Patient engagement is a growing necessity for many healthcare organizations, but getting patients to use online tools is complicated by increasing concerns about data security. In just the first 3 months of 2015, two major insurers – Anthem and Premera Blue Cross – were hit by large-scale health data breaches that affected approximately 78 million and 11 million individuals, respectively. The breaches continued in April, when Partners HealthCare and Seton Healthcare both reported phishing scams that compromised protected health information (PHI) and Social Security numbers.
These breaches are not only costly – the average cost per stolen health record is $363, according to Ponemon Institute’s annual Cost of Data Breach Study1 – but disruptive to patient and provider engagement as well.
In light of such high-profile invasions of privacy, how can providers better protect their patients’ data and assure them that online portals are safe to use? The solution is twofold – improve the overall design of security architecture, and develop strong policies and procedures to help staff prevent breaches.
The security infrastructure in healthcare continues to lag behind that of other industries, such as utilities or finance. According to BitSight Security Ratings,2 weak encryption, lack of key management, poor authentication and authorization protocols, and insecure communications were all common in medical devices used in clinics and hospitals. The healthcare industry also had one of the longest average event durations (the average time to detect and respond to a cyber threat), at 5.3 days.
However, there are several resources available to help organizations and providers identify gaps and potential vulnerabilities in their security policies, processes, and systems.
- The Security Risk Assessment (SRA) Tool, used to conduct the risk assessment required by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, can help organizations develop and consider physical, technical, and organizational safeguards, ranging from alarm systems to screen shields and data encryption.
- The Critical Security Controls, a set of 20 high-priority, highly effective recommended actions, can also help protect organizations against common cyberattacks. These actions are a subset of the comprehensive security control catalog defined in National Institute of Standards and Technology (NIST) SP 800-53 and are considered to have the greatest effectiveness in threat prevention.
As the healthcare space continues to be a prime target for hackers, understanding and developing the necessary safeguards is crucial. Simultaneously, organizational leadership must focus on educating personnel about these risks, how to avoid them, and what to do in the event of a phishing incident. This can be managed through the development of strong policies and procedures and enforced through ongoing training. A documented plan and continuing education can help organizations respond properly to phishing scams and the unintentional disclosure of PHI. It is important for all individuals to know the process so that the incident can be communicated and mitigated effectively, and its root cause identified. Furthermore, phishing scams are dynamic and evolving; defense strategies should be equally dynamic and regularly tested to ensure that potential vulnerabilities are detected and addressed.
In order to ensure that patients feel comfortable and are willing to share information with healthcare organizations, it is vital that the appropriate security infrastructure is in place to keep sensitive data safe and combat potential risks. This is especially important as more aspects of our healthcare are automated and health information is available electronically. Hospitals, providers, and practices all need to evaluate their security design, ensure that safeguards are in place, and make sure that anyone who interacts with PHI is prepared to defend it.
Footnotes
- 1.
- 2.
Published June 3, 2015