Across the industry, hospitals are being forced to rethink network protection and cybersecurity measures. Massive data breaches and cyberattacks continue to grow in sophistication and number, threatening providers and testing their network resilience. Between 2017 and 2018 alone, the number of compromised patient records tripled to a whopping 15 million, according to research from the Protenus Breach Barometer. Just halfway through 2019, the number of breached patient records hit an incredible 25 million.
Unfortunately, according to data gleaned from the 2017 Health Care Industry Cybersecurity Task Force report to Congress, the healthcare industry as a whole stands largely vulnerable and unprepared to mitigate threats from bad actors. Specifically, the report cited problem areas such as a lack of funding for cybersecurity, staffing shortages for information security professionals, poor infrastructure and aging legacy equipment. However, with such a dramatic spike in cyberattacks from hackers, providers have little choice but to implement more mature strategies to protect patient health information (PHI), billing information and confidential hospital data.
To mitigate the threat of cyberattacks and data breaches, healthcare organizations must consider stronger safeguards to ensure compliance and security. Here are some defensive strategies being used throughout the industry.
- Building a cybersecurity team. While regulatory compliance is essential, cybersecurity should go further. This means healthcare organizations should have an experienced team of experts in place to lead enterprise-wide change, including building in layers of controls, checkpoints and review processes to create a culture of continuous compliance. If your organization doesn’t have the resources, staff or knowledge to build an in-house cybersecurity team, then consider outsourcing one.
- Budgeting appropriately. Despite the high number of breaches across the industry, healthcare spends far less on cybersecurity than other large industries like banking and manufacturing. For instance, in 2018, according to Gartner, healthcare providers allocated about 5% of their total information technology budgets to security. However, the average spend in other industries is around 15%. Allocating more money to safeguard network defenses, hire security or compliance experts, and update aging equipment could prove pivotal in protecting the health of your enterprise.
- Assigning compliance specialists. Because state and federal governments regularly establish new rules to protect patients, organizations must build internal systems and accountability measures to ensure they’re up-to-date and in compliance. To accomplish this, many organizations have compliance specialists on staff; these professionals also regularly audit in-house processes like reviewing policy sanctions and reporting incidents. Of course, healthcare facilities should also work with the FBI and state agencies to stay aware of new cyberthreats.
- Limiting network access. Patient portals, mobile apps and other IT solutions must adhere to strict security standards to ensure that patient access is highly secure. As such, cloud-based portals must be secured, and patients must only be allowed access into certain areas or files. Similarly, follow the rule of “minimum necessary access” with staff and employees. This provides each user with access only to files needed to complete his or her job; even IT staffers or C-suite leaders should be restricted from files they do not need to complete their jobs.
- Rolling out ongoing training and continuing education. Most data breaches and ransomware attacks are the result of phishing emails. In fact, a recent survey of 1,300 physicians from the American Medical Association found that 83% of respondents had experienced a cyberattack; more than half of those said the attack came in the form of a phishing email. With the growing frequency and evolving style of attacks, it’s critical to implement ongoing training on privacy, information security and physical security to keep employees informed and prevent careless mistakes.