Ask someone to name the top priority of a healthcare organization and they'll probably say "providing excellent patient care." Ask for a second, and many will now add "IT security." Recent breaches like those at Community Health Systems, Premera Blue Cross and Anthem, which together affected almost 30 percent of the U.S. population in under a year, have turned cyber security into an urgent concern for every healthcare organization.
Consider the repercussions of a single breach: a damaged brand, a widespread loss of patient trust, steep HIPAA fines and the cost of remediation. A cyberattack can be disastrous for any entity handling healthcare data, whether an insurer, hospital or clinic. And concern is not confined to boards of directors and IT teams; many healthcare consumers follow breach news closely and are rightly anxious about their names, Social Security numbers, birthdates and other personal data ending up in criminal hands.
What many people don't realize is how closely security and patient care are connected: strong access control is also essential for informed treatment and good patient outcomes.
In a world where healthcare is increasingly mobile, doctors often need medical data on the spot. Physicians move between hospitals, clinics and private practices, checking patient information from a variety of devices. A host of new telemedicine apps and tools let patients be treated by their own providers no matter where they travel. Staff may need to share test results with another facility or look up the medical history of an unconscious patient in the emergency room. Keeping data available, confidential and intact isn't just a business concern; it is what allows healthcare personnel to deliver the best care possible.
This leaves IT teams with a dual task: implementing security controls that protect electronic protected health information (ePHI) while still letting doctors reach it fast enough to save lives.
Why Stronger Security Equals Stronger Care
Healthcare IT teams already juggle a host of complex responsibilities. Physician opinion carries great weight in technology adoption, and business departments frequently select new solutions and then leave it to IT to fit them into the technology stack in a way that satisfies compliance requirements and protects data.
Recent technological advances also mean security teams must understand the gravity of the vulnerabilities they manage. IoT developments include "smart" medical devices, some of which can act as a conduit into an organization's network. In cybercrime terms, a malicious actor could change the temperature setting on a refrigerator holding biopsy samples or alter the dose delivered by a patient's morphine drip. One real-world example: former Vice President Dick Cheney had a computerized defibrillator implanted to regulate his heart rate and shock his heart back into rhythm if necessary. Because the device could be reprogrammed wirelessly, it was a potential target for attackers, so its remote feature was disabled. That is the trade-off security teams face with connected medical equipment: a remote capability that is convenient for clinicians is also reachable by an adversary, and sometimes the right answer is to turn it off.
Another top challenge facing security teams is keeping login credentials out of criminal hands. Attackers know that valuable data flows between a variety of devices, facilities and departments, and that a stolen or weak credential can hand them the keys to a rich trove of patient data. More than ever, healthcare security teams must give staff safe remote access to EHR/EMR applications and ePHI, and do so in a way that meets the physician's need for speed and flexibility.
The reality is that doctors and administrators expect remote access to healthcare data whenever and wherever they need it. If security and authentication measures get in their way, they will often find a workaround that violates organizational policy and puts the organization and its data at risk, whether that is sharing an account, writing down a password or copying records to an unmanaged device. That is a security gap no team can afford to ignore.
So how can healthcare IT teams keep their data and their patients protected? Here are a few guidelines for proactively minimizing risk before an attack.
- Map where ePHI is stored in the organization and how it is transmitted and accessed. Examine not just technology but people and processes too, including the remote access procedures used by traveling and off-site staff.
- Make an inventory of all medical equipment and devices that connect to networks and data. Take into account any BYOD practices and physician-owned devices that could interact with the organization's systems.
- Identify possible vulnerabilities and security gaps. These could be weak authentication policies, exposed or poorly secured device and application interfaces, or authentication processes so inconvenient that staff route around them.
- Revisit perimeter and remote access protections with the user experience of physicians and administrators in mind. The smoother and simpler a process is, the more likely staff are to follow security and compliance procedures rather than work around them, and current authentication and access technology makes low-friction controls far more achievable than they once were.
In healthcare technology, saving lives and making sound treatment decisions no longer depends on medical expertise alone. IT expertise is equally critical in keeping login credentials, ePHI and medical data both safe and accessible. In the 21st century, stronger security is the baseline for excellent patient care, which makes security solutions a vital part not only of healthcare IT teams' work but of the healthcare organization's mission.