The Harsh Reality about Healthcare Security Breaches
As of August 18, 2015, total data breaches as reported by the Identity Theft Resource Center (ITRC) are up 2% this year, not including the recent Ashley Madison data breach. (Full ITRC Report) Of the 505 reported data breaches, 35% (176) were in the healthcare industry. Of the 139 million records exposed, 78% (109 million) came from healthcare breaches.
Hospitals house a tremendous amount of personal data, including financial data, social security numbers and, of course, health information. The Ponemon Institute, in its May report, estimated the cost of a healthcare data security breach this year at $300 per record on average. Using that average, the cost of healthcare data security breaches so far this year totals $32.7 billion.
Understanding Healthcare Cybersecurity
Cybersecurity is more important than ever. What can the healthcare industry do to prevent security breaches? There is no bullet-proof method to prevent a data breach. However, there are numerous guidelines in place to safeguard protected health information (PHI) – just to name a few:
- Secure passwords
- Access controls
- Proper data destruction
- Antivirus protection
Security Begins with People
Let’s get real, though. Security begins with people. So much time, money and effort is spent on putting in place and maintaining the right technical requirements for cybersecurity – well-spent time, money and effort, but wasted if the proper training isn’t implemented as well. How many people have sat through detailed, systematic but eminently boring cybersecurity training? Change your passwords, follow these 50 rules, don’t do this, never ever do that… and now everyone checks the box that their training is complete for the year.
Let’s say it again – security begins with people. Implement security awareness training for anyone who uses a computer. The biggest oversight most healthcare organizations make is neglecting the training of end users. Then ask the following questions:
- How much information was retained from the training provided?
- Are people invested in maintaining security?
- Do they know how important they are to the process?
- Do they know that they can make changes that will help overall security?
- Do they have a forum to discuss changes?
- How can the healthcare industry make this happen?
Make Security Real
One thing healthcare companies can do to implement effective cybersecurity procedures is relate security to people. Ask employees questions, allow for feedback, and help them understand that what they do every day makes a difference and that small changes on their part can have a big impact. They know the risks better than anyone and are best placed to raise potential security issues and help address them. Give them real-world examples that make security relatable to their everyday lives and paint a picture of security everyone can understand. Do they leave bank statements lying around in public places? Was the last argument they had with their significant other broadcast live via Periscope for the world to watch? Those personal matters relate directly to protecting PHI in paper form and in conversations that can be overheard. They are just the beginning of understanding all that goes into cybersecurity and data security.
Risk management is essential. Play the “what if” game, also known as risk management scenarios. This is another area where providing understanding rather than rules to memorize is the key. An inane example I recently used was for my daughter heading off to college for the first time. I asked her the following: what if she were doing all her laundry at once and the dryer caught fire with everything she owned except the clothes she was wearing? After looking at me like I was crazy, she ran through some possible outcomes. She suggested desperately trying to pull clothes from a burning dryer (no). She then suggested that she should address the fire, with an extinguisher and a 911 call, and then call me for money for new clothes (that works). Guess what: she just did risk management. She envisioned a scenario and provided procedures to enact should such a scenario occur. The basic outline for risk management can be broken down very simply. Play “what if” to get a scenario and then follow the simple flow chart:
The threat of cyber attacks continues to grow. With an ever-increasing number of internet-connected devices accessing our networks, attackers have more ways than ever to exploit vulnerable systems and steal information. On the bright side, there are many ways healthcare organizations can improve cybersecurity – technical, physical and training. For best results, start with the people who will use these controls every day and follow the tips above.