The healthcare industry was a major target for cybercriminals in 2015, the worst year in history for healthcare data breaches. Thus, it comes as no surprise that in 2016, information security is considered the top health IT concern. Patient data protection has become a critical business priority for all healthcare organizations, regardless of their size or scope, as every vulnerability puts their reputations and financial performance at risk.
The cost of data breaches includes crisis management services, breach notification expenses, fulfillment of state and federal compliance obligations, forensic investigations, credit monitoring for patients whose data has been breached, and more. The Ponemon survey found that data breaches are costing the healthcare industry $6 billion annually, and the average economic impact of data breaches per organization is over $2 million.
Apparently, no industry is immune to cyberattacks, and healthcare is especially susceptible to cyber threats due to the sensitive nature of the data healthcare organizations process and store. The good news is that there are always ways to become more secure and compliant.
Encryption is one of the best ways to protect the integrity of documents, images, messages, and other personal health information. Unfortunately, too many companies fail to encrypt confidential data until after a data breach. The Sophos infographic shows that the healthcare sector has one of the lowest rates of data encryption. Only 31% of healthcare organizations report extensive use of encryption, while 20% do not use encryption at all.
Regular and Timely Software Updates
Keeping software up to date and applying patches on a timely basis is critical to maintain network and data security, as updates can address new vulnerabilities in the software. Outside of regular (daily, weekly, etc.) updates, it is important to monitor for emergency vendor software updates and apply them immediately.
Medical Device Interoperability
It is important to protect sensitive data not only in storage but in transmission as well. Medical data transmission protocols, such as Health Level 7, help to securely exchange patient data between eHealth applications and health information systems. The newly developed protocols comply with the latest requirements for data protection, but older versions may contain serious security issues and require specific security countermeasures. For instance, while developing SDK for the HL7 v2.x, Auriga’s team faced and overcame several security problems.
Software and Hardware Reengineering
Software and hardware systems that are no longer supported by manufacturers become outdated, leading to reduced security and making a healthcare organization vulnerable to cyberattacks. Reengineering, porting, and code refactoring allow organizations to create modern, reliable, and secure solutions quickly, avoid new certification issues, keep old functionality, and allow new features. As an example, Auriga has recently delivered a reengineering and porting project for an outdated life-supporting healthcare product.
A Culture of Security
Although 2015 was “the year of the healthcare hack,” the largest healthcare data breaches of this year so far have not involved hacking or IT incidents. Surveys show that many data breaches result from employee negligence and mistakes. To stay ahead of threats, healthcare organizations should make security an integral part of their day-to-day business by ensuring that employees are aware of the risks and trained to deal with confidential information, developing mobile and BYOD policies, and creating a disaster recovery/business continuity plan.
While developing a security program, it is vital to remember that information security is not a product or a tool. It is a continuous process that requires persistent management and constant improvement based on newly identified business needs and risks.