Photo of a healthcare provider using a tablet device

Healthcare Data Security: Problems and Tips

31 Jul 2015 by Teresa Meek

When medical data gets hacked, it gives providers a huge black eye.

In July, the four hospitals that make up the UCLA medical system discovered a breach that had occurred 10 months earlier, and had to notify 4.5 million patients that their health information and Social Security numbers were compromised.

That breach occurred in the wake of the infamous Anthem attack in February, which captured the personal data of 80 million members and employees. A month earlier, Premera Blue Cross was breached, putting sensitive information of its 11 million members at risk.

As healthcare records have moved — by federal order — from paper to electronic format, access across the medical spectrum for patients, doctors, nurses and pharmacists has vastly improved. Unfortunately, electronic records can also provide cracks for sophisticated cybercriminals to silently enter the system and steal data. Sometimes, as with the UCLA and Premera breaches, they go undetected for months.

How are healthcare organizations doing?

A 2015 Healthcare Cybersecurity survey done by the Healthcare Information and Management Systems Society (HIMSS) found that two-thirds of healthcare organizations had experienced a significant security incident in the recent past. While most said they detected the breach within 24 hours, 20% resulted in the loss of patient, financial or operational data. Only 12% had conducted a mock cyberattack drill.

Nevertheless, most organizations felt confident about protecting against today’s attacks, though they feel today’s tools will not be sufficient for the future.

Threats are multiplying so quickly that they can’t keep track of them all, according to 42% of respondents. Sharing threat information across institutions would benefit everyone, suggested 59%.

Take action.

So what should hospitals and clinics be doing to stay compliant with new federal laws and to guard against breeches?

The first step is to understand the threat landscape for your particular organization.

To do that, examine not only your own risk profile, but those of your vendors and partners. Then implement an appropriate software program that complies with HIPAA guidelines for data management.

Once you’ve set up your security system, don’t take it offline even temporarily for cleaning and debugging. A few hours in the middle of the night is all a thief needs to break in and take control.

New technologies allow you to use advanced analytics that can sometimes reveal a breach-in-the-making. But don’t count on it — threats are constantly evolving, and even advanced systems can’t offer a perfect detection rate.

That’s why a recent KPMG report advises that healthcare IT should not be managed solely by the IT department. Instead it should be a regular topic of discussion at the highest executive and board levels.

The report also suggests using forensic investigations to understand how security breaches occurred in order to avoid future attacks. Forensics also enables you to preserve evidence for law enforcement agencies.

Learn from the ‘Most Wired.’

Here are some additional tips from hospitals that achieved the American Hospital Association’s "Most Wired" status this year:

  • Use an intrusion detection system like the 96% of Most Wired hospitals, compared to 85% overall. Most Wired hospitals also employ privacy audit systems (94%) and security incident event management (93%).
  • Be prepared by conducting cyberattack exercises every year. That’s what 79% of the Most Wired do, compared to just 37% overall.
  • Share your results with other healthcare systems so that you can learn from each other. Some 76% percent of the Most Wired do this, compared to 56% overall.
  • Take it to the board. Of the Most Wired organizations, 83% include cybersecurity risks as a part of hospital board risk management procedures.
  • Get the word out to patients quickly. A significant 83% of Most Wired hospitals communicate threat information with patients via email or alerts, in contrast to 63% overall.

Want to learn more about healthcare security? Gain a greater understanding of emerging security solutions and how they can impact your healthcare organization here.