Over the last several years, data breaches have become commonplace in the news. From the Yahoo data breach in 2013, to the massive Equifax breach in 2017, and even the SingHealth breach as recently as July of 2018, data breaches are becoming more and more frequent. As the techniques of hackers become increasingly sophisticated, the security efforts of businesses from various industries must adapt. The stolen personal data could range from names and email addresses to medical records and social security numbers. Because of this, it’s crucial for organizations within the healthcare sector to safeguard the data of their patients and customers.
According to a recent article from Modern Healthcare, last year, 13 million people had their health data compromised in several different breaches, and many of those data breaches come from a lack of security within email, either in protocol settings or end user interactions. The same article stated “There’s been a marked increase in email breaches in recent years. Since 2017, email has been the primary outlet through which health data is exposed. That year, there were 85 email breaches—more than double the number reported in 2016—accounting for nearly one-quarter of all healthcare breaches.” These breaches usually happen as a result of phishing, a technique where hackers pose as a trusted entity and entice users to click a link that gives the hackers access to the organization’s system.
Another article entitled “Medical Device Cybersecurity” in FDLI’s April/May 2019 edition of “Update” says, “In recent years, there have been numerous ransomware attacks on healthcare providers, including the devastating WannaCry attack which wreaked havoc on the United Kingdom’s National Health Service (NHS) as well as on numerous hospitals here in the United States. These attacks, which used security flaws in Microsoft operating systems, highlighted just how unprepared hospitals and medical device manufacturers were in dealing with cybersecurity threats.” Although the FDA continues to release guidelines and regulations around the security of medical devices and other aspects of the healthcare industry, attacks such as these are a glaring reminder of what can happen if providers do not act.
According to the University of Illinois at Chicago, “As organizations seek to protect their patient information from these growing threats, demand for health informatics professionals who are familiar with the current state of cybersecurity in health care is on the rise.” In order to ensure an organization’s sensitive data remains secure, it is crucial to partner with an expert or work with a team specialized in risk assessment and correction. These experts should be well-versed in government regulations, security best practices, and ensuring systems and software are always up to date. In addition, these resources can provide valuable training to your team to ensure your organization as a whole is aware and capable of recognizing security threats as they arise. However, it can be difficult to find trustworthy, qualified individuals to meet this need, especially as demand for these skills and services increases. In this case, it can be instrumental to partner with a staffing and consulting company that has access to this in-demand talent.
When embarking on any current or future projects, it is vital to make security a top priority. Start by evaluating your current systems and determining any potential weak points. Once you have identified these areas, you can take the necessary steps to repair them, and establish a set of policies and procedures around security. It is important to ensure that your staff is educated regularly on these policies, and made aware of the importance of adhering to them. Teach your employees to evaluate every email with a critical eye. When implementing these policies and procedures, make sure they are all-encompassing and cover every aspect of your business. Policies on onboarding and off-boarding your staff should be carefully monitored. What time frame is set to deactivate an employee’s email after they leave the organization? Who has access to this email account in the interim? These details can be easily overlooked, yet once a policy is implemented, if not adhered to, it could expose your organization to threats.
Once you feel your security systems are well-established, performing a network penetration analysis to determine whether there are any vulnerabilities is key. These vulnerabilities can lie in people, processes, or systems. All of these considerations and others can be determined with the assistance of a Security Analyst, or through a managed services partner who can provide your organization with the right team of individuals to meet your specific needs.
Even if your organization's guidelines and policies are already outlined, it is important to remember that as technology continues to advance, you will need to regularly re-assess those policies and ensure they remain relevant. It’s important to evaluate what is working well, what processes or procedures could improve, and how to strategically implement those improvements. Whether it’s testing your network for vulnerabilities, or testing and training your staff for compliance with email policies, with the right partner, you’ll be able to approach this systematically and be sure that nothing is overlooked.
Although the future of cybersecurity is unclear, there is one thing those in the healthcare industry can be certain of: cybersecurity is a vital yet underdeveloped field that needs attention. While new challenges will continue to emerge, there will always be highly skilled individuals ready to meet those challenges, developing new ideas and innovative products to help the industry remain safe. When it comes to protecting your patients’ data, focus on finding a partner who employs solutions that are proven effective across complex, global systems that require the highest level of security.