This article appears in the Fall 2019 issue of the
PE GI Journal
Addressing one of the largest risks in healthcare: cybersecurity.
Cyberattacks on the healthcare industry have been an unfortunate reality for decades; however, in the last few years the frequency and breadth of these attacks has reached almost epidemic levels. In 2018, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) alone levied $28 million in fines for security breaches, and that is just the tip of the iceberg. Some experts estimate these breaches cost the industry $5 billion annually, including the cost to fix the breach, the lost revenue due to lack of access to information during a breach and the negative impact on patients’ perception of the organization affected.
The healthcare industry is a prime target for cybercriminals because of the value of healthcare data. In particular this includes the personal health information (PHI) of patients, which can be extremely valuable for identity theft and other types of fraud. However, in addition to PHI, healthcare industry clinical research and intellectual property are valuable to cybercriminals.
Ransomware and Other Types of Breaches
One of the most discussed types of cyberattacks is ransomware. This refers to a situation where a cybercriminal gets access to your network and then encrypts files or otherwise restricts access to your own data or networked equipment until your organization pays a ransom. As with many data breaches, this often occurs when a worker mistakenly clicks a link in an email or interacts with something malicious online that gives the criminal access to your system.
This practice of sending emails or messages intended to get employees to click on malicious links—which are usually disguised as something innocuous such as a document from a coworker or photos from a friend—is called phishing. In a 2018 breach that resulted from a phishing attack, health insurance company Anthem, Inc., agreed to pay $16 million to OCR, establishing a new record as the single largest HIPAA fine for a security breach.
In addition to phishing, other common ways healthcare organization data is breached include:
- Loss or inadvertent disclosure of sensitive information. For example, if an employee misplaces his or her work phone or leaves a laptop unattended.
- Stolen information. Similarly, if an employee’s phone or computer with sensitive information or login and password access to secure networks is stolen.
- Insider breach. An employee of your organization who has access to secure information maliciously provides that access to criminals.
- Third-party breach. Another organization or vendor you work with and has access to your sensitive data is breached.
- Unsecure data. Data, including PHI, that should be secured is inadvertently left discoverable by the public.
Addressing Cybersecurity in Your Organization
It may seem obvious, but one of the most important ways to protect your organization from cyberattacks is to have a well-defined cybersecurity plan and procedure. This can include, but isn’t limited to: clearly stated employee duties with regard to cybersecurity, properly-defined software upgrade procedures, regular audits of networks and other technology used such as cloud computing, and an emergency protocol in the event a breach occurs.
Additionally, if you don’t have an IT officer with experience in your organization, consider hiring one or working with a consultant or vendor. While the healthcare industry is a target because of the value of its data, experts also note that many healthcare organizations lack adequate resources to address cybersecurity, and this can compound the severity and financial impact of breaches.
Training Your Team
With a well-defined cybersecurity procedure comes training. A 2016 review of cybersecurity literature in Technology and Health Care found that the “most stressed security technique in the literature is proper employee training.” Many of the common types of cybersecurity breaches involve a human component that could be prevented with regular and comprehensive employee training.
When developing training, look to your IT experts for guidance. You can also find resources and guidance online, particularly from HHS. Last year, HHS released a publication that it developed in partnership with the healthcare industry titled Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients. This publication provides guidance on “voluntary cybersecurity practices to healthcare organizations of all types and sizes.”
As technology develops and medical devices and equipment, as well as patients’ PHI, become more and more accessible over the internet, cybersecurity concerns will only increase. Currently, many practices, hospitals and health systems are not prepared for cyberattacks, and a single breach could end up costing an organization millions of dollars. Examining cybersecurity readiness is extremely important for organizations of all sizes, and even small steps in the right direction can make a difference.
Billy von Grossen is a Network Administrator at Physicians Endoscopy (PE) and can be reached at email@example.com.