HIT Think

3 critical steps to better protect patient health information


Patient data has been put at risk over the last few years. A potent combination of determined cybercriminal attacks and negligence has repeatedly exposed sensitive health information.

When the Ponemon Institute surveyed healthcare organizations last year, it found that nearly 90 percent had experienced a data breach in the past two years, and a shocking 45 percent had suffered more than five data breaches in that same two-year period.

Despite these striking totals, many healthcare organizations are still falling short in their efforts to protect patient health information properly. A midyear report from Protenus reveals that there have been 233 breach incidents in 2017, affecting 3.1 million patient records. That puts the industry on course to exceed last year’s record of 450 breaches.

Healthcare organizations can and should do better. Here are three critical challenges that must be overcome if protection of ePHI is to meet everyone’s expectations.

Improve visibility and management
Sharing patient health information digitally enables the delivery of better-quality healthcare, but it creates a major challenge for any organization that accesses and secures a patient's information. Compliance with HIPAA is vital, but that doesn't just mean protecting data while it's under an organization's own roof; the organization must also understand and manage the risk as PHI moves to external business associates and vendors.

The average cost of a healthcare data breach was $2.2 million for the direct target of the breach and more than $1 million for its business associates, according to the Ponemon Institute. Any defense is only as strong as its weakest link, so risk assessments and security solutions must stretch beyond an organization's premises. There's a palpable need to secure and protect patient health information as it moves within the organization and across organizations, between covered entities, business associates and vendors.

Eliminate fragmentation and siloed security
As enterprises adopt a hybrid approach and migrate their on-premises infrastructure to the cloud, the specter of shadow IT must be dealt with. Too many healthcare organizations don't know which cloud services and applications are actually in use. The average healthcare organization uses 928 cloud services and uploads 6.8 terabytes every month, according to a Skyhigh report.

To make matters worse, providers frequently use siloed security solutions. Different tools are used to see and manage on-premises equipment and its security than are used to manage cloud-hosted information. It's crucial to take steps to reduce risk in the cloud and to secure proper oversight that ensures compliance.

Beyond the cloud considerations, IoT and medical devices pose another set of threats altogether. Because they're rarely designed with security as a priority, and are often chosen for a combination of specific functions and low price, they can dramatically expand the potential attack surface of any healthcare organization. They must be properly monitored and patched in a timely manner, or these gaps become access routes for attackers.

Reduce reliance on manual point-in-time assessments
This fragmented landscape of devices, services and security tools is further exacerbated by the traditional approach to risk assessment, which is to assess vulnerabilities at a specific point in time. Fresh vulnerabilities, new threats and organizational changes occur daily. If organizations expect to stay secure, then they must continuously monitor their infrastructures. They need an automated, continuous assessment process capable of flagging problems and remediating them.

It’s important for healthcare organizations to be able to harden their infrastructures by applying the right blend of regulations and security best practices. Whether they want to adopt the NIST Cybersecurity Framework or create their own harmonized control framework, providers need to have real-time analysis and automated enhancement to maintain a secure stance.
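To make the contrast between a point-in-time assessment and continuous monitoring concrete (the device-patching concern above and the continuous-assessment process described in this section), here is an added example that is not part of the original article. It runs the same three controls (patch currency, encryption at rest, use of sanctioned cloud services) against two constructed inventory snapshots a month apart and reports only what changed, which is the signal a continuous process gives that an annual review would miss. The 30-day patch window, the sanctioned-service allow-list, and every asset name and date are assumptions constructed for the example.

```python
"""Continuous control assessment over an asset inventory (added example).

Runs a fixed set of controls against successive inventory snapshots and
reports drift (new and resolved findings) rather than a single point-in-time
result. All policy values and asset data below are constructed.
"""
from dataclasses import dataclass
from datetime import date

MAX_PATCH_AGE_DAYS = 30                                     # assumed policy
SANCTIONED_CLOUD = {"ehr-cloud.example", "backup.example"}   # assumed allow-list


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                      # "server", "medical-device", "workstation"
    last_patched: date
    encrypted_at_rest: bool
    cloud_services: frozenset = frozenset()


@dataclass(frozen=True)
class Finding:
    asset: str
    control: str
    detail: str


def assess(assets, today):
    """Run every control against every asset; return a set of findings."""
    findings = set()
    for a in assets:
        age = (today - a.last_patched).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.add(Finding(a.name, "patch-currency",
                                 f"last patched {age} days ago"))
        if not a.encrypted_at_rest:
            findings.add(Finding(a.name, "encryption-at-rest",
                                 "storage not encrypted"))
        # Shadow IT: any service not on the allow-list is a finding.
        for svc in sorted(a.cloud_services - SANCTIONED_CLOUD):
            findings.add(Finding(a.name, "unsanctioned-cloud", f"uses {svc}"))
    return findings


def drift(previous, current):
    """Return (new findings, resolved findings) between two assessments."""
    return current - previous, previous - current


# Constructed snapshot 1: the state an annual assessment might capture.
DAY0 = date(2017, 7, 1)
SNAPSHOT_DAY0 = [
    Asset("infusion-pump-07", "medical-device", date(2017, 6, 20), True),
    Asset("ehr-db-01", "server", date(2017, 6, 25), True,
          frozenset({"ehr-cloud.example"})),
    Asset("ws-billing-12", "workstation", date(2017, 6, 28), False,
          frozenset({"ehr-cloud.example"})),
]

# Constructed snapshot 2, one month later: the pump was never patched again,
# the workstation was encrypted but picked up an unsanctioned file-sharing
# service, and the database server was patched on schedule.
DAY1 = date(2017, 8, 1)
SNAPSHOT_DAY1 = [
    Asset("infusion-pump-07", "medical-device", date(2017, 6, 20), True),
    Asset("ehr-db-01", "server", date(2017, 7, 28), True,
          frozenset({"ehr-cloud.example"})),
    Asset("ws-billing-12", "workstation", date(2017, 7, 30), True,
          frozenset({"ehr-cloud.example", "freeshare.example"})),
]


def run_demo():
    """Assess both snapshots and return what changed between them."""
    return drift(assess(SNAPSHOT_DAY0, DAY0), assess(SNAPSHOT_DAY1, DAY1))


if __name__ == "__main__":
    new, resolved = run_demo()
    for f in sorted(new, key=lambda f: (f.asset, f.control)):
        print(f"NEW       {f.asset:18} {f.control:20} {f.detail}")
    for f in sorted(resolved, key=lambda f: (f.asset, f.control)):
        print(f"RESOLVED  {f.asset:18} {f.control:20} {f.detail}")
```

On the first snapshot only the unencrypted workstation is flagged; a point-in-time report would close there. Re-running the same checks a month later surfaces the infusion pump drifting past the patch window and the new unsanctioned cloud service, while confirming the encryption gap was remediated. In practice the snapshots would come from the inventory, endpoint and CASB tools the organization already has, and the drift output is what feeds a ticketing or remediation workflow.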

With limited budgets, most healthcare organizations have limited options. Training is time-consuming, and it takes vital staff members away from their main duties.

Where practical, automation can be a great alternative that introduces consistency, creates a clear audit trail and enables the configuration of a security framework to meet regulatory requirements.

As things stand, ePHI protection is not making the grade, and patient data will continue to be a major target for cybercriminals. While healthcare organizations face a tough task in harnessing a disparate group of services and devices, and a large network of partners, these challenges are not insurmountable. Acknowledging them and acting is a vital first step if the healthcare industry expects to reverse the current trend of data breaches.
