Healthcare has evolved into a highly technical and heavily regulated industry. No longer is a locked cabinet for patient files enough to protect Personal Health Information (PHI). While healthcare has traditionally been seen to have a lesser risk of attack, in recent years, it has proven to be a primary target. When an organization faces a large security breach or challenge, not only is there a risk to reputation and patient trust, but also risk of heavy government fines. Here are 4 security challenges facing healthcare organizations today:
1. Healthcare Ransomware
Ransomware has quickly become one of the top threats to hospital and health system security. According to the US Justice System, ransomware attacks have quadrupled in the past year to nearly 4,000 per day. Healthcare has proven to be as susceptible to these attacks as any other industry. These attacks are increasingly sophisticated, and many hospitals, unable to break the encryption on their own, are forced to pay.
Whether an employee inadvertently downloads a malicious file or clicks a suspicious link in an email, or an attacker infiltrates the network, ransomware can lock down an entire EHR and the systems around it. Regular backups are essential, and they must themselves be secured and protected; ideally they are stored in a HIPAA-compliant data center. Creating a disaster recovery plan now, one that lets the organization quickly identify and address a breach, will help get systems running again and avoid clinical downtime in the event of an attack. Additionally, it is imperative to train employees to be cautious about unsolicited attachments and phishing scams.
2. Weak Passwords
Because technology is central to healthcare operations, most employees have multiple passwords to remember and update. Often, systems require those passwords to change on a regular basis. As a result, employees choose the same password for several systems and weak passwords when possible.
When passwords do not meet strong technical standards, it is easier for bad actors to get into your systems, pose security threats and create potential breaches of information. Not only can comprehensive password policies help protect against hacking, but they can also make it more difficult for phishing scams to be successful in cracking passwords. The Department of Health and Human Services has recommended several technical safeguards to help prevent these security risks. These federal requirements are designed to be flexible, but they cannot be ignored.
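One way to turn the password guidance above into an enforceable check, as an added example that is not the article's code and not an HHS specification. The thresholds are assumptions: a 12-character minimum, a small constructed blocklist standing in for a breached-password list, and a reuse check across the systems a user holds accounts on. The sample accounts are constructed.

```python
"""Password policy checker (added example; thresholds and data are assumptions)."""

MIN_LENGTH = 12  # assumed minimum; a real policy would set its own

# Constructed stand-in for a breached/common-password blocklist.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "hospital2023", "letmein"}


def check_password(candidate, used_on_other_systems=()):
    """Return the list of policy violations; an empty list means compliant.

    The checks use length, a blocklist and a reuse test rather than
    character-composition rules: long, unique passphrases resist guessing
    better than short passwords forced to contain symbols.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password blocklist")
    if candidate in used_on_other_systems:
        problems.append("reused from another system")
    return problems


def audit_accounts(accounts):
    """accounts maps user -> {system: password}; returns users with violations.

    A real audit would compare stored hashes rather than plaintext; plaintext
    is used here only so the constructed sample stays readable.
    """
    findings = {}
    for user, systems in accounts.items():
        for system, password in systems.items():
            others = [p for s, p in systems.items() if s != system]
            problems = check_password(password, others)
            if problems:
                findings.setdefault(user, {})[system] = problems
    return findings


# Constructed sample: one user reusing a weak password, one user compliant.
SAMPLE_ACCOUNTS = {
    "dr_smith": {"ehr": "Hospital2023", "email": "Hospital2023"},
    "nurse_jones": {
        "ehr": "correct-horse-battery-staple-42",
        "email": "ward-printer-tuesday-rain",
    },
}

if __name__ == "__main__":
    for user, systems in audit_accounts(SAMPLE_ACCOUNTS).items():
        for system, problems in systems.items():
            print(f"{user}/{system}: {', '.join(problems)}")
```

Running it flags dr_smith on both systems (blocklisted and reused) and leaves nurse_jones clean; plugging a real breached-password list into `COMMON_PASSWORDS` is the main change needed for production use.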
3. Too Much Access
Often, healthcare environments allow all employees access to many files and systems not pertaining to their work. While all employees should have access to all systems necessary to complete their duties, when employees are given access to systems that are not necessary, an organization runs a greater risk of data breach.
It is advised that health systems and hospitals implement the principle of least privilege: a model in which employees can access only the minimum information and systems necessary to do their work. Doing so makes deployment of new systems easier and improves system stability. Finally, least privilege improves security, because a vulnerability in one machine cannot be used to compromise the rest.
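A least-privilege access review in code, added here as an example (not the article's own material). It assumes a hypothetical per-role baseline of the minimum systems each role needs and a constructed export of current grants; it reports accounts holding anything beyond their baseline and shows an authorization check that enforces the baseline even when a stale grant is still present.

```python
"""Least-privilege access review (added example; roles and grants are constructed)."""

# Hypothetical baseline: the minimum permissions each role needs to do its work.
ROLE_BASELINE = {
    "nurse": {"ehr_read", "ehr_write", "medication_admin"},
    "billing": {"ehr_read", "billing_system"},
    "it_admin": {"ehr_admin", "ad_admin", "backup_console"},
}

# Constructed current grants, in the shape of a simplified IAM export:
# user -> (role, set of permissions actually granted).
CURRENT_GRANTS = {
    "nurse_a": ("nurse", {"ehr_read", "ehr_write", "medication_admin"}),
    "nurse_b": ("nurse", {"ehr_read", "ehr_write", "medication_admin",
                          "billing_system", "backup_console"}),
    "billing_c": ("billing", {"ehr_read", "billing_system", "ehr_write"}),
}


def excess_privileges(grants, baseline):
    """Return {user: permissions beyond the role baseline} for over-provisioned users."""
    findings = {}
    for user, (role, perms) in grants.items():
        extra = perms - baseline.get(role, set())
        if extra:
            findings[user] = extra
    return findings


def is_permitted(user, permission, grants, baseline):
    """Authorization decision: both the grant and the role baseline must allow it.

    Requiring both means a forgotten or over-broad grant does not by itself
    open a system the role never needed.
    """
    role, perms = grants[user]
    return permission in perms and permission in baseline.get(role, set())


if __name__ == "__main__":
    for user, extra in sorted(excess_privileges(CURRENT_GRANTS, ROLE_BASELINE).items()):
        print(f"{user}: remove {', '.join(sorted(extra))}")
```

The review output is the remediation list (nurse_b loses billing and backup-console access, billing_c loses EHR write); the `is_permitted` check is the runtime guard that keeps a missed cleanup from mattering.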
4. Non-Hacking Incidents
While healthcare has become increasingly vulnerable to security breaches with the onset of technology, that does not mean PHI cannot be compromised in other ways. Paper documents can be lost, or a laptop might be left behind or stolen. In either case, PHI security needs to be considered on multiple fronts. To truly protect data, organizations must know at all times how PHI is accessed, stored and transmitted. This requires knowing how each team or division uses data, and it fosters a culture of transparency.
In considering security challenges, it is helpful to have an outside expert on information security and government regulations conduct a vulnerability assessment and review your systems, policies and procedures. From there, you can put together a plan to address any areas of concern.
What steps have you taken to address your data security challenges?