Electronic Health Records (EHRs) are credited with improving patient care and care coordination, increasing patient participation in health care decisions, improving health care practice efficiency, and reducing costs of healthcare services. On the downside, EHRs also expose healthcare facilities and medical practices to significantly higher risks of data breach and cyberattacks.
As more personal and medical information is maintained electronically, a larger pool of hackers will be drawn to that information because of its high value in the cybercriminal underground.
The higher cyberattack risk in the healthcare and EHR industries is a function of several factors.
- Healthcare cyberdefenses have not kept pace with EHR expansion;
- Healthcare technology still uses embedded legacy software that has not been upgraded with enhanced security;
- Healthcare facilities and medical practices do not believe that they are at risk of experiencing a cyberattack;
- EHR information is an attractive, high-value asset for cybercriminals;
- Healthcare facilities are uniquely prone to ransomware attacks because they cannot delay the delivery of services while a network is inaccessible;
- Healthcare organizations have not defined or centralized cybersecurity teams, leaving strategic decisions to a disparate group of IT professionals who have no organization-wide authority to implement effective cyberdefense strategies.
Data Breach And Electronic Reporting
Healthcare facilities stand to lose substantial financial resources when they experience a successful cyberattack. Federal regulators, for example, imposed a $5.5 million fine against Chicago-based Advocate Health Care following that organization’s loss of a large number of patient records that were stored on a personal computer that thieves physically removed from a facility. That fine was in addition to the other costs and expenses that Advocate Health faced to recover the lost data and to establish credit-monitoring services for patients whose records had been stolen.
None of these problems indicate that the cybersecurity situation for healthcare and EHRs is beyond repair. Healthcare organizations can improve their cybersecurity environments first by taking stock of the systems and devices in their facilities and adding strong encryption protection over patient data that is generated and stored in those facilities. Those organizations should also adopt a regular program of training healthcare providers in cybersecurity basics. Because EHRs connect different nodes within the healthcare service sector, organizations should examine their supply chains to detect weaknesses and to implement the best practices that stand out within those supply chains.
From a technology perspective, healthcare organizations should consider using stronger data authentication routines and “tokenizing” sensitive data, which effectively limits access to that data to a smaller pool of individuals. EHR network access can be made more secure with biometric technology and other login procedures that raise the bar against attempts by unauthorized parties to log in to healthcare networks.
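A minimal illustration of the tokenization approach described above, as an added example that is not code from the original article: PHI fields are swapped for random tokens, the token-to-value mapping lives only in a vault, and only the listed roles can reverse it, with every reversal attempt logged. The field names, roles and sample record are constructed for the example.

```python
import secrets

# Constructed list of record fields treated as protected health information (PHI).
PHI_FIELDS = frozenset({"name", "ssn", "dob"})


class TokenVault:
    """Replaces PHI values with random tokens and restricts who can reverse them."""

    def __init__(self, authorized_roles=frozenset({"privacy_officer", "billing_admin"})):
        self._vault = {}       # token -> original value (the only copy of the mapping)
        self._reverse = {}     # (field, value) -> token, so repeat values get one token
        self.authorized_roles = frozenset(authorized_roles)
        self.audit_log = []    # (role, token, allowed) for every detokenize attempt

    def _token_for(self, field, value):
        key = (field, value)
        if key not in self._reverse:
            # Random token: reveals nothing about the value, unlike a hash of it.
            token = f"tok_{field}_{secrets.token_hex(8)}"
            self._vault[token] = value
            self._reverse[key] = token
        return self._reverse[key]

    def tokenize_record(self, record):
        """Return a copy of the record safe to store in downstream systems."""
        return {k: (self._token_for(k, v) if k in PHI_FIELDS else v)
                for k, v in record.items()}

    def detokenize(self, token, role):
        """Reverse a token only for an authorized role; log every attempt."""
        allowed = role in self.authorized_roles
        self.audit_log.append((role, token, allowed))
        if not allowed:
            raise PermissionError(f"role {role!r} may not detokenize PHI")
        return self._vault[token]


# Constructed sample patient record (no real data).
SAMPLE_RECORD = {"name": "Jane Example", "ssn": "000-00-0000",
                 "dob": "1970-01-01", "visit_reason": "annual checkup"}

if __name__ == "__main__":
    vault = TokenVault()
    safe = vault.tokenize_record(SAMPLE_RECORD)
    print(safe)  # PHI replaced by tok_* values; visit_reason unchanged
    print(vault.detokenize(safe["ssn"], "privacy_officer"))
```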
Cybersecurity insurance is the ultimate end game for cybersecurity in healthcare. The cybersecurity insurance industry is barely ten years old, but banks, professional service providers, and large corporations have jumped at the opportunity to insure themselves against the inevitable cyberattacks that they face every day. Healthcare organizations have not been as quick to procure cybersecurity insurance, possibly because healthcare providers have downplayed cyberattack risks. Situations like the Advocate Health data breach and the losses and fines that it spawned are quickly changing this perspective.
Cybersecurity insurance can reimburse healthcare entities for their direct losses from a ransomware attack or data breach. It can also provide compensation for third parties whose data was compromised in the breach and pay at least a portion of the fines that regulatory bodies might impose when a healthcare data breach creates a HIPAA or other healthcare data privacy violation. Most critically, cybersecurity insurance can keep a healthcare facility up and running to enable care providers to continue to provide necessary services to their patients.