HIT Think

How 3 cybersecurity practices can assist smaller hospitals


Smaller hospitals don’t get a break from regulators; they have to comply with healthcare laws just as the larger hospitals do.

However, community and regional hospitals typically have far fewer resources to provide the data privacy and security that compliance regulations require. This means their compliance programs may have gaps.

What are organizations with small IT teams to do? How can they create programs that include policies, procedures, ongoing monitoring and remediation efforts to reduce incidents? How can they acquire certified compliance and security savvy and create a culture of privacy, security and compliance?

A dangerous assumption among smaller or regional hospitals is that they don’t need the same level of security as the big players in the healthcare space. They think they can’t possibly be as attractive to cybercriminals as the big medical centers. But what they don’t know is that they are more likely to be targeted because of possible unaddressed security gaps.

Multiple elements make cybersecurity difficult and complex for smaller hospitals. For instance, many healthcare systems are leveraging each other’s systems, especially after a merger or acquisition. Meanwhile, cloud-based applications have become a business-critical function for most organizations, storing vast amounts of sensitive or proprietary information.

Smaller organizations are the gatekeepers to massive quantities of patients’ private health information but may not realize it. Privileged insiders like network administrators or users with elevated permissions have access to this information and may carelessly or maliciously misuse it, causing audits, exposure to risk and heavy fines.

Large healthcare organizations have the resources and support to create robust privacy and security programs. This, in turn, enables them to better handle the full lifecycle of privacy and security incidents to drive risk out of their organizations.

Cybercriminals are looking for the path of least resistance, so they like to attack smaller hospitals because of perceived gaps in security measures. The larger problem is that the attack compromises more than just their data. These facilities are often connected to bigger hospitals through systems that enable hackers to gain access to the larger organizations’ data as well.

Community healthcare organizations sometimes need to send patients to a larger medical facility for treatment, so the organizations share patients’ electronic health records. This is a convenient way to ensure better care, but it creates greater risk, as it allows even more people to have access to patient records. This trend is increasing as the industry pushes for more access to health records.

Smaller hospitals are far from defenseless, though. Here are three key ways that community and regional facilities can protect themselves and those they are connected to.

Monitor your cloud-based environment
Monitoring helps you avoid business interruption and regulatory fines and maintain trust among customers. Monitoring provides the added benefits of greater visibility into usage and adoption, performance and compliance. The more insight you have into how users are interacting with your applications, the more you can secure and optimize your business systems to produce the best outcomes possible.

Monitoring also gives time back to IT staff, which they can spend on more meaningful and enjoyable tasks. This is an added bonus that creates greater job satisfaction and increased productivity.

Train and reward
A strong compliance culture that values security and accountability can provide value in a number of ways. Training users on security and regulations contributes to a successful strategy. Governing and sanctioning offenders strengthens accountability, but rewarding positive behavior will further strengthen your culture. The idea is to move towards preventing data breaches due to insider error rather than discovering them after the fact.

Use a third party
A third party takes that extra monitoring load off IT’s plate and educates the community hospital on its regulatory obligations. A service can train new employees and conduct ongoing, targeted training that is more efficient. A third party can see that a certain region or department had the most violations in a specific time period and then provide training on proper use to protect both patient data and the organization.

The healthcare industry is heavily regulated because of the sensitive nature of patient health data. Every precaution must be taken to keep it private. This is a more difficult task for smaller hospitals because they have fewer resources, and cybercriminals know it. A data breach can devastate a hospital’s finances and patient trust. But by implementing cloud monitoring, educating employees and learning from outside expertise, regional and community hospitals can create a stronger security profile to keep critical data secure and private.
