Yes, Small Hospitals Can Have Big League Data Security

By Brian Stone, VP of Customer Success, FairWarning
Twitter: @FairWarningInc

Healthcare IT security pros face the important and difficult task of keeping patients’ sensitive data secure. This type of data is a prime target for cybercriminals, since health records contain more personal data points than, say, credit card data and cannot just be reissued if a breach occurs. Consequently, health data sells for far more on the black market than other types of stolen information.

This underscores the need for a robust healthcare security and compliance strategy. But for community or smaller regional hospitals, it is often challenging for IT teams to garner the financial backing and support from executives that they need to comply with regulations and keep patient data safe. With the right tools and support, though, it is possible to craft a culture of privacy and security at small hospitals that will reduce the number of incidents.

Data, Data Everywhere
A common misconception among community or regional hospitals is that they don’t need the same level of security as the big players in the healthcare space. They can’t possibly be as attractive to cybercriminals as the big medical centers, right? But what they don’t know is that they are more likely to be targeted due to their perceived weaker security protocol.

Another security threat comes from the healthcare industry’s adoption of cloud-based applications, which have become business-critical, storing vast amounts of sensitive or proprietary information. Smaller organizations are the gatekeepers to massive quantities of patients’ private health information but may not realize it. Privileged insiders like network administrators or users with elevated permissions have access to this information and may carelessly or maliciously misuse it, causing audits, exposure to risk and heavy fines.

Large healthcare systems have the financial and personnel resources to dedicate to a robust privacy and security program. This, in turn, allows them to better handle the full lifecycle of privacy and security incidents and drive risk out of their organizations. So, attackers target community hospitals because they tend to have weaker security measures.

The wider problem here is that an attack on a community hospital compromises more than just its own data. These facilities are connected to bigger hospitals through systems that give them access to the larger organizations’ data as well – including systems shared after a merger or acquisition.

This sharing of information is common in the era of electronic health records (EHRs).

Patients seen at a community healthcare organization sometimes need to go to a larger organization for treatment. So, the organizations are sharing patient data. This creates greater risk, as it allows for even more people to have access to patient records. This trend is increasing as the industry pushes for more access to health records. How is your small hospital going to protect them?

Strengthening Your Security Posture
Just because smaller hospitals have limited resources doesn’t mean they are helpless against today’s cyber-attacks. Here are three primary ways that community and regional hospitals can protect themselves and their counterparts:

  1. Use Cloud Monitoring
    The more insight you have into how users are interacting with your applications, the more you can secure and optimize your business systems to produce the best outcomes possible. By monitoring your cloud-based environment, you can avoid regulatory fines and business interruption and ensure trust among customers. Monitoring provides the added benefits of greater visibility into usage and adoption, performance and compliance.
  2. Train Your Workforce
    Training in compliance, security and accountability helps to create a strong culture that benefits everyone. Training users on security and regulations contributes to a successful strategy. Governing and sanctioning offenders strengthens accountability, but rewarding positive behavior will further strengthen your culture. The idea is to move towards preventing data breaches due to insider error rather than discovering them after the fact.
  3. Call in the Experts
    Smaller hospitals often lack specialized IT skills, so a third party can act as a mentor and help monitor your systems. A third party takes that extra monitoring load off IT’s plate and educates the community hospital on the need to comply with regulations. A service like this can train new employees and conduct ongoing, targeted training that is more efficient. A third party can see that a certain region or department had the most violations in a specific time period and then provide training on proper use to protect both patient data and the organization.
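The kind of monitoring steps 1 and 3 describe, as an added example that is not code from the article or from FairWarning: each patient-record access in an EHR audit log is checked against a care-team table, accesses with no documented treatment relationship are flagged as violations (privileged IT accounts included), and the violations are counted per department and month so the reviewer can target training. The log format, the care-team table and all records are constructed for illustration.

```python
"""Added example (not from the article or FairWarning): flag patient-record
accesses that lack a documented care relationship, then rank departments by
violation count per month. Log format and care-team table are constructed."""
from collections import Counter
from datetime import datetime

# Constructed EHR audit records: timestamp, user, department, patient, action
AUDIT_LOG = """\
2023-03-02T08:15:00,jdoe,Cardiology,P1001,view
2023-03-02T08:20:00,jdoe,Cardiology,P2002,view
2023-03-03T22:41:00,admin1,IT,P1001,export
2023-03-04T09:05:00,msmith,Radiology,P3003,view
2023-03-04T09:07:00,msmith,Radiology,P1001,view
2023-04-01T10:00:00,jdoe,Cardiology,P2002,view
2023-04-01T10:30:00,admin1,IT,P3003,view
"""

# Constructed care-team table: users with a treatment relationship per patient
CARE_TEAM = {
    "P1001": {"jdoe"},
    "P2002": {"jdoe"},
    "P3003": {"msmith"},
}

def parse_log(text):
    """Yield (timestamp, user, department, patient, action) per audit line."""
    for line in text.splitlines():
        ts, user, dept, patient, action = line.split(",")
        yield datetime.fromisoformat(ts), user, dept, patient, action

def find_violations(text, care_team):
    """Return (month, user, dept, patient, action) for every access by a user
    who is not on the patient's care team. Privileged accounts are not
    exempt: an IT login exporting a chart is the insider misuse the article
    warns about, whether careless or malicious."""
    out = []
    for ts, user, dept, patient, action in parse_log(text):
        if user not in care_team.get(patient, set()):
            out.append((ts.strftime("%Y-%m"), user, dept, patient, action))
    return out

def violations_by_department(violations):
    """Count violations per (month, department) so a reviewer can see which
    department needs targeted training in a given period."""
    return Counter((month, dept) for month, _, dept, _, _ in violations)

if __name__ == "__main__":
    found = find_violations(AUDIT_LOG, CARE_TEAM)
    for (month, dept), n in violations_by_department(found).most_common():
        print(f"{month} {dept}: {n} violation(s)")
```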

Small But Strong
Small and regional hospitals are at a disadvantage compared to their larger counterparts when it comes to compliance and security. But they have to abide by healthcare regulations, too, or risk not only fines but loss of patient trust as well – which is so crucial in a healthcare setting. Use the three steps noted above to stretch resources further and strengthen your data security and privacy.