There are constant reports of healthcare organizations falling victim to hacking. In the last three years alone, 42.5% of all data breaches occurred in the healthcare industry, and a staggering 91% of all healthcare organizations have reported at least one data breach in the previous two years.
Why is the theft of millions of health records such a common occurrence? Why is there such a barrage of security flaws within this particular industry?
It would appear that organizations in this industry, both big and small, are targeted, and IT experts are critical in helping these businesses prepare for and defend against such attacks. Here are four reasons why security is still a grave concern in the healthcare field.
The main reason healthcare organizations still neglect cybersecurity is its considerable cost. Security is so expensive for these businesses because they rely on aging systems to manage hundreds, even thousands, of legacy applications.
Older systems break more frequently, are harder to patch, and are much easier to exploit, but internal IT staff are unable to modernize them because they are not given the resources required to do so. Systems are usually held together with a thin veil of networking or code that is temperamental and difficult to repair.
EMR (Electronic Medical Record) systems are complicated and contain disjointed billing, patient intake, and similar subsystems. They also require a considerable amount of data storage, including for large medical images, which is expensive. In addition, in many hospitals different departments procure their own systems, so there is little or no central oversight.
To address cybersecurity, it is important to tackle complexity. This is the main reason so many healthcare organizations are moving to the cloud: it gives them the opportunity to eliminate or refactor applications that are no longer needed, and to consolidate several on-premises systems into a single cloud-based SaaS or PaaS solution.
Much of the work in health IT is manual, which is a considerable cybersecurity risk. One characteristic of an aging system is the need for engineers to do a large portion of the maintenance work by hand. When engineers must patch a vulnerability manually across hundreds of servers, the odds are high that a critical update on one or more servers will be missed.
When network configurations are updated manually, accidents are easy to make, such as opening a port to the wrong subnet. Every such mistake creates an open door for hackers. PHI security should not depend wholly on the memory of a single engineer or a group of engineers; however intelligent they are, no one can remember everything, and human error does occur.
When it comes down to it, the majority of security features rest on three basic principles: keeping malicious users out, restricting user access so the impact of an insider attack is limited, and constant monitoring. All three are drastically improved through automation.
Automation ensures that security policies are not only implemented but properly maintained throughout the infrastructure's lifecycle. As vulnerabilities come to light, a single alteration to an automation script can patch hundreds or even thousands of complex systems without downtime.
Automated security policies encourage the adoption of evolving industry standards and assist in maintaining a single record of network and access policies. Oftentimes, even the process of creating and implementing automated policies exposes system vulnerabilities that were previously unknown.
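The "single record of network and access policies" described above can be made executable: the declared policy is written down once, and every exported firewall rule is checked against it, so a port opened to the wrong subnet is flagged instead of relying on an engineer's memory. The following Python script is an added example and is not code from the article or from C.D.'s IT Consulting; the tier names, ports, and subnets are constructed for illustration, and a real deployment would feed it the rule export from the firewall or cloud security-group API.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Declared network policy: for each server tier (assumed names), the ports that
# may be reached and the source CIDRs allowed to reach them.
# The tiers and subnets below are constructed for this example.
ALLOWED_POLICY = {
    "emr-db":  {5432: ["10.20.0.0/24"]},                       # database: app subnet only
    "emr-app": {443: ["10.10.0.0/16"], 22: ["10.99.0.0/24"]},  # HTTPS from clinical LAN, SSH from admin subnet
}


@dataclass(frozen=True)
class FirewallRule:
    """One inbound allow rule as it might be exported from a firewall or cloud security group."""
    tier: str
    port: int
    source: str  # source CIDR


def check_rule(rule, policy=ALLOWED_POLICY):
    """Return None if the rule is covered by the declared policy, otherwise a reason string."""
    src = ip_network(rule.source, strict=False)
    tier_policy = policy.get(rule.tier)
    if tier_policy is None:
        return f"{rule.tier}: no policy declared for this tier"
    allowed_sources = tier_policy.get(rule.port)
    if allowed_sources is None:
        return f"{rule.tier}: port {rule.port} is not permitted by policy"
    # The rule passes only if its source range lies entirely inside an allowed range.
    # subnet_of() raises TypeError when comparing IPv4 with IPv6, so check the version first.
    for cidr in allowed_sources:
        allowed_net = ip_network(cidr)
        if src.version == allowed_net.version and src.subnet_of(allowed_net):
            return None
    return (f"{rule.tier}: port {rule.port} exposed to {rule.source}, "
            f"allowed only from {', '.join(allowed_sources)}")


def audit(rules, policy=ALLOWED_POLICY):
    """Return every violation found in a list of rules (an empty list means compliant)."""
    violations = []
    for rule in rules:
        reason = check_rule(rule, policy)
        if reason is not None:
            violations.append(reason)
    return violations


# Constructed sample export containing three mistakes of the kind a manual change can introduce.
SAMPLE_RULES = [
    FirewallRule("emr-db", 5432, "10.20.0.0/24"),   # matches policy exactly
    FirewallRule("emr-db", 5432, "10.20.0.0/16"),   # too broad: a /16 where policy allows a /24
    FirewallRule("emr-app", 443, "10.10.5.0/24"),   # fine: inside the clinical LAN range
    FirewallRule("emr-app", 22, "0.0.0.0/0"),       # SSH open to any source
    FirewallRule("emr-app", 3389, "10.99.0.0/24"),  # RDP was never declared for this tier
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_RULES):
        print("VIOLATION:", violation)
```

Run on every configuration change (for example as a pipeline step before the rules are applied), the check turns the policy into the authoritative record: a rule that is broader than the policy, or a port the policy never mentions, fails the audit rather than silently going live.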
The HIPAA Security Rule's Technical Safeguards section states some requirements; however, the law alone does not provide an adequate protocol for keeping data safe. It is critical that healthcare organizations take measures above and beyond the required functions in order to assure a truly secure environment.
A good example is encryption. Encryption is not mandatory under HIPAA; instead it is considered an addressable specification. Many healthcare organizations are under the impression that HIPAA compliance is a checkbox: once the infrastructure is configured it is ready to go, guaranteeing a secure environment.
This is not the case. Following HIPAA guidelines alone will not be enough, because these recommendations can take years to catch up with new technology shifts. While HIPAA provides a set of implementation guidelines and best practices, those responsible for the security of the environment need to continually reassess it.
Hackers are always probing the infrastructures of healthcare organizations, looking for vulnerabilities. Health records are ten times more valuable than credit card records, which is why attackers are so motivated to obtain them. Understandably, a healthcare organization cannot guarantee that it will never fall victim to a security breach, but it should always be working hard to do everything in its power to prevent one.
It is important to understand that while an organization cannot eliminate risk entirely, risk can be managed and minimized by proper implementation of cybersecurity best practices. It is no secret that across the US, millions of healthcare records have been stolen. Healthcare organizations therefore have an uphill battle to reduce risks and modernize systems, going beyond the guidance of the law.
C.D.'s IT Consulting LLC provides managed IT services for healthcare organizations in Indianapolis. We make sure you’re maintaining the confidentiality of PHI while complying with HIPAA. Call (317) 522-1362 ext 2 or email us at firstname.lastname@example.org for more information.