets. Security controls should include the following:

  • HIPAA and Security Training

  • Audit and validation of suppliers

  • Business continuity and disaster recovery planning

  • Digital forensics

  • Multi-factor authentication

  • Network segmentation

  • Software update planning for all devices and systems

  • Regular or continuous vulnerability scans

  • Penetration testing

Data infrastructure is the indispensable technical “lifeblood” of our healthcare systems. If we continue to view security solely as a cost, we fail to see its critical nature.

We must accept that cybersecurity is an integral component of healthcare infrastructure.







