How to better prevent more healthcare breaches

Laptop loss, credential miscues and simple mistakes cause most leaks, says Suzanne Widup.


Almost three out of every four healthcare data breaches can be linked to three common security problems, and managing those types of issues can greatly impact overall security performance.

Those include losses or thefts of laptops; improper or criminal accessing of credentials to information systems; and unintentional errors, such as sending sensitive information to the wrong person, according to Verizon Enterprise Solutions.

Unintentional errors can be reduced by strengthening controls and implementing protected health information disposal procedures. But the big problem remains that many healthcare organizations still don’t understand that encryption is important, says Suzanne Widup, senior analyst for healthcare cybersecurity at Verizon.



The knock against encryption is the fear of not being able to immediately access important patient information during an emergency, Widup notes. Physicians are not willing to jump through another hoop and enter another password, “and they have the power to make it stick,” she adds.

But there are other times when encryption could and should easily be deployed and is not.

In particular, the theft or loss of researchers’ laptops left in their cars or their homes is a frequent occurrence, yet the data is not needed for emergency use, and the laptops should be encrypted, Verizon security experts say.

Another blind spot in protecting patient data is getting full C-level acceptance and understanding of a program to increase security, says Nancy Green, global practice lead for healthcare at Verizon. When talking to leaders, she always asks if they know where their data is and they say yes, but as the discussion continues, it becomes clear they don’t, and “what feels very secure turns into a challenge.”

That said, there is more willingness among leaders to have conversations about security and be more proactive, because they understand that a breach affects the brand, Widup notes. “Anytime the Federal Trade Commission or Department of Health and Human Services gets involved, it’s not what business wants to see, and we’re getting improvements.”

But overall, large gaps in security exist and often remain until the need for improvements is clearly shown. California lawmakers, according to Widup, failed twice to enact the state’s first breach notification law; the law passed when lawmakers’ data was compromised. “That may be what it takes, for the ‘right’ people’s data to be breached,” she said.
