Patient health data and financial information are two attractive and lucrative targets for cybercriminals. Hackers who are able to breach a healthcare provider's data security use this information to commit identity theft or medical insurance fraud. That payoff is fueling more attacks on the healthcare industry than ever before, and while hospitals house larger troves of valuable data, smaller practices shouldn't assume this means they won't be targeted.
Four out of five healthcare executives report that their IT has been compromised by hackers, according to a recent KPMG survey. Yet despite the mounting attacks, few providers are adequately prepared to defend their data. The survey found that just 53 percent of providers and 66 percent of payers consider themselves ready to defend against an attack.
"The magnitude of the threat against healthcare information has grown exponentially, but the intention or spend in securing that information has not always followed," Michael Ebert, a KPMG partner and healthcare leader at the firm's cyber practice, told CFO magazine.
Cybercriminals are becoming increasingly sophisticated in the technologies and methods they use to deploy attacks and access secure data across industries. Yet a number of factors make healthcare providers more vulnerable to a cyberattack: antiquated EHR and clinical applications that lack up-to-date security provisions, the automation of clinical systems, and the ease with which patient health information spreads across internal laptops, thumb drives and mobile devices as well as external cloud-based storage solutions and third-party systems.
With so many points of entry and egress for data, hospitals and clinical practices must take a unified, comprehensive approach to keeping cybercriminals at bay.
The high cost of poor preparation
A data breach can be disastrous for a practice, both financially and in terms of community reputation. While half of healthcare providers reported that regulatory enforcement was a top concern with cybersecurity, 45 percent listed litigation, according to the KPMG survey.
Keep in mind that it's not only a cyberattack that triggers a data breach or forces patient notification. The HIPAA Breach Notification Rule requires covered entities to notify affected patients within 60 days of discovering a breach, no matter how much time has lapsed between the breach itself and its discovery.
The requirements also apply even if the data wasn't used for nefarious gain and was safely restored and corrected. When an employee at Rady Children's Hospital in San Diego accidentally emailed an attachment including patient data to four job applicants, believing the file to be a training exercise, the security team didn't spot the breach until two years later. Yet when they did, the event caused the hospital to mail more than 20,000 HIPAA data breach letters to its patients.
Receiving such a notice can dramatically shake a patient's faith and trust in the practice. When patients flee following a data breach, a practice's bottom line takes a hit as well.
When it comes to data security, prevention is key. Here's how to shore up your cybersecurity to minimize vulnerabilities and help ensure the safety and security of your patient data.
1. Take a data inventory. A thorough security management initiative begins with understanding where practice data is collected, how it's transmitted and where it's stored. You can work with an internal IT provider or a third-party security expert to develop a framework for safely accessing and shepherding data across your practice's information ecosystem.
2. Shore up compliance. The evolving nature of health IT makes it all too easy to let security protocols slip out of date. Now is the time to check your practice's adherence to the National Institute of Standards and Technology's Risk Management Framework and to make sure your patient health IT practices are in accordance with HIPAA standards.
3. Prioritize training. Your administrative staff might not knowingly make the practice more vulnerable to a data breach, but that's just what could be happening if they use mobile devices or flash drives to access clinical data while out of the office. Set periodic training reviews for all staff to cover best security practices, including limiting remote access via laptops or mobile devices and logging out of portals when not in use.
4. Make a breach plan. The time to decide how your practice will handle a cyberattack or suspected data breach isn't when emotions are high but when you can calmly consider the scenario from all angles. Make a plan now, including details such as which vendors and third-party contractors would need to be notified and when, as well as which systems and applications would need to be locked down. Then distribute the plan to all employees and store a hard copy in the office so everyone knows exactly what steps to take should a data disaster strike.