Security continues to be top of mind for healthcare professionals, and according to a Health IT Outcomes survey, PHI security is the top 2016 priority for more than 42% of healthcare executives. The risk of being hacked today is increasing exponentially due to the huge surge in devices and data being used and shared.
Over the last few years, healthcare systems have been targeted by various security threats. In 2015, major health insurers Anthem, Premera and Excellus headlined a long list of hacked healthcare organizations in the United States. These three organizations alone resulted in the leak of more than 100 million patient records, and the Anthem breach by itself more than doubled the number of people affected by breaches in the health industry since 2009.
Hackers in the healthcare system are like bacteria, mutating quickly to change the way they attack. In order to stay a step ahead and protect critical PHI, healthcare organizations must stay on top of what’s happening, try to predict hackers’ next moves and understand how and where PHI is shared. Healthcare providers will need to be more proactive about potential hacks and take security threats more seriously by:
- Educating physicians on the value of security: Many physicians experience a slowdown in their daily processes when security is added to their systems – taking time away from their patient visits. Security can also be expensive to add for healthcare organizations. While antivirus solutions have become reasonably inexpensive, other necessary solutions like data loss prevention (DLP) and encryption can cost significant amounts not only to purchase, but to implement and support. Organizations need not only to balance security controls to ensure they don’t impede physicians’ efficiency, but they also need to work with physicians to help them understand that value of security outweighs both of the aforementioned concerns. A data breach not only means that protected patient health information is exposed, but also threatens the reputation of the provider organization.
- Understanding how vendors store and transmit patient data: So much patient information lives in external, third-party organizations. However, IT security is a complex issue, and that complexity – along with the overwhelming number of vendors in the space – can be off-putting to clinicians. Providers have an obligation to their patients to understand and ensure that these organizations are taking measures to protect that critical information. Periodically, providers must compare each healthcare organization’s benefits, and also look at how each vendor stacks up when it comes to security procedures by asking questions like, “When was your last risk assessment?”, “How do you encrypt data when it is stored?” or “What data do you share with third-parties?” Providers have an obligation to themselves, and more importantly, to their patients to thoroughly vet every vendor they share their PHI with.
- Understanding recent updates to privacy and security rules: Despite recent breaches, many providers still don’t understand the privacy and security regulations. Too many physicians I meet have lingering confusion about HIPAA, as well as standard security protocols. Privacy and security laws and regulations are constantly updated to account for the ever-changing risk landscape and protect consumer privacy. Physicians must be up-to-date on these healthcare regulations to not only prevent a hack, but to ensure that patient information remains protected.
More physician education needs to take place related to the intricacies of the healthcare system and the responsibilities and security procedures of healthcare organizations. In 2016, I trust that providers will look at more ways to partner with physicians and improve their efforts around the issue. Security is invaluable and needs to be managed more carefully as everyone’s personal data is on the line.