For Cybersecurity, Prevention First, But Don’t Forget About the Treatment
By Terry Edwards
Cyber-attacks are nothing new. We’ve all seen the attacks on major retailers, entertainment giants, and financial institutions. Healthcare is gaining attention as the next industry under attack since cyber-criminals are finding unprecedented value in patient health records.
A patient record can sell for $50 to $150 on the black market, more than a credit card number or a Social Security number. A buyer can use the personal information in a health record to impersonate the patient, commit identity fraud, or even obtain prescription drugs. In 2014, a record number of healthcare providers were hacked, and a number of high-profile healthcare breaches have already made headlines in 2015.
The healthcare industry is taking these attacks seriously and working hard to protect itself against potential threats. However, it’s becoming more difficult for healthcare providers to ensure the continued integrity of patient data. Not only are hackers growing more advanced and nimble, but the number of vulnerabilities in the system is only increasing as the industry moves to population health management.
Care delivery is not quite as contained as it used to be. Patients can be treated in a variety of settings as their care teams grow in size. In addition, more types of devices are collecting and sharing patient data, offering more entry points for cyber-criminals to infiltrate. Healthcare organizations are also dealing with tight IT budgets, which in some cases only cover what’s necessary for regulatory requirements.
While it’s critical for healthcare organizations to ramp up IT defenses to protect their patients’ data, avoiding a breach also requires getting back to the basics by focusing on the following:
- Develop an internal security committee to conduct a formal risk assessment and identify any areas at risk for a data breach. The committee needs to have the backing of the highest levels of the organization to demonstrate the commitment to protecting patient data.
- Following the risk assessment, the committee should develop an organization-specific risk management strategy to include processes, procedures, tools, and technologies.
- Educate the staff on the new processes and procedures. Implementing new procedures can be the biggest challenge for organizations. It’s not enough to deliver one training session and assume employees are following protocols. Instead, organizations must provide employees with frequent reminders to flag suspicious emails, keep their passwords protected, and encrypt any communication with protected health information.
- Reassess risk on an ongoing basis to make sure employees are following the appropriate processes and procedures and to identify any new vulnerabilities within the system. Cyber-criminals are constantly using new methods to find weaknesses in the system, so healthcare organizations must stay on their toes to keep technology up to date.
Even with the strongest security protocols in place, sometimes a cyber-criminal can find a way through. The experience of other industries shows that while customers are generally understanding when a breach occurs, they need assurance that the organization recognizes the breach and is taking steps to avoid another one. One of the biggest threats of a data breach for healthcare organizations is the potential hit to patient trust, the cornerstone of the patient-physician relationship. Healthcare organizations need to maintain that trust to deliver effective care.
To protect patient trust and the reputation of the organization following a breach, providers must put a treatment plan in place:
- Communicate early and often. Immediately following a breach, a healthcare organization must alert patients with details on what data may have been jeopardized, what actions they need to take (such as changing a password), and how the organization is working to protect the security of patient information. By giving patients as much information as possible, the healthcare organization can convey it is treating the issue seriously and is taking all necessary precautions to ensure another breach does not occur.
- Offer services to monitor and alert patients. By offering tools to monitor their credit and watch for identity theft, healthcare organizations can show they’re concerned about minimizing any risk to patients. In addition to credit monitoring, healthcare organizations should reach out to patients whose data was compromised to ensure they are regularly reviewing their explanation of benefits for any fraudulent activity. Organizations can consider email guides, webinars, and in-person meetings to help patients understand how to review their accounts regularly and what to look for.
- Educate staff on how to handle patient inquiries. Some patients will have questions about the breach and may ask employees like receptionists or nurses who are not used to fielding those types of inquiries. Give employees guidance on how they should respond to upset or concerned patients so that they can get the correct information through appropriate channels.
It does not look like cyber-criminals will stop their attacks on healthcare organizations anytime soon, but with the right protocols and procedures in place, healthcare organizations can put their best defense forward and be prepared to respond in case of a breach.
Terry Edwards is CEO of PerfectServe.