There are strict privacy rules when it comes to patient information, and you need to ensure your information technology (IT) department is following the rules about protecting confidential information. IT professionals focused on making hardware and software work may not be fully aware of their obligations for maintaining the security that is essential in a healthcare environment. Here is information about some of these privacy rules and guidance on that topic.
Health Data in Demand
Although any industry’s technology can be hacked, cyber attackers can benefit most significantly when they capture data from electronic health records (EHR). According to a 2022 report from the U.S. Health and Human Services (HHS), EHR information is the most valuable type to people with ill intent. Why? Because of the protected health information (PHI) contained within the application—information they can sell at a profit on the black market or dark web. PHI contains eighteen identifiers that can be used for “extortion, fraud, identity theft, data laundering” and so forth. These identifiers include names, telephone numbers, Social Security numbers, medical record numbers, account numbers, and health plan numbers, along with people’s biometric identifiers such as their fingerprints and/or retinal scans.
In 2020, at least 560 healthcare facilities were affected by ransomware along with the Pennsylvania Health Services Company, which operates 400 hospitals and healthcare facilities.
In 2021, one healthcare breach cost, on average, $9.23 million; that’s $2.1 million more than the previous year ($7.13 million). Most commonly, data is stolen through phishing, malware, and ransomware attacks as well as through encryption blind spots and cloud threats. In addition, problems can arise from employees who don’t follow best practices or engage in even more reckless behaviors.
Because of healthcare data’s attractiveness for hackers and because of the harm that stolen patient data can do, federal laws exist that require healthcare organizations to strongly protect this information.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
This federal law contains national standards to protect patient health information. More specifically, after its passage, healthcare organizations could no longer disclose sensitive information unless the patient was aware of this transaction and gave consent.
HealthIT.gov notes that healthcare organizations must have strong cybersecurity protocols and practices because patient information is exchanged electronically and so are patient claims. To offer guidance, they refer to a cybersecurity checklist by HHS. This is the specific language from the HHS about what is required:
- implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks;
- implementing procedures to guard against and detect malicious software;
- training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and
- implementing access controls to limit access to ePHI to only those persons or software programs requiring access.
HIPAA includes a breach notification rule. This means that, if patient confidentiality is breached through loss, theft, or impermissible uses of health data, healthcare organizations must report this to numerous people and organizations:
- The individuals whose information was breached
- Secretary of the HHS
- Media if this breach impacted five hundred or more people within a state or jurisdiction
If a breach is significant, the healthcare organization can be fined. Even if a fine is not levied, the investigation can damage the organization’s reputation. In the Netherlands, a few years ago, a hospital was fined the equivalent of $516,000 for the breach of one single patient’s records! The court found that the hospital had poor security measures, wasn’t using two-factor authentication, and didn’t regularly check logs for unauthorized usage. There are numerous other HIPAA violations leading to fines over a year’s time.
Data Protection Basics
One of the most important ways to make sure your IT department is taking security seriously is to strengthen interdepartmental relationships and make security part of the organizational culture.
Having clear guidelines and protocols in place is also important. For example, passwords should be required to contain a certain number of characters, be mixed-case, and have both numbers and letters. Passwords should also expire regularly so that they are changed routinely.
Auto log-offs and a help desk that can resolve problems are also key parts of effective information technology in the healthcare industry.
Information Security Plans
To more fully and effectively protect your data, create an information security plan (ISP) that details the techniques, tools, and processes that you use to protect technology. The ISP would include strategies described in the data protection basics listed above—but goes much further. The plan would include how your healthcare organization encrypts data, protects your network, and more to keep confidential information safe, and out of the hands of cyber-crooks.
The goals of your organization’s information security (InfoSec) approach should be included in your ISP with a focus on these three core elements: confidentiality, integrity, and availability.
- Confidentiality: The first part of the triad requires keeping private information confidential, only allowing people with a right of access to see the data.
- Integrity: Although the focus of this post has been on preventing the theft of data, an ISP must also protect it from damage, additions, deletions, and alterations—acts performed deliberately or accidentally/from a lack of knowledge.
- Availability: Also ensure that people who need access to data can receive it seamlessly. Ease of access to the appropriate people serves as the balancing center of the InfoSec structure.
Penetration testing, where a consultant tries to break into your healthcare technology systems with your permission, can help you to spot any vulnerabilities. Then, these can be addressed before people with ill intent exploit them for gain. This can be so effective that regulatory bodies often suggest (or even require) this ethical form of hacking.
Although concepts inherent in an ISP are the same for all healthcare organizations, each one can have unique approaches that fall within InfoSec best practices. When formulating your cyber security solutions, consider the following:
- Successful breaches of your data in the past: How did the hacker get in? What did they do with the data they accessed? How much harm was done? What steps did you take to enhance your EHR cyber security, post-hack?
- Past breaches that didn’t affect your healthcare facilities: What cyber security solutions did you have in place that protected you? Are they still strong enough to handle today’s threats?
- Current threats: How are you keeping up with phishing schemes, ransomware attacks and so forth that are circulating? What healthcare IT solutions have you implemented to tighten up your security? Do they allow optimal access?
- Future threats: What EHR cyber security plans do you have in place to proactively protect your data? Is it a well-balanced plan?
- Communication methods: How are you communicating your ISP to your management, IT team, and other relevant stakeholders? How do you share ISP updates with them?
- IT bandwidth: Does your in-house IT team have the time and resources needed to craft an ISP and monitor its successes? Do they have time to regularly update the plan?
HealthTECH Resources for Your Healthcare IT Solutions
IT professionals with healthcare experience can be invaluable to your organization in ensuring that all necessary security measures are in place to protect patient confidentiality. It isn’t always practical or feasible, though, to have all of the cyber security expertise required in an in-house team that is busy managing other important IT projects. If you’re in this situation, then reach out to our experienced healthcare staffing service today to find qualified professionals for your organization.
At HealthTECH Resources, we seamlessly fill in staffing gaps to enhance EHR implementation and cyber security for healthcare organizations across the country. Experts from our deep and wide professional network will work alongside your healthcare IT team to identify threats and create an ISP that protects for today and has built-in protections for the future. Our professionals can also train your IT team in ISP protocols and best practices by using an engaging and interactive approach.
To get started with your cyber security solutions, please contact us online or call (602) 806-8949. We provide the experts you need for healthcare IT and EHR consulting solutions, even under stringent requirements, and they’re available as consultants, contract to hire professionals, and permanent placements.
PRESIDENT/CEO AT HEALTHTECH RESOURCES
Larry has specialized in building strategic healthcare relationships for over 25 years, helping the nation’s top payors and providers solve some of their most pressing business challenges through an intelligent mix of staffing services, training, and consulting.