Cyberattacks targeting electronic medical records are on the rise, and stopping the resulting data breaches will take a complete overhaul of how that data is protected. The healthcare community, including health insurance carriers, cannot afford to be complacent about this threat. It needs to bring outside security specialists on board to build protections and hold them, and itself, to exacting standards of vigilance.
Hospital IT departments and medical groups are not cybersecurity experts. Their job is to keep the network running as an information highway that gives doctors, nurses, rehabilitation specialists, pharmacies and laboratories fast access to large volumes of patient information.
The two biggest threats to these digital record stores come from identity thieves, who want the financial and identifying data in a patient file, and from ideologically motivated intruders who rummage through medical databases to expose individuals' health status. The latter appear to hold a distorted version of the Open Access Movement's idea of a public right to know.
It is not hard to imagine what such break-ins can reveal: whether a particular woman had an abortion, whether a candidate for public office is under a doctor's care, whether a government official is gathering material to damage the reputation of an ideological opponent, and other intrusions of this kind. So far, patients' main recourse has been the class-action lawsuit, but that is a reactive strategy when a proactive plan is warranted.
In March 2015, Washington-based Premera Blue Cross disclosed a breach of the records of 11 million current and former customers; thirty-eight class action lawsuits have since been filed alleging identity theft. Gizmodo reports that another 1.5 million health records were exposed in September 2015 because they had been left publicly accessible in storage hosted on Amazon Web Services; the cloud platform itself was not breached, the data were simply left unprotected. Sutter Health notified 2,500 people that an employee had emailed their sensitive medical information to a personal account: negligent insiders pose as grave a risk to patient data as outside attackers. The revelations of cybersecurity risks to medical information seem endless.
Furthermore, HealthCare.gov data held in a computer system with known security flaws left the Social Security numbers, names, birth dates and phone numbers of millions of people exposed. The agency now says it will run weekly vulnerability assessments of the $110 million system. Why was that not part of the established protocol from the start?
A 2014 report on the state of cybersecurity in healthcare organizations by the SANS Institute finds that risk increases as healthcare providers rely more on mobile devices, which are harder to secure than desktops and laptops, to deliver health information. SANS further notes that respondents have growing concerns about the security of patient information available online and through mobile apps.
Healthcare managers are trying to protect vulnerable data on legacy systems while complying with regulations. It is a complex problem, but strides are being made. Data are being encrypted at the point where they are created. Breach detection systems (BDS) are among the newer technologies in the defensive toolkit, defenses against advanced persistent threats (APTs) are coming into service, and controls over cloud-hosted data are improving.
Nevertheless, according to the same SANS report, only 24% of those surveyed believe their ability to counter security threats is adequate, and only 6% rate their cybersecurity systems as excellent. Sadly, only the largest and most profitable healthcare providers can afford security technologies that produce no revenue of their own.
We recommend an enhanced version of the tips provided by HealthIT.gov. First, create a security culture: train everyone who touches the organization, from management to housekeeping, and including patients, suppliers and volunteers, in the security measures in place and the need for vigilance. Mobile devices need protection along with every computer system in the facility. Firewalls and anti-virus software must be installed and kept up to date. Tests and assessments must be done on a regular schedule, and passwords must be changed (current guidance favors changing them whenever compromise is suspected rather than only on a fixed calendar). Finally, access to patient information must be limited to what each person's role actually requires.