During a time of great innovation in many industries, one of the biggest developments in the healthcare industry in 2016 was, unfortunately, the rise of cyberattacks, which cost the industry approximately $6 billion. While many healthcare IT companies want to point to the rise of electronic medical records (EMR) as a point of innovative pride, it was also a flashpoint for hackers. It's the unintended consequence of ditching paper records for electronic ones, whether on in-house systems or in the cloud: it's easier to steal or compromise a greater number of records at one time when they're digital.
The U.S. government recognizes this is a large problem and is beginning to take more proactive steps to counter the theft of EMR. In its work plan for 2017, the Department of Health and Human Services' Office of the Inspector General recently announced its intent to investigate how well providers are actually protecting EMR, identifying the privacy and security of this sensitive information as a top management challenge this year.
Why? The Federal Government is finally coming around to what we’ve known in the cybersecurity world for the past several years: technology is evolving too quickly for outdated systems to keep up with hackers. The Internet of Things, wearable devices, and mobile health technology are all muddying the privacy and security waters. Great for innovation, but terrible for cybersecurity.
It’s not that healthcare companies want to be breached – they just haven’t had the resources available to them to stop attacks seemingly coming from all corners. So what are the lessons we can all learn from these threats in order to start protecting ourselves and our patients’ sensitive information?
- Review the security of any EMR before you use it. Don’t think you must only turn to public clouds to store this data: private cloud options are more secure and cost-effective.
- Train employees to recognize cyberthreats and other risks. Employee-caused data breaches, even unintentional ones, are still a top reason protected health information falls into the wrong hands. Show employees what a phishing attack actually looks like, and give them top tips about which data to post to the internet and which not to. Make it “NSFH”: not safe for hackers.
- Back up EMR and other data responsibly so it’s available when a provider needs it, such as when attacked by ransomware. Consider self-encrypting drives to keep hackers out and patient care running in the case of an attack.
- Conduct a penetration test in your current IT environment to look for vulnerabilities that expose electronic patient information. Find out where you should be encrypting data and updating security patches.
- Use access controls. Restrict access to EMR to those who actually need it, and regularly review your audit trails.
We’ll be discussing this at length with those attending HIMSS in February, the largest healthcare IT show in America.
The good news is you don’t have to wait for HIMSS to learn more – contact us today so we can show you how our managed security services for on-premises or cloud environments will extend your IT teams, unburden them, and secure your data.
US Cyber Vault is a leading sponsor of the Cyber Security Command Center at HIMSS 2017 in Orlando, FL, Feb 19-23. You can find us both in the Cybersecurity Command Center at Kiosk 376-13 and in our own flagship booth 487, right next to the Command Center.