Readers Write: For Cybersecurity, Prevention First, But Don’t Forget About the Treatment

March 16, 2015

By Terry Edwards


Cyber-attacks are nothing new. We’ve all seen the attacks on major retailers, entertainment giants, and financial institutions. Healthcare is gaining attention as the next industry under attack since cyber-criminals are finding unprecedented value in patient health records.

A patient record can sell for $50 to $150 on the black market, more than a credit card number or a Social Security number. This gives buyers the ability to impersonate patients using all the personal information included in a health record, to commit identity fraud, or even to obtain prescription drugs. In 2014, a record number of healthcare providers were hacked, and a number of high-profile healthcare breaches have already made headlines in 2015.

The healthcare industry is taking these attacks seriously and working hard to protect itself against potential threats. However, it’s becoming more difficult for healthcare providers to ensure the continued integrity of patient data. Not only are hackers growing more advanced and nimble, but the number of vulnerabilities in the system is only increasing as the industry moves to population health management.

Care delivery is not quite as contained as it used to be. Patients can be treated in a variety of settings as their care teams grow in size. In addition, more types of devices are collecting and sharing patient data, offering more entry points for cyber-criminals to infiltrate. Healthcare organizations are also dealing with tight IT budgets, which in some cases only cover what’s necessary for regulatory requirements.

While it’s critical for healthcare organizations to ramp up IT defenses to protect their patients’ data, avoiding a breach also requires getting back to basics by focusing on the following:

  1. Develop an internal security committee to conduct a formal risk assessment and identify any areas at risk for a data breach. The committee needs to have the backing of the highest levels of the organization to demonstrate the commitment to protecting patient data.
  2. Following the risk assessment, the committee should develop an organization-specific risk management strategy to include processes, procedures, tools, and technologies.
  3. Educate the staff on the new processes and procedures. Implementing new procedures can be the biggest challenge for organizations. It’s not enough to deliver one training session and assume employees are following protocols. Instead, organizations must provide employees with frequent reminders to flag suspicious emails, keep their passwords protected, and encrypt any communication with protected health information.
  4. Reassess risk on an ongoing basis to make sure employees are following the appropriate processes and procedures and to identify any new vulnerabilities within the system. Cyber-criminals are constantly using new methods to find weaknesses in the system, so healthcare organizations must stay on their toes to keep technology up to date.

Even with the strongest security protocols in place, sometimes a cyber-criminal can find a way through. The experience of other industries shows that while customers are generally understanding when a breach occurs, they need assurance that the organization recognizes the breach and is taking steps to avoid another one. One of the biggest threats of a data breach for healthcare organizations is the potential hit to patient trust, the cornerstone of the patient-physician relationship. Healthcare organizations need to maintain that trust to deliver effective care.

To protect patient trust and the reputation of the organization following a breach, providers must put a treatment plan in place:

  1. Communicate early and often. Immediately following a breach, a healthcare organization must alert patients with details on what data may have been jeopardized, what actions they need to take (such as changing a password), and how the organization is working to protect the security of patient information. By giving patients as much information as possible, the healthcare organization can convey it is treating the issue seriously and is taking all necessary precautions to ensure another breach does not occur.
  2. Offer services to monitor and alert patients. By offering tools to monitor their credit and detect identity theft, healthcare organizations can show they’re concerned about minimizing any risk to patients. In addition to credit monitoring, healthcare organizations should reach out to patients whose data was compromised to ensure they are regularly reviewing their explanation of benefits for any fraudulent activity. Organizations can consider email guides, webinars, and in-person meetings to help patients understand how to review their accounts regularly and what to look for.
  3. Educate staff on how to handle patient inquiries. Some patients will have questions about the breach and may ask employees like receptionists or nurses who are not used to fielding those types of inquiries. Give employees guidance on how they should respond to upset or concerned patients so that they can get the correct information through appropriate channels.

It does not look like cyber-criminals will stop their attacks on healthcare organizations anytime soon, but with the right protocols and procedures in place, healthcare organizations can put their best defense forward and be prepared to respond in case of a breach.

Terry Edwards is CEO of PerfectServe.
