Although healthcare organizations handle a great deal of highly sensitive personal information, new reports show a troubling lack of awareness and training in the areas of security regulation and policies in U.S. and Canadian institutions. Because the level of security awareness is inversely related to breach risk, this could present serious difficulties for healthcare providers attempting to maintain compliance and keep patient information safe from cybersecurity threats.
The Extent of the Problem
The medical sector is subject to twice as many attacks as other industries, likely due to the high value hackers place on medical records, but healthcare employees may not be getting the information they need to follow cybersecurity best practices. According to part two of Kaspersky’s State of Cybersecurity in Healthcare report:
• 40% of North American healthcare workers aren’t informed about any cybersecurity measures in place to protect workplace IT devices
• 32% of employees know a cybersecurity policy exists but have only read it once
• 32% haven’t gotten any cybersecurity training
• Only 29% could properly identify the meaning of the HIPAA Security Rule
• 1 in 10 managers are unaware of cybersecurity policies within their organizations
In another report focusing on ransomware, healthcare employees were presented with a hypothetical situation in which a third party requested protected patient information via e-mail. Twenty-seven percent weren’t sure how to respond or had no problem complying with the request. This shows a distinct absence of crucial cybersecurity knowledge, which is further demonstrated in a study by Wombat Security showing healthcare employees gave incorrect answers to 23% of questions regarding IT security best practices. This places the industry just behind hospitality in its inability to identify a proper approach to securing sensitive data.
Introducing Better Training
An increase in training is necessary to start correcting healthcare security problems, but not all employees agree. Among those in the U.S., 19% don’t think cybersecurity training is necessary. However, another 19% of employees agree they could use more training. It’s up to employers to begin creating workplace cultures designed to encourage security, starting with robust employee onboarding programs and continuing with relevant training to maintain awareness of emerging threats.
Employees should know:
• Procedures for the proper collection, storage, transmission and protection of patient records
• How to manage passwords and devices securely
• The details of HIPAA and other privacy regulations
• Best practices for compliance, including administrative procedures, technical safeguards and physical protection of devices and records
Protecting Ubiquitous IT Devices
Healthcare organizations rely on a multitude of devices to manage patient care on a daily basis. Employees use computers, laptops and mobile devices to access and amend health records, and many procedures require complex machinery made to collect information about patients’ health.
Any of these devices could be hacked if even the smallest security loophole exists, but digital protection isn’t the only concern. Theft or unauthorized access could easily occur if employees leave devices unattended without properly safeguarding them. Remote workers present additional security challenges, since many use personal devices for work purposes and don’t always follow security best practices for network access or device management.
Increasing Cybersecurity Budgets
Eighty-two percent of hospitals report dealing with security incidents, but only 5% of a typical budget goes toward cybersecurity efforts. This can create barriers to adopting new, more secure technologies and may be part of the reason why 69% of healthcare organizations are still using some legacy systems. Many of these systems are no longer supported by the original distributors, meaning security upgrades aren’t available and software can’t be updated for protection against new and emerging threats.
However, changes are happening. The Healthcare Information and Management Systems Society (HIMSS) reported cybersecurity budgets were on the rise in 2019. Fifty-five percent of healthcare organizations said they were putting some of their IT budgets toward cybersecurity efforts, and 38% raised their budgets by 5% or more.
Prioritizing Patient Safety
The ultimate goal of any healthcare organization should be to protect patients and do everything possible to ensure positive outcomes. Cybersecurity has become a critical part of this process, with patient confidentiality being of utmost importance. This requires chief information security officers (CISOs) to prevent breaches through the implementation of aggressive and proactive measures for detecting and stopping malicious activity. Executing these procedures from the top down ensures everyone in a healthcare organization is on the same page when it comes to handling threat risks.
As unsettling as security statistics out of the healthcare industry may be, it’s possible to improve the way organizations manage network access and protect patient data. Raising awareness among CISOs, executives and healthcare providers can lead to better risk management and stronger fraud prevention efforts. With new policies in place, the healthcare industry can re-commit to protecting the privacy and well-being of the people it serves.