Mounting security threats up the ante on healthcare incident response
Data security is top of mind for every healthcare organization. That’s no surprise given the ever-increasing frequency of breaches and cyberattacks. According to the Department of Health and Human Services’ Office for Civil Rights, as of June 2016 there were 142 data breaches reported – 48 due to unauthorized access, 43 due to hacking/network server incidents, 37 from lost/stolen devices and 4 from improper records disposal.
Healthcare remains an appealing target for cybercriminals: it is an industry rife with data that is valuable to the organizations that hold it and even more valuable to malicious hackers. That’s why cyber incidents will remain a significant problem and a trend that, unfortunately, will only continue to increase.
To make matters worse, a recent study by researchers at three leading universities concluded that additional threats are coming from within ‘the house’ as clinicians and other staff are taking shortcuts and finding workarounds to security measures in an attempt to deliver better patient care.
Automated incident response is the answer
To address growing cyberthreats, the federal government has instituted mandatory data breach reporting and steep financial penalties for PHI (protected health information) breaches. When it comes to reporting and ensuring continuous improvement to guard against future risk to data security, the number-one best practice today is a well-conceived, executable and automated incident response plan (IRP).
Move away from manual processes
While seven in ten providers have an IRP in place, most are still based on manual, labor-intensive, error-prone processes. A plan is only as good as its ease of execution. That’s why healthcare providers must embrace change and let go of manual processes in favor of an automated IRP workflow that better protects patient data.
Securing data and information is the chief reason to automate IRP workflow. But ROI is another big factor. With automation, you get more accurate information about threats and breaches sooner, so that you can avoid costly breaches and fines in the first place. On average, healthcare providers are set back $2.2 million per breach incident, with an average cost per patient record of around $700. Those are big numbers over time when compared to the investment in automation.
Speed and process improvement are more reasons to automate. With an automated IRP, your response team can execute faster for quicker resolution than with manual processes. Automation also enables leadership and other key stakeholders to apply analytics and intelligence to support and measure continuous process improvement.
One final benefit of an automated IRP is that it can afford all users a simple incident reporting tool across the healthcare enterprise. This means that anyone, be it doctor, pharmacist or nurse, who notices a potential security issue can immediately trigger an automated IRP that notifies front-line responder teams, who can then escalate the response if warranted.
Take a comprehensive planning approach
An IRP is just one piece of the security response puzzle. It takes more than this to ensure a comprehensive response plan. That’s why an effective incident response plan typically covers three important aspects – people, process and data.
Regarding people, it’s crucial that the roles of each person handling patient data are well identified, including all clinical staff, billing and administrative personnel, insurance agents, IT personnel, outside vendors, contractors, and others.
In terms of process, it’s important to clearly outline all workflows, including those tied to patients entering the ER, and the processes for admission, diagnosis and discharge. A vital part of the workflow also includes identifying who is responsible for inputting information into the system and how that information is safeguarded.
Lastly, pertaining to data, you need to segment the different classes of data across the healthcare enterprise. This includes both data in motion and data at rest. Data in motion refers to data that’s moving through the network, including wireless transmissions, whether by e-mail or structured electronic interchange. Data at rest is data that resides in databases, file systems, flash drives, memory, and any other structured storage. In addition, there’s data in use – data that’s in the process of being created, retrieved, updated, or deleted. And, finally, there’s disposed data, which includes discarded paper records and recycled electronic media.
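To make the reporting-and-escalation workflow above concrete, here is an added example (not code from the article or any vendor product) of the first automated step an IRP might run when any staff member files a report: it tags the report with the data state from the classification above, notifies front-line responders, and decides whether to escalate. The responder roles, the 500-record threshold and the escalation rules are constructed for the example; the $700-per-record figure is the article’s own estimate and is used only to size exposure.

```python
from dataclasses import dataclass, field
from enum import Enum


class DataState(Enum):
    """Data classes from the planning section of the article."""
    IN_MOTION = "in motion"
    AT_REST = "at rest"
    IN_USE = "in use"
    DISPOSED = "disposed"


# Constructed front-line responder roles notified on every report (assumption).
FRONT_LINE = ["privacy officer", "security on-call"]
# Average cost per patient record cited in the article; illustrative only.
COST_PER_RECORD = 700
# Constructed escalation threshold for this example.
ESCALATION_RECORDS = 500


@dataclass
class Report:
    reporter_role: str          # e.g. "nurse", "pharmacist", "doctor"
    description: str
    data_state: DataState
    records_affected: int
    phi_involved: bool
    actions: list = field(default_factory=list)


def triage(report: Report) -> dict:
    """Notify front-line responders, estimate exposure, and decide on escalation.

    Rules (constructed): escalate when PHI is involved and either many records
    are affected or the data has already left controlled storage, i.e. it was
    in motion (sent/transmitted) or disposed (discarded media or paper).
    """
    report.actions.append("notify " + ", ".join(FRONT_LINE))
    estimated_cost = report.records_affected * COST_PER_RECORD if report.phi_involved else 0
    escalate = report.phi_involved and (
        report.records_affected >= ESCALATION_RECORDS
        or report.data_state in (DataState.IN_MOTION, DataState.DISPOSED)
    )
    if escalate:
        report.actions.append("escalate to incident commander; start breach assessment")
    return {"escalate": escalate, "estimated_cost": estimated_cost, "actions": report.actions}
```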
Encourage the entire organization to embrace security measures
For healthcare organizations to make it in today’s high-risk climate, in addition to automation and process change there must be a shift in mindset and culture. Today’s security measures won’t be enough to thwart tomorrow’s criminals. The bad guys are always probing, testing, and looking for ways to exploit the system.
That’s why everyone in the organization must agree that privacy and security are a process, not an event! Budgets need to reflect this reality and adjust to the growing threats out there in the world. Investment and continuous improvement are the building blocks of stronger security and response.
No healthcare organization can afford to get hacked, breached or compromised. If you and your team share this outlook, then it becomes a priority to invest in tools, such as automated IRP workflow, to ramp up your response to growing data security threats.