What Compromises Data Security in the Healthcare Industry?
Cyberattacks are a fact of life in the digital world. They can hit anyone, and even the largest companies are not immune. Healthcare organizations are among the most exposed, because a medical record bundles personal details, prescription numbers, and insurance information into one place. This is why data security matters so much in this industry.
Keeping electronic protected health information safe is easier said than done. The task grows harder as more patient records go digital, as those records are shared between providers, and as the volume of attacks keeps rising.
In June 2017, Anthem agreed to pay around $115 million to settle claims from close to 80 million plan holders, the largest settlement to date for a healthcare data breach. That is far from an isolated case: Safetica reports 297 cyberattacks on healthcare organizations in 2016 alone, compromising around 15 million patient records.
What are the most common causes for data breaches?
According to Safetica's data, more than 4 in every 10 data breaches are caused by shared or disclosed login credentials or by unauthorized access.
Around a third of breaches result from hacking, while close to 1 in 5 involve the theft of a computer, smartphone, or other device used to reach sensitive patient information.
Lost devices and inadequate disposal of old equipment account for most of the rest.
In short, the majority of breaches trace back to employees being careless with their access devices or their login details.
How do you protect your healthcare organization from being victimized by cyberattacks, and from the damage they do to your reputation and your finances? Start by knowing the five biggest stumbling blocks to data security.
- Lack of awareness.
Cybersecurity problems are often rooted in a lack of awareness. Most employees and healthcare professionals do not think about data security because they assume it is the IT department's job to keep data secure. They do not realize that they have a role to play and that they, too, are responsible for protecting it.
Because of this, healthcare organizations often struggle to build a culture in which security is everyone's priority. They fail to make employees understand, and then value, the security processes, equipment, and data they work with.
Without that awareness and a security-focused mindset, employees develop bad habits: they choose weak passwords, they cut corners on authentication, and they resort to shadow IT.
What is shadow IT? It is when employees access sensitive data on devices the organization has not approved, using apps the organization has not approved either. Such devices and apps sit outside patching, logging, and access control, so the organization cannot see or protect the data that flows through them.
This disregard for data security makes your employees the weakest link in your security chain.
If you want a better chance of avoiding data breaches, educate your employees and make them understand just how important data security, and the security practices they adopt, really is. Train every employee comprehensively, and adopt written policies on authorization and authentication that the training can point to.
- Outdated software
Healthcare companies are notorious for lagging behind other enterprises in technology adoption. There are still hospitals, clinics, and practices running outdated software and unsupported operating systems. They use consumer-grade routers of the kind found in homes, back up their files to rudimentary backup systems, and run unsecured guest networks that patients and other visitors can reach.
The problem is that outdated software is riddled with known vulnerabilities for which working exploits already circulate, and an unsupported operating system will never receive a fix for them. Keeping software patched and current, and investing in equipment built for an enterprise network, is one of the most important ways to keep your facility safe from cyberattacks.
- Bring your own device
Bring your own device, or BYOD, means employees use their personal devices to access their e-mail, files, and whatever else they need for their work. As smartphones have become more capable, more and more organizations have adopted BYOD policies.
With BYOD, tablets, laptops, and even smartphones are used to record data and treat patients at healthcare organizations.
But think about it. Each of these devices will hold copies of your patients' sensitive data. Each one is also an entry point into your network. Think about what happens if a doctor leaves a smartphone on a bar counter or in a cab, or if his or her laptop is stolen.
If you cannot minimize BYOD in your organization, the next best thing is to secure every device that touches sensitive data the same way you secure your servers, networks, and workstations: full-disk encryption, an enforced screen lock, the ability to wipe a lost device remotely, and no access to patient data from a device that does not meet those requirements.
- Phishing
E-mail phishing attacks are commonplace at healthcare companies because staff e-mail addresses are easy to obtain. Healthcare professionals are also a favored target because they receive a high volume of legitimate mail from outside the organization: they work with other professionals and other hospitals, and they deal with drug and equipment suppliers.
The combination of readily obtained addresses and a heavy daily flow of messages from outside parties means a phishing e-mail can be opened without anyone realizing it.
Training your people to spot the tell-tale signs of a phishing e-mail, such as a display name that does not match the sending domain, a reply address that differs from the sender, or a link whose visible text points somewhere other than its real target, helps them avoid falling victim to these attacks.
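The following is an added example, not code from the original article, showing the kind of checks a mail filter (or an alert reader) can apply to an inbound message. The trusted domains, organization names, and both sample messages are constructed for the demonstration; the registrable-domain logic is deliberately naive (last two labels) and a production filter would use the public suffix list.

```python
"""Heuristic phishing indicators for an inbound e-mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical: the organization's own domain and a known supplier.
TRUSTED_DOMAINS = {"example-hospital.org", "example-supplier.com"}
# Hypothetical: names a display name might use to impersonate those organizations.
ORG_NAMES = {"example hospital", "example supplier"}

# Constructed sample: display-name spoof, typo-squatted sender, foreign Reply-To,
# and a link whose visible text hides the real destination.
PHISHING_SAMPLE = """From: "Example Hospital IT" <helpdesk@examp1e-hospital.org>
Reply-To: reset@mail-support.net
To: nurse.kim@example-hospital.org
Subject: Password expiry: action required
Content-Type: text/html

<p>Your EHR password expires today. Reset it here:
<a href="http://portal.example-hospital.org.login-verify.net/reset">https://portal.example-hospital.org/reset</a></p>
"""

# Constructed sample: an ordinary internal message that should raise nothing.
BENIGN_SAMPLE = """From: "Dr. Lee" <lee@example-hospital.org>
To: nurse.kim@example-hospital.org
Subject: Rounds at 9
Content-Type: text/html

<p>Today's schedule: <a href="https://portal.example-hospital.org/rounds">https://portal.example-hospital.org/rounds</a></p>
"""


def _one_edit_away(a, b):
    """True if b differs from a by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def _registrable(host):
    """Naive registrable domain: last two labels (a real filter uses the public suffix list)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def _mail_domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_message):
    """Return a list of (code, detail) indicators found in an RFC 822 message string."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _mail_domain(from_addr)

    # 1. Display name claims a known organization but the address comes from elsewhere.
    if any(n in display_name.lower() for n in ORG_NAMES) and from_domain not in TRUSTED_DOMAINS:
        findings.append(("display-name-spoof", f"'{display_name}' sent from {from_domain}"))

    # 2. Replies would go to a different domain than the one shown as sender.
    reply_domain = _mail_domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"From {from_domain}, Reply-To {reply_domain}"))

    # 3. Sender domain is one typo away from a trusted domain (examp1e vs example).
    for trusted in TRUSTED_DOMAINS:
        if _one_edit_away(from_domain, trusted):
            findings.append(("lookalike-domain", f"{from_domain} resembles {trusted}"))

    # 4. Link text shows one site while the href goes to another.
    # 5. A trusted name appears as a subdomain of a host registered somewhere else.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        href_host = (urlparse(href).hostname or "").lower()
        text_host = (urlparse(text.strip()).hostname or "").lower()
        if text_host and _registrable(text_host) != _registrable(href_host):
            findings.append(("link-text-mismatch", f"shows {text_host}, goes to {href_host}"))
        for trusted in TRUSTED_DOMAINS:
            if f".{trusted}." in f".{href_host}." and _registrable(href_host) != trusted:
                findings.append(("subdomain-trick", f"{trusted} buried in {href_host}"))
    return findings


if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyze(sample))
```

None of these checks proves a message is malicious on its own, and a real filter would combine them with SPF/DKIM/DMARC results and sender reputation; the value of the heuristics is that each one corresponds to a sign a trained reader can also spot by eye.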
- Weak access controls
Access to patient records should be limited to as few people as possible: only those who need a record to do their work should be able to open it. In most healthcare organizations, this is not what happens.
The reason is simple: the organization never puts an access control system in place, so the entire database is open to everyone who can log in. Least privilege means two things here, a role that only unlocks the parts of a record the job requires, and a treatment relationship with the patient before any record is opened at all.
Internal staff errors are also one of the most prevalent causes of data breaches. Tighter access control reduces the damage any one mistake, or any one stolen credential, can do, and an audit log of who opened which record lets you catch misuse that a blanket policy would never see.
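The following is an added example, not code from the original article, of a least-privilege check for patient records of the kind described above. Roles, record sections, users, and patients are all hypothetical. Every decision is written to an audit log, and a second function reads that log to flag clinicians who keep using the emergency "break-glass" override to read records of patients outside their care.

```python
"""Least-privilege access control for patient records with audit review (added example)."""
from collections import Counter
from dataclasses import dataclass

# Hypothetical: each role unlocks only the record sections its job requires.
ROLE_PERMISSIONS = {
    "physician": {"demographics", "clinical", "prescriptions", "insurance"},
    "nurse": {"demographics", "clinical"},
    "billing": {"demographics", "insurance"},
    "receptionist": {"demographics"},
}
CLINICAL_ROLES = {"physician", "nurse"}  # the only roles allowed to break glass


@dataclass(frozen=True)
class User:
    user_id: str
    role: str


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    care_team: frozenset  # user_ids with a current treatment relationship


@dataclass(frozen=True)
class AccessDecision:
    allowed: bool
    reason: str


def check_access(user, record, section, audit_log, break_glass=False):
    """Decide whether `user` may read `section` of `record`.

    Two independent conditions must hold: the role is permitted that section,
    and the user is on the patient's care team.  Clinical staff may "break glass"
    to read outside their care team in an emergency, but the read is flagged for
    review rather than silently allowed.  Every decision is appended to the log.
    """
    if section not in ROLE_PERMISSIONS.get(user.role, set()):
        decision = AccessDecision(False, f"role '{user.role}' has no need for '{section}'")
    elif user.user_id in record.care_team:
        decision = AccessDecision(True, "member of care team")
    elif break_glass and user.role in CLINICAL_ROLES:
        decision = AccessDecision(True, "break-glass read outside care team (flagged)")
    else:
        decision = AccessDecision(False, "no treatment relationship with this patient")
    audit_log.append({
        "user": user.user_id, "role": user.role, "patient": record.patient_id,
        "section": section, "allowed": decision.allowed, "break_glass": break_glass,
        "reason": decision.reason,
    })
    return decision


def users_to_review(audit_log, max_break_glass=2):
    """Return user_ids whose successful break-glass reads exceed a threshold.

    Someone who repeatedly bypasses the care-team check is either covering an
    unusual shift or browsing records they have no business reading; either way
    a human should look at the log.
    """
    counts = Counter(e["user"] for e in audit_log if e["allowed"] and e["break_glass"])
    return sorted(u for u, n in counts.items() if n > max_break_glass)


def demo():
    """Run constructed accesses; return (decisions by label, flagged users, audit log)."""
    audit_log = []
    dr_lee = User("u100", "physician")
    nurse_kim = User("u200", "nurse")
    clerk_roy = User("u300", "receptionist")
    p1 = PatientRecord("p1", frozenset({"u100", "u200"}))  # treated by dr_lee and nurse_kim
    p2 = PatientRecord("p2", frozenset({"u999"}))          # treated by someone else
    p3 = PatientRecord("p3", frozenset({"u999"}))
    p4 = PatientRecord("p4", frozenset({"u999"}))

    results = {
        "nurse_own_patient": check_access(nurse_kim, p1, "clinical", audit_log).allowed,
        "nurse_prescriptions": check_access(nurse_kim, p1, "prescriptions", audit_log).allowed,
        "clerk_clinical": check_access(clerk_roy, p1, "clinical", audit_log).allowed,
        "physician_other_patient": check_access(dr_lee, p2, "clinical", audit_log).allowed,
        "physician_break_glass": check_access(dr_lee, p2, "clinical", audit_log, True).allowed,
        "clerk_break_glass": check_access(clerk_roy, p2, "clinical", audit_log, True).allowed,
    }
    # nurse_kim "breaks glass" on three patients she does not treat: a snooping pattern.
    for rec in (p2, p3, p4):
        check_access(nurse_kim, rec, "clinical", audit_log, break_glass=True)
    return results, users_to_review(audit_log), audit_log


if __name__ == "__main__":
    decisions, flagged, log = demo()
    for label, allowed in decisions.items():
        print(f"{label}: {'allowed' if allowed else 'denied'}")
    print("users to review:", flagged)
```

Note that the role check runs before the break-glass branch, so a receptionist cannot use the emergency override to reach clinical data at all; the override only relaxes the treatment-relationship requirement, never the role's scope.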
Photo courtesy of Hamza Butt (Flickr).