HIT Think

How to identify key security gaps in data protection strategies


The “digital mesh”—the entwining of people, devices, content and services—will be one of the top 10 strategic technology trends for this year, playing a large role in improving the healthcare experience and environment for patients and employees.

However, increased collaboration and quick access to information come at a price, particularly in protecting sensitive patient information as it increasingly circulates among these different technologies. Failing to be prepared for cyberattacks is no longer an option.

The way the healthcare industry thinks about, and prioritizes, cybersecurity needs to evolve to keep pace with the rapidly changing cyber-threat landscape. To accomplish this, security needs to be embedded within the network and platforms to enable a start-to-finish security infrastructure that can be managed and measured.

According to a recent Verizon report on data breaches involving protected health information (PHI), 58 percent of cybersecurity incidents within the healthcare industry involved insiders. It is also worth noting that the healthcare industry was the only industry where internal actors were the biggest threat to security. To make matters worse, 31 percent of incidents by an internal actor were simply for fun or curiosity in looking up the personal records of celebrities or family members.

Beyond the risk of insider-caused incidents, PHI incidents also take place, frequently and surprisingly, on paper, in addition to digital breaches. The Verizon report found that 27 percent of data breach incidents were related to PHI printed on paper. Between prescription notes, bills, and copies of ID and insurance information, paper trails unfortunately present an opportunity for criminal behavior.

One of the biggest challenges for security in the healthcare space is that there is no one threat agent causing the growth of data breaches. Both insiders and outsiders can pose a threat, creating the need for healthcare executives to develop strategic and long-term plans that address these threats.

This often includes a review of the internal processes and the overall culture of the organization (the people problem in this equation). By implementing and regularly testing such plans, healthcare organizations can identify any holes in the system and fill them before PHI data is compromised.

While enacting a strategic cybersecurity plan takes time, there are some easy first steps organizations can take to make improvements and address common, but threatening, security challenges:

  • Limit insider access: Manage internal threats by creating “administrators” who can control access to certain data, and making the consequences clear for any employees who view patient data without a real reason.
  • Full disk encryption: One of the fastest tactics that can be implemented is full disk encryption (FDE) or encryption at the hardware level. This helps prevent data from being read by anyone who does not have the “key” to translate the data. FDE is also something that is installed at the beginning of a device’s life and automatically encrypts any data added to it.
  • Going digital: To combat paper data theft, organizations need to move toward reducing the amount of information that is on paper and develop processes to handle items that cannot be digitized.

As healthcare organizations manage highly sensitive patient data on a daily basis, it is vital that the industry shifts from a protection to a prevention strategy. Complete prevention of cybercrime is not possible in today’s climate. Adequate protection takes time, digital technology and collaboration from within an organization. That is why following proactive cybersecurity practices is more important than ever – and healthcare organizations are finally taking notice.

The majority of healthcare systems plan to increase technology spending to improve their healthcare cybersecurity measures in the next year, according to a survey of 35 of the largest health systems in the United States. This opens the door for cybersecurity to be an increased focus in 2018, helping keep data secure and protect patient privacy.
