Improved cybersecurity is vital in many industries, but particularly in health care, a sector that handles sensitive information every day and must do so under strict regulations.
Here are some of the most prominent obstacles people must overcome when implementing reliable and effective cybersecurity policies in health care.
Maintaining HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) applies to covered entities, meaning health care providers, health plans and clearinghouses, and to the business associates that handle protected health information (PHI) on their behalf. The parties that fall under HIPAA typically handle sensitive information every day, and HIPAA defines how they, and the third-party providers who work with them, must treat PHI.
HIPAA compliance also encompasses administrative, physical and technical safeguards, including written policies and procedures, control of physical access, and regular risk assessments. There are also rules about the process affected entities must follow after a breach or other security incident, including who must be notified and how quickly.
Representatives at some facilities may mistakenly think complying with HIPAA is sufficient for tackling cybersecurity. HIPAA sets a floor, not a ceiling: it should only be one component of a larger security plan.
A further challenge crops up when clients in the health sector adopt new cloud services. A cloud provider that stores or processes PHI on a client's behalf is a business associate under HIPAA and must sign a business associate agreement, but signing one does not make the client's deployment compliant by itself. Working with a cloud provider that has a clear commitment to data security is one way to improve health care cybersecurity, but clients must confirm their chosen providers actually support HIPAA compliance for the specific services they will use.
Cloud companies offering managed services typically take on most of the compliance obligations for the service they run. With unmanaged services, the provider usually satisfies only some requirements, such as securing the underlying infrastructure, and the client remains responsible for the rest: access control, encryption settings, logging, and patching of whatever it deploys. Learning where a provider's responsibility ends is also crucial when assessing any software or tool meant to increase cybersecurity, because the provider's compliance claims cover only the provider's side of that line.
Awareness Is Up, but There’s a Lack of Confidence
One challenge of cybersecurity is that it is often hard to get employees to prioritize the matter. On a positive note, that is changing, but a different problem remains.
According to a recent study by Abbott and The Chertoff Group, more than 90 percent of hospital administrators and physicians say data security is a focus at their workplaces. However, three-quarters of doctors and 62 percent of people in administrative roles don’t feel equipped to combat threats.
Closing that gap requires a multipronged approach, starting with better employee training and larger budget allocations for cybersecurity.
Frozen IT Budgets Limit the Possibilities for Positive Changes
Even though representatives at many facilities realize it is time to put more financial resources toward health care cybersecurity, doing so is not straightforward.
A poll from Black Book Research shows that, compared to findings collected in 2016, health care cyber-attacks are on the rise, resulting in millions of records stolen and one in 12 people being affected by the breaches.
However, despite the urgency of the situation, 88 percent of health entities reported their IT budgets have stayed at the same level since 2016, and cybersecurity accounts for only about 3 percent of overall IT funds. With so little room, facility representatives may feel that enhancing cybersecurity is a goal out of reach for lack of money.
When hiring onsite cybersecurity experts isn’t feasible, alternatives still exist. For example, some clients hire virtual security consultants or rely on managed cybersecurity services on a contractual basis.
The Health Sector Handles Information in Various Ways
In most industries, securing the computers on a network is the main task. In health care, progress is more complicated because employees transmit information over channels other than computers, and fax is still in common use. Fortunately, providers offer options such as HIPAA-compliant fax services, and having access to those choices matters, since HIPAA fines can reach $50,000 or more, depending on the extent of the violation.
Plus, health-related wearables are increasingly used to improve the quality of care between in-person visits, especially for patients with chronic conditions. They bring convenience to patients and their caregivers, but each one is another attack point, and the cybersecurity strategy has to cover those widely used devices as well.
Some medical technologies, such as pacemakers and implanted medication delivery systems, are placed inside patients. Depending on the device, it may collect information from the patient and send it to physicians. If that equipment is compromised through a security weakness, the result can be injury or death, which makes patient safety, not just data confidentiality, part of the threat model.
A 2018 survey also found that the majority of physicians use mobile devices in their practices, and that those who still do not mainly cite concerns over HIPAA compliance as the reason for holding off. Almost half of those polled said they use iPhones to work with mobile health applications; Android smartphones make up a much smaller share.
Being aware of the multitude of devices that transmit and receive health data is essential for any worthwhile cybersecurity plan in health care. It is impossible to overlook the possibility that mobile devices will be lost, stolen or otherwise accessed by unauthorized parties. Strong passcodes and remote lock and wipe capabilities limit the damage in such cases, and full-device encryption matters most: a passcode alone does not protect data at rest on a device an attacker can take apart, whereas PHI on a properly encrypted device that goes missing generally does not count as a reportable breach.
Health Information Is Especially Valuable
When planning their attacks, cyber criminals weigh what will give them the biggest payoff. The extraordinary value of health-related information is one reason they see the health sector as a worthy target.
Experts say that while a stolen credit card number is worth only about 25 cents, a health record can fetch hundreds or thousands of dollars on the black market. The difference comes from how many comprehensive details a health record contains about an individual.
Although health records may contain credit card numbers, they also typically include lists of doctor's visits, diagnoses and lab results. That wealth of sensitive detail gives attackers ample opportunity to blackmail victims or publicly embarrass them with information from their records.
Another problem is that, although people can freeze their credit reports, cancel credit cards and, in limited cases, obtain a new Social Security number, a diagnosis or medical history in an electronic health record cannot be changed once it has been exposed.
Some hackers specialize in snatching health records. According to a report, one hacker who goes by the username “thedarkoverlord” possessed more than 689,000 health records and was selling them on the dark web.
The Triage Concept Could Help Health Facilities Make Cybersecurity Enhancements
This overview makes clear there are numerous cybersecurity shortcomings in the health sector, and addressing them requires commitment and resources. Representatives may find that the triage approach, which emergency room personnel use to decide which patients to see first, also helps when assessing cybersecurity needs: rank the problems by how badly a compromise would hurt and how likely it is, then work from the top.
For example, a hospital with a higher-than-average number of connected devices may prioritize updating the software on them to close known vulnerabilities. Or, if a hospital was recently fined for a HIPAA violation, it may decide the first course of action must be preventing a repeat while strengthening cybersecurity as a whole.
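As an added illustration of the triage idea (this is example code written for this page, not anything from the article or from a vendor), the script below ranks a constructed device inventory by a simple likelihood-times-impact score and attaches a first action to each entry. The scoring weights, the field names and the sample devices are all assumptions chosen to show the method; a real run would pull the inventory from an asset database and the advisory data from a vulnerability scanner.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """One class of device in the inventory (field set is an assumption)."""
    name: str
    handles_phi: bool      # stores or transmits protected health information
    patient_safety: int    # 0 none, 1 discomfort, 2 injury, 3 life-threatening if compromised
    network_exposure: int  # 0 isolated, 1 internal clinical VLAN, 2 reachable from guest/public networks
    known_vuln: bool       # a vendor advisory covers the running software/firmware version
    patch_available: bool  # the vendor has shipped a fix for that advisory
    count: int             # units deployed


def likelihood(d: Device) -> int:
    """How reachable and how exploitable the device is (0..4).

    A published advisory counts for more than exposure alone because
    attackers start from what is already known to be broken."""
    return d.network_exposure + (2 if d.known_vuln else 0)


def impact(d: Device) -> int:
    """What a compromise costs (1..6).

    PHI exposure is a reportable breach; patient-safety effects outweigh
    everything else. The floor of 1 keeps a low-impact but exposed device
    (a possible pivot point) from scoring zero."""
    return 1 + d.patient_safety + (2 if d.handles_phi else 0)


def triage_score(d: Device) -> int:
    return likelihood(d) * impact(d)


def recommended_action(d: Device) -> str:
    """First action for this device class (assumed decision rules)."""
    if d.known_vuln and d.patch_available:
        return "patch"
    if d.known_vuln:
        return "isolate"   # no fix yet: segment it and add compensating controls
    if d.network_exposure == 2:
        return "segment"   # nothing known-broken, but far too reachable
    return "monitor"


def prioritize(devices):
    """Return (name, score, action) tuples, highest score first; ties go to
    the class with more units deployed."""
    ranked = sorted(devices, key=lambda d: (triage_score(d), d.count), reverse=True)
    return [(d.name, triage_score(d), recommended_action(d)) for d in ranked]


# Constructed sample inventory: assumed values, not real data from any facility.
SAMPLE_INVENTORY = [
    Device("infusion pump", True, 3, 1, True, True, 120),
    Device("imaging workstation", True, 1, 1, True, False, 2),
    Device("wearable glucose-monitor gateway", True, 2, 2, False, False, 300),
    Device("fax server", True, 0, 1, False, False, 1),
    Device("lobby digital signage", False, 0, 2, True, True, 10),
]


if __name__ == "__main__":
    for name, score, action in prioritize(SAMPLE_INVENTORY):
        print(f"{score:3d}  {action:8s}  {name}")
```

Run as-is, the infusion pumps come out on top (reachable, known-vulnerable, fixable, and life-critical), the unpatchable imaging workstation comes second with "isolate" rather than "patch", and the fax server, which only carries PHI and is not known to be broken, lands at the bottom. The point of the exercise is the ordering and the action column, not the exact numbers; swap in your own weights once the inventory is real.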