As healthcare has evolved to include more interoperability, telehealth, value-based care, and more, so has our definition of “patient care.” Caring for patients now involves addressing social determinants of health, combating misinformation, and protecting patients’ data and health information.
Cybersecurity threats are increasingly common, costly, and disruptive. There were 958,000 health records breached in January alone. The industry is a major target for bad actors due to its size, the value of patient data on the “dark web,” and its many stakeholders — patients, providers, payers, vendors, and more. While technology can help connect patients with providers, enhance the patient experience, and improve health outcomes, it is imperative that this technology be adopted with careful attention to security.
The COVID-19 pandemic has exacerbated healthcare’s cyber vulnerabilities. Relaxed regulation of telehealth, increased remote work, and other changes, while necessary, created opportunities for attacks. With cyber-scammers now using vaccinations to phish and prey on patients, cybersecurity is top-of-mind for many. Combating these threats is one of the many hard lessons the pandemic has illustrated. We can apply these lessons to better understand how practices can safeguard their patient data.
How to Optimize Cybersecurity and Compliance at Your Practice
Addressing cybersecurity and compliance at your practice can be intimidating. The good news is you don’t need to do it all yourself. Two questions every practice or office manager should consider are: What can we do ourselves? What should we outsource to experts?
Practices can start by creating a culture of cybersecurity and compliance, adding related discussions to weekly or monthly meetings. Rather than a one-time or annual info dump, consider implementing a routine cadence so cybersecurity is a priority. Emphasize the “why” of cybersecurity and compliance before focusing on the “how.” Incorporate “active” training, such as simulating a phishing attack, as well as “passive” training, such as watching an informational video. This can lead to increased buy-in from all staff by stressing the vital role each person has in protecting patient data. As Harvard Business Review noted, “Human error, including falling for phishing attacks, is the leading cause of major security breaches today. Health care systems should regularly remind people of the importance of information security best practices through required training, strategic reminders, and other means.”
ChristianaCare’s Chief Information Security Officer, Anahi Santiago, echoed this idea in an interview with Healthcare IT News: “Cybersecurity isn’t just about blocking and tackling or about process and technology. The human component is integral to the success of information security programs.” Once you’ve emphasized the important role providers and staff play in guarding patient data, focus on actionable steps to improve your cybersecurity and compliance. The Department of Health and Human Services (HHS) offers a thorough list of cybersecurity tips for healthcare:
- Establish a Security Culture
- Protect Mobile Devices
- Maintain Good Computer Habits
- Use a Firewall
- Install and Maintain Anti-Virus Software
- Plan for the Unexpected
- Control Access to Protected Health Information
- Use Strong Passwords and Change Them Regularly
- Limit Network Access
- Control Physical Access
Furthermore, the Advisory Board recommends practices “ensure regular technology updates or patches, conduct annual employee training programs, execute backups and ongoing testing.” Implement two-factor authentication for an added layer of protection, and consider purchasing cyber liability insurance. You might also create a risk management protocol and inventory of all systems that contain — or could contain — electronic protected health information (ePHI).
For the next level of cybersecurity protection, you may consider partnering with a specialized organization. A trusted, experienced cybersecurity partner may offer the following services:
- Routine vulnerability scans
- Antivirus and malware protection for servers
- Review of firewalls for compliance and best practices
- Updated HIPAA security policies
- Assistance with Security Risk Assessments (SRAs)
- Monitoring for large downloads that could indicate data exfiltration
Finding the right partner will depend on your organization. Hospitals and small, independent practices have vastly different cybersecurity needs. However, the right partner can provide more than technical support and expertise. For instance, they can translate complex regulations into digestible steps and insights. A partner may even provide access to advanced technology tools, such as artificial intelligence (AI) and robotic process automation (RPA), to improve the patient experience and provider workflows.
An increased focus on cybersecurity and compliance will extend far past the pandemic, especially as interoperability and remote patient monitoring (RPM) advance. Breaches not only harm patients by exposing their health information, but may also carry hefty fines and cause reputational harm to your practice. Therefore, practices should address the threats head-on by creating a culture of compliance, taking actionable steps, and considering an IT partnership to increase capabilities.