Healthcare Risk Insights: Protecting Patient Data by Preventing Cyber Attacks

Aerial view of doctor stethoscope and computer laptop

The threat of a data breach in a healthcare facility is daunting. Privacy is the foundation of hospitals’ information systems, and compliance with the Health Insurance Portability and Accountability Act (HIPAA) — along with the facility’s reputation — will be jeopardized if just one patient’s information falls into the wrong hands. Healthcare facilities are particular targets for two reasons:

  • Type of Data Stored. Healthcare facilities may keep a patient’s social security number, insurance and financial data, birth date, name, billing address and phone number, making them a valuable target for a cyber attack.

  • Many Potential Vulnerabilities. Healthcare facilities are obligated to provide access to several external networks and web applications in order to stay connected with patients, employees, insurers or business partners. The volume of data shared represents a serious risk.

It is much less costly, both from a financial and reputational point-of-view, to prevent a cyber breach than to notify individuals and the Department of Health and Human Services of a breach as required by the Health Information Technology for Economic and Clinical Health Act (HITECH). As a result, administration must respond by preventing, detecting and responding to cyber attacks or misuse of patient records through a well-orchestrated cybersecurity program.

What are the risks?

The first steps in protecting your business is to recognize the parts of your processes that are prone to cyber attack.

Applications and Systems. External applications and systems are ripe for improper access to sensitive patient data. Since administrators do not have complete control over the security of external applications, facilities should perform web application security testing on a regular basis.

Software Flaws. Weaknesses in software and computer systems attract hackers and intruders. The results of this cyber risk can range from minimal mischief-such as creating a virus with no negative impact-to malicious activity-stealing or altering information. Intrusion prevention and detection systems can alert you of cyber attacks and allow you to respond in real time.

Malicious Code (Viruses, Worms & Trojan Horses). There are various types of malicious code that can put your organization at risk:

  • Viruses. This type of code requires the user take action before it can infect your system, such as opening an email attachment or going to a particular webpage.

  • Worms. This code propagates systems without user intervention. They typically begin by exploiting a software flaw or weakness. Once the victim’s computer is infected, the worm will attempt to find and infect other computers.

  • Trojan Horses. This code is software that claims to be one thing while it is acting differently behind the scenes (for example, a program that claims to speed up your computer system but is actually sending confidential information to a remote intruder).

Email Lacking Encryption. HIPAA guidelines require email communications with physicians’ offices and hospitals be encrypted to protect patient information. Since most communication is now electronic, monitoring these means is especially important. When selecting an email provider, be sure to verify HIPAA compliance.

Insider Attack. Current or former employees ranging from billing clerks to clinicians should understand the consequences for consulting patient records without valid cause. Often employees are simply curious, but implementing processes, such as implementing log monitoring of employee records access can help in effectively preventing this type of risk.

Physical Loss of Information. Another potential risk is the loss of electronics which contain personal information related to patients and employees.

In the event any of these risks were to occur, HITECH calls for notification of the individuals concerned and Health and Human Services (HHS) in a short time span.

Risk Management

In the case of a surprise HHS or HIPAA inspection, facilities must prove they are compliant with all regulations related to HIPAA and HITECH.

Consider the following when implementing risk management strategies:

  • Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a characterization of all systems used at the organization based on their function, the data stored and processed and the importance to the facility.

  • Perform security risk assessments at least on an annual basis and update it whenever there are significant changes to your information systems or the facilities where systems are stored, or when there are other changes that may impact the vulnerability of the organization.

If you have questions on developing your risk management plan or strategies to decrease your cyber risk, contact us today!