Why Are Healthcare Breaches on the Rise? (Part 2)

By James Christiansen

In my last blog post, I discussed how the visibility of electronic healthcare records (EHR), and the lucrative financial gain attackers can realize by stealing those records, have led to an increase in healthcare breaches. In this post I will explain why securing the records can be challenging, and what needs to be done in the industry to protect patients’ information.

The Difficulty of Securing Healthcare Records

Securing healthcare records can be a daunting task. Healthcare records contain a great deal of unstructured clinical data. Protected health information (PHI) in that data is more difficult to identify than an account number or social security number. In addition, the data flows across an entire healthcare ecosystem: from the doctors and nurses doing direct patient care, to the labs performing analysis, to back-office billing and insurance claims, to business associates providing their services. There is also great demand for the use of iPads and tablets as part of patient care, and securing patient data on these devices is a unique challenge. In many hospitals the doctors are not employees but contractors of the hospital, making it more difficult to implement a ubiquitous solution.

What Needs To Be Done?

Healthcare association administrators must understand that part of quality care involves protecting patient health information. They need to invest in their security organization’s staff and their security programs to protect the information. Healthcare security professionals are amongst the lowest paid in the profession. Healthcare CISOs must be empowered by being placed high enough in the organization that they can influence operations and assist the management team in making informed decisions regarding healthcare data security. Healthcare entities and business associates need to have three key building blocks for security:

  1. Create a security strategy that aligns the security program with the healthcare culture and goals.
  2. Understand the real threats to the healthcare systems and patient data by reviewing the threat landscape that is impacting the safety of patients and their sensitive information.
  3. Take a holistic approach to security. Don’t allow the security program to be sidetracked by media reports. The security program should always have the strategic goals in mind and should be adjusted as needed for changing threats and business conditions.

Organizations should start by understanding their goals for growth, new markets and culture. Then, they need to review the real threats facing the organization with a risk assessment and risk analysis to meet the requirements of the HIPAA Security Rule, 45 CFR 164.308(a)(1). Finally, organizations should use the analysis as a foundation for the current maturity of their program and to guide the strategy implementation.

Once a CISO is able to speak to the healthcare administration staff with information that relates directly to their goals and culture, they will be much more successful.