From March 12-18, 2017, healthcare organizations across the country are celebrating Patient Safety Awareness Week. While the campaign’s traditional focus has always been reducing harm in on-site care, information security is also critical to patient safety. An organization’s inattention to cybersecurity can be dangerous to patients, affecting their safety, identity and financial welfare.
Because the data in an electronic health record (EHR) brings a high price on the black market, IBM predicts the industry will see a growing number of threats in 2017. Despite constant pressure to lower healthcare costs for consumers, healthcare organizations cannot afford to treat cybersecurity as a low business priority. Instead, they must invest in the practices, processes and technologies needed to protect health data and sustain patient trust.
Here are four tips that healthcare leaders, and leaders in other industries, can consider to better protect their patients' and customers' information, finances and safety:
Identify your vulnerabilities.
To address the growing number of cybersecurity threats, healthcare organizations must strengthen their security strategy and adopt a defense-in-depth approach with multiple layers of protection. Before an integrated data protection plan can be built, the organization must thoroughly assess its risk and map where its most critical information is stored and how it travels. That information should then be protected at the data level itself, not only at the network perimeter, so that it remains protected both while in use and while at rest.
Weave security into your organization’s culture.
According to IBM, 68 percent of all network attacks targeting the healthcare industry came from within, and two-thirds of those involved unsuspecting employees: staff who fell for phishing scams, lost laptops, misconfigured servers, and made similar mistakes. For this reason, it is imperative that organizations in the industry establish a security-first culture. This starts at the top, with business leaders setting the example by taking responsibility for making data security one of the organization's core values, reinforced through frequent and ongoing training.
Protect data on mobile devices.
Mobile computing devices and "smart" technology have enabled significant strides in integrated and holistic medical care. Remote outpatient clinicians, home care clinicians, health insurance providers and patients themselves rely on everything from tablets to heart monitors to collect, store and access protected health information (PHI) and personally identifiable information (PII). Maintaining the confidentiality, integrity and availability of this data is critical, whether the device is online or offline. Additional risk arises if a device is lost, stolen or breached. Organizations can gain a better handle on their employees' and patients' devices with data protection that encrypts data on the device, securely erases it when it is no longer needed, and does so in real time without any noticeable change for the end user. Additionally, healthcare organizations should develop and enforce policies that specify the circumstances under which devices can be removed from the facility and what must happen, such as reporting and remote wipe, when one is lost or stolen.
Create an effective incident response plan.
Cybersecurity threats are part of daily operations, in healthcare and in other sectors, and an incident can happen at any time. Organizations should have a well-trained cybersecurity response team on call, but they should also have policies and training for non-IT employees so that everyone knows what to do in the critical minutes following a breach. Breach response plans must be kept up to date, rehearsed, and ready to execute immediately to prevent a stall in operations, especially in healthcare organizations, where every second counts in saving lives.
What do you think? Share comments and feedback with our senior reporter Ariel Robinson on Twitter at @ArielAtWork or by email at ariel@washingtonexec.com!