No company is immune from the risk of information security attacks or breaches. Healthcare organizations may be at greater risk than other types of businesses, due to a number of factors including the vast amounts of information captured in healthcare organizations’ systems, the fact that workers in multiple locations may be accessing that information, and limited security measures in place.
Understanding the Risk
Keeping patient, clinic and hospital information secure is critical, but that’s a challenge that is becoming more difficult to address as the number of attempted breaches rises.
According to the U.S. Department of Health and Human Services (HHS), the causes of healthcare system breaches run the gamut from email security breaches and lost devices to poor network security and hardware intrusion. The number of breaches currently under investigation (as tracked by HHS) and the number of affected patients are staggering. In August 2017, data breaches had already affected more than 3.16 million patients’ records in the first seven months of the year alone. When Anthem, Inc. was hacked in 2015, 79 million people’s personal information was compromised in one attack.
When an attack or breach occurs, the outcome can be devastating for the organization. According to the Ponemon Institute, the average health care data breach costs about $380 per record impacted. The average total cost of a data breach in the U.S. is $7.35 million, which includes fines that can reach millions of dollars. It is critical to identify and implement best practices to help strengthen your healthcare business’ information security readiness.
Analyze Your Risk; Then Deploy Healthcare Information Security Solutions
Before you can implement solutions designed to protect patient information, you need to understand the risks your organization faces. Where are your risk points? That list may include your applications, end users, remote locations, back end systems and more.
Your information security solutions should include all of the following elements:
- Breach detection
- Secure email architecture
- Data analytics and logging tools
- Business continuity plan
- Disaster recovery plan
- Cloud and data center
- Data loss protection
- Identity and access management
- Encryption for mobile devices, portable media, backup tapes
- Risk and compliance policies and procedures
Test for Weaknesses
Don’t assume that your information security measures are working; regular testing can help you identify potential weaknesses and vulnerabilities before would-be attackers discover them.
Don’t Forget the Human Element
No matter how seemingly foolproof your information security protection is, if your users don’t understand their roles and processes, they could inadvertently help facilitate a breach. Make sure user roles and security are defined appropriately, and that users understand they play an important role in protecting patients’ health information.
Similarly, it’s naïve to think that you will never have a breach, so make sure your issue response procedures are clear and that users know how to contain and react to breaches.
Social engineering exercises and security awareness training modules can be a valuable way to audit your employees’ preparedness to identify potential attacks, and they provide hands-on training that helps strengthen your defenses. Similarly, incident response planning can ensure your team is ready to handle a “real” attack when it happens.
Take Additional Steps to Protect Patient Health Information
Your healthcare organization captures, uses and retains a significant amount of confidential patient information. Without appropriate information security measures in place, your systems and that patient information are vulnerable to potential hackers, denial of service attacks, viruses and malware, and other risks.
Deploying advanced solutions can help keep information confidential and secure more effectively than selecting an off-the-shelf solution. For example, Enterprise Managed Intrusion Detection and Prevention services can be tailored to identify and mitigate your organization’s specific risks of being targeted.
Intrinium works with healthcare organizations of all sizes, helping address managed IT service needs, providing IT consulting and IT project management services, technical support, network management, managed security and monitoring services, compliance and audit services and much more. To learn more about how we can help protect the confidentiality of your patients’ information, contact us today at 866-461-5099, or online.