Health care organizations have been aware of potential cyberthreats, but now more than ever this vertical must be diligent in their prevention of cyberattacks. The FBI and other United States government organizations have said that they have evidence of increased and imminent threat to health care providers. Now more than ever, it is essential that the industry focuses on health care cybersecurity, in order to be prepared for these attacks.
It’s not if, it’s when
According to Britany DiCicco, author of
Through the eyes of a cyber criminal, a medical practice or a hospital is a gold mine with an abundance of patient information stored insecurely—just waiting to be hacked, confiscated, and either sold on the black market or held for ransom. Either way, cyber criminals can make a fortune from successfully hacking a healthcare organization—and because they are all too aware of this, the healthcare industry has become their primary target.
After learning more about this incredible risk for not just health care executives, but also the public (as we all get sick sometime), I decided to sit down with David C. Blake, PhD, JD, to learn more. Dr. Blake is a former vice president at Cedars-Sinai Medical Center in Los Angeles, where he served as chief compliance officer and chief privacy officer. I asked Dr. Blake two questions:
- What are today’s major challenges in protecting medical records and health information?
- What are the consequences for health care providers when confidential information is seen by the wrong person or disclosed to those who have no right of access?
The ease of (wrongly) accessing medical records
“There is always the possibility of someone inside a health care organization inappropriately accessing and/or disclosing a patient’s medical information for nefarious reasons,” Blake told me, “but the greater dangers are simple mistakes and idle curiosity.”
The doctor described how easily medical information might be misdirected in the course of everyday business operations like faxing information to a wrong health care provider or emailing information to other staff who have no permission to receive the information. Then there are the cases of staff accessing records they have no business accessing (simply out of a curiosity about the condition of a patient who might be well-known, a family member, or a fellow employee).
There’s also great security flaws with electronic health records (EHRs). For example, nurses could access the nursing records of any patient in the system, even if that patient is not their own.
That’s, unfortunately, just how EHRs work.
So, what does this mean for health care executives?
Health care providers face a legal standard of strict liability when it comes to protecting a patient’s medical records. Penalties and fines are imposed on providers when intentional wrongdoing occurs, but there are also penalties and fines—often quite substantial—even if no one intentionally meant to do anything wrong.
“Preventing intentional wrongdoing is one thing, but trying to minimize mistakes and curiosity is a wholly different challenge for executives in health care.”
—David C. Blake, PhD, JD
Luckily, executives have a number of ways to address and reduce these health care cybersecurity risks:
- Training: “Training is one way, but the training needs to be repetitive, required of every staff member, and clear regarding the consequences for not following the rules,” Blake advised. He emphasized, “Employees need to know that there are no second chances when it comes to violating the rules regarding protecting a patient’s medical records.”
- Add More Security & Monitoring to EHR: Electronic warnings, duplicate password requirements, and other similar measures add layers of security to individual records. Provider organizations might also institute monitoring toolsthat track who is accessing what records within an EHR. “Catching an inappropriate access shortly after it occurs can greatly reduce the consequences of the violation,” Blake noted.
- Consult I.T. Professionals: “Federal and state statutory and regulatory requirements for protecting the privacy of medical information and the security of EHRs are incredibly complicated and challenging,” Blake noted. He warned that “the stakes are too high for relying on someone who is not professionally trained and experienced in HIPAA and state privacy rules.” He concluded by noting that the price of such expertise is well worth the cost, given the reduction in risks it can secure.
Some health care organizations may be well taken care of through their internal I.T. departments—and that's GREAT—but many health care executives are facing overload, budget constraints, and confusion. That's where managed I.T. services providers (MSPs) can bring value. It is important for health care providers to look for a MSP with two areas of expertise: HIPAA compliance knowledge and SOC 2 Type II certification. When doing due diligence, also ask to see their BAA (business associate agreement). This document ensures the MSP shares some of the I.T. liability as part of contracted services. The I.T. support you have could be the difference of avoiding or causing fines, gaining or losing patients, and taking your organization to the next level or miring yourself in the status quo.
Interested to see where your cybersecurity stands or in need of technological support? Reach out to us to discuss your needs.
Editor's Note: This post was originally published in 2017 and has since been updated for accuracy and relevance.