Best Practices for Addressing Hospital Data Vulnerabilities

Increasingly, hospitals, physician offices and other providers are encouraged to share patient information with one another quickly in order to provide higher quality, more coordinated care. Many physicians are also requesting the ability to access data and communicate with nurses and other care providers on smartphones.

While these technological advances are exciting and make caring for patients more effective and efficient, they can also leave hospitals vulnerable to data breaches. "We've seen a huge increase in hacking attempts," says Brian Doerr, senior vice president of IT for Community Hospital Corp. "Hospitals are putting in new technologies, but if they're not careful, they can open themselves up to more and more of that."

Of concern is the initial expense of installing stricter security measures along with new technologies. "Security technologies are not inexpensive," says Mr. Doerr. With many hospitals operating on razor-thin margins, it can be a difficult decision to invest in security measures if there has never been a data breach problem in the past.

Even though the initial investment in security measures can be a financial hit for hospitals and health systems, it is still much smaller than the cost of an actual data breach. "If you don't [address this] and you do have a major breach, it could close the doors of the hospital," Mr. Doerr says. The combined cost of possible lawsuits stemming from a patient information breach and the public relations and reputation cost that could shrink the organization's patient base can have a large impact on a hospital's revenue.

What to do

"Security is vital to the continued success of a healthcare organization," says Mr. Doerr.
Since the impact of an IT security breach can be extremely high, it is critical to find and address any security issues as soon as possible. Organizations can do so by following these best practices:

Perform a security risk assessment

The first and most important step to making a hospital's or health system's IT system less vulnerable is to perform an annual security risk assessment, headed by the IT team with executive sponsorship.

A risk assessment was the first step William Toon, CIO of Baptist Hospitals of Southeast Texas in Beaumont, took at his system's hospitals. "Delaying or failing to deal with security is failing our patients. A risk assessment certainly should be the first step for other organizations," he urges. "It helps prioritize [how to use] limited resources based on actual data, not anecdotal evidence."

The risk assessment looks at the network both internally and externally. Internally, hospitals and health systems should assess the risk of each IT system based on who can reach it. Externally, an organization can bring in an outside resource to run vulnerability scanning tools against the network from the internet. "That measures exposure to people attacking from the outside," Mr. Doerr explains.

Another important aspect of the risk assessment is what Mr. Doerr calls social engineering. "Have someone come into the environment and attempt to gain access to information that he has no right to," explains Mr. Doerr. A common way to do this is to send someone in undercover with a fake badge, claiming to be a new IT team member. The majority of the time, Mr. Doerr says, that person is allowed access to information he or she should not be able to see. "It's an education measure," he explains, and he urges organizations to train employees on the lessons learned during a social engineering exercise.

Implement necessary fixes

After the risk assessment is completed, hospitals and health systems can then take necessary steps to fix any vulnerability found in their IT systems.

After the security risk assessment at Baptist Hospitals of Southeast Texas, Mr. Toon and the IT team took several steps to secure its IT system and protect patient data.

First, the system implemented email encryption. "Encryption allows us to set parameters to look for [sensitive] information and attachments, and encrypt it automatically. It's a huge security step for us and has really paid dividends," Mr. Toon says.
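The rule Mr. Toon describes, an outbound gateway that inspects mail for sensitive content and attachments and encrypts automatically when it finds them, is easier to reason about as code. The block below is an added example written for this page; it is not Baptist Hospitals' or any vendor's implementation. The identifier patterns, keyword list, attachment types, the hypothetical `hospital.example` internal domain and the sample messages are all assumptions chosen for illustration.

```python
"""
Added example of a content-inspection rule for an email-encryption
gateway. Not the hospital's or a vendor's code. Patterns, keywords,
attachment types and the internal domain are illustrative assumptions.
"""
import re
from dataclasses import dataclass, field

# Illustrative indicators of protected health information (PHI).
# Not an exhaustive list of HIPAA identifiers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Hypothetical medical record number format, e.g. "MRN 4521873" (assumption).
MRN_RE = re.compile(r"\bMRN[:\s#]*\d{6,8}\b", re.IGNORECASE)
DOB_RE = re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b",
                    re.IGNORECASE)
PHI_KEYWORDS = {"diagnosis", "lab results", "prescription", "discharge summary"}
# Attachment types that usually carry clinical or billing exports (assumption).
SENSITIVE_EXTENSIONS = {".pdf", ".xls", ".xlsx", ".csv", ".doc", ".docx", ".dcm"}
INTERNAL_DOMAIN = "hospital.example"  # assumption: the in-house mail domain


@dataclass
class OutboundMail:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def leaves_organization(mail):
    """True if any recipient address is outside the internal domain."""
    return any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in mail.recipients)


def find_phi_indicators(mail):
    """Return the reasons a message appears to carry PHI (empty if none)."""
    text = f"{mail.subject}\n{mail.body}"
    reasons = []
    if SSN_RE.search(text):
        reasons.append("ssn_pattern")
    if MRN_RE.search(text):
        reasons.append("mrn_pattern")
    if DOB_RE.search(text):
        reasons.append("dob_pattern")
    lowered = text.lower()
    for kw in sorted(PHI_KEYWORDS):
        if kw in lowered:
            reasons.append(f"keyword:{kw}")
    for name in mail.attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in SENSITIVE_EXTENSIONS:
            reasons.append(f"attachment:{name}")
    return reasons


def decide(mail):
    """Gateway policy (assumption): encrypt external mail carrying PHI
    indicators; internal mail with PHI is allowed but flagged so the
    reasons can be logged; clean mail passes unchanged."""
    reasons = find_phi_indicators(mail)
    if reasons and leaves_organization(mail):
        return "encrypt", reasons
    if reasons:
        return "allow_internal", reasons
    return "allow", reasons


# Constructed sample messages (not real mail).
SAMPLE_PHI_EXTERNAL = OutboundMail(
    sender="nurse@hospital.example",
    recipients=["referral@clinic-partner.example"],
    subject="Discharge summary for patient",
    body="MRN 4521873, DOB 03/14/1962. Diagnosis attached.",
    attachments=["summary.pdf"],
)
SAMPLE_CLEAN_EXTERNAL = OutboundMail(
    sender="it@hospital.example",
    recipients=["vendor@supplier.example"],
    subject="Meeting Tuesday",
    body="Can we move the 10am to 11am?",
)
SAMPLE_PHI_INTERNAL = OutboundMail(
    sender="lab@hospital.example",
    recipients=["dr.smith@hospital.example"],
    subject="Lab results",
    body="Lab results for MRN 1234567 are ready.",
)

if __name__ == "__main__":
    for m in (SAMPLE_PHI_EXTERNAL, SAMPLE_CLEAN_EXTERNAL, SAMPLE_PHI_INTERNAL):
        action, why = decide(m)
        print(f"{m.subject!r}: {action} {why}")
```

Two caveats a practitioner will want: pattern matching of this kind produces false positives (any 3-2-4 digit string is treated as an SSN) and false negatives (PHI in a scanned image attachment is invisible to text rules), so the gateway should default to encrypting on doubt and the rule set should be reviewed against the organization's actual identifier formats.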

After email was addressed, Mr. Toon and his team focused on internet security and content filtering. "We put in place multiple systems that allow us to track internet activities, block malicious sites automatically and block viruses," he says. "That has lowered the incidence of malware in our environment." Before installing these systems, the hospital system saw 10 to 15 malware incidents per month. Now, Mr. Toon says, the number is down to one or two each year.

Baptist Hospitals of Southeast Texas also restricted physical access to protected health information. Mr. Toon and the IT team made sure computer screens in public areas were not visible to patients and others walking by, and implemented automatic screen locks and time-outs on workstations to further protect patient data.

Overall, performing the risk assessment and implementing new security measures may seem like a large up-front expense, but in the end can help protect an organization from potential legal or public relations issues down the road. Implementing email encryption and internet protection as well as limiting physical access to information based on vulnerabilities found during the risk assessment are effective ways to protect a hospital or health system from a costly data breach.


Copyright © 2024 Becker's Healthcare. All Rights Reserved.