Recent high-profile cybersecurity breaches underscore the immense challenges of electronic data protection.
The Equifax credit bureau incident reported in September exposed sensitive financial records of nearly half the U.S. population. Last year, Yahoo announced the largest data breach in history, affecting more than one billion users. The only safe assumption about cybersecurity is that every industry that shares and stores sensitive information is vulnerable – making healthcare a prime target.
The good news is that protecting information is already routine in healthcare. For more than two decades, the Health Insurance Portability and Accountability Act (HIPAA) rules have outlined administrative, technical, and physical safeguards for personal health information privacy in the United States. HIPPA adherence satisfies legal requirements for protection, but many experts agree it does not necessarily instill the ongoing vigilance needed to ward off the increasingly intricate cybersecurity threats we face today. In short, HIPPA, itself, is not a cybersecurity strategy, and data breaches in healthcare are on the rise.
The U.S. Department of Health and Human Services has received more than 300 breach reports to date for the current year – more than twice the number reported in 2016. Hospitals and health insurers were targeted the most. Companies that they contract with, including data management and quality solutions providers, comprised the rest.
While only a small percentage of the healthcare breaches involved outside vendors, these trends warn that companies can leave hospitals and health systems vulnerable to attacks. In other words, finding a vendor that is vigilant on cybersecurity is just as critical as safeguarding internal organizational processes. The following tips offer guidance for hospital decision makers on choosing vendors committed to cybersecurity.
1) Talk about cybersecurity, and then talk about it more. No company should shy away from this topic. For example, at Q-Centrix, we aim to provide a level of transparency that allows our clients to rigorously assess our cybersecurity standards and practices. Plus, organizational workflows and processes are constantly changing, including those supported by outside vendors. Thus, uncovering a potential weakness and resolving it is a continuous process. Cybersecurity should be a discussion focal point before any agreement is signed and then continue as part of an ongoing dialogue between the vendor and client. One way hospitals can approach this is to form an information security taskforce that vets all vendors and reviews their cybersecurity practices on an annual basis.
2) Find out if the vendor meets the industry “gold standards.” When it comes to cybersecurity, ongoing vigilance is key. Best practices include regular vulnerability scans and penetration testing. A vulnerability scan uses a computer program to detect weak points in computer networks and equipment, such as identifying breach-susceptible software code. Code manipulated by hackers can cause major disruptions, including the unmasking of encrypted information. Penetration testing takes things a step further to demonstrate how effective a company’s existing security controls are in detecting and responding to an attack. Companies should be able to tell clients if they recently underwent these assessments. Those that skip them remain in the virtual dark about their cybersecurity weaknesses.
3) Ask about the vendor’s vendors. You may be confident your vendor’s processes are secure, but what about the companies it subcontracts? The amount of work that is outsourced, and to who, may impact cybersecurity. Companies that use their own staff, where possible, generally have more control over how individuals access sensitive information. For example, at Q-Centrix, we have a client services team of more than 800 quality experts who we can verify are handling electronic medical record data in accordance with our security standards. However, for email and cloud data storage, we need to rely on outside support. For this, we turn to reputable names in the industry that have strong track records of keeping information safe.
4) The little things matter. Vendors whose services are driven by multiple users who view, add, or edit sensitive information should incorporate the latest login security controls – so find out if yours do. This may seem like a small detail, but it can mean the difference between breach and no breach. One relatively easy-to-implement protection that builds on the long-time username and password model is two-factor authentication. This requires users who begin signing in with a password to retrieve and enter a second code sent via email or text message to a smart phone or other preferred device. Many credit card companies and email providers, such as Google, are already using this technology to improve security – and it’s quickly becoming the norm in the healthcare data management and quality space.
5) Ask if the vendor has cyber-liability insurance. Businesses based on sharing and storing sensitive information over computer networks, including data management and quality solution providers, should consider purchasing cyber liability coverage. Policies come in many flavors, but generally cover a company’s liability for a breach of customer data, such as personal health information. It typically includes recovering compromised data, notifying clients about a breach, and restoring personal identities for affected individuals. Finding a best-fit is paramount to protecting any business.
Following these tips will help you seek out vendors that value your cybersecurity as much as they do their own. The companies that do it well aren’t just following the best practices but are constantly challenging the status quo to create them.
Mitchell Bragg, Esq., also serves as Q-Centrix’s Privacy and Security Officer, providing oversight of the company’s information security program. In October, he participated in an expert panel discussion on cybersecurity at the Healthcare Information and Management Systems Society 2017 Midwest Fall Technology Conference in Indianapolis.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.