The multichannel nature of healthcare today has made it susceptible to both physical and virtual forms of attack. While cybersecurity is increasingly becoming a major concern for healthcare entities, there are many areas of weakness that have yet to be addressed. They include:
At the HIMSS19 conference, the Office for Civil Rights (OCR) revealed that email phishing attacks were the main source of electronic health information (EHI) record breaches in the US. In a study titled Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions, Dr. William Gordon and his team found that of the 2.9 million simulated phishing emails sent to employees at six US hospitals, more than fourteen percent were clicked on by employees. All in all, approximately one in seven emails attracted a click. The researchers recommend that organizations adopt spam filtering technologies, deploy multi-factor authentication, and raise security awareness through simulations and training.
Data encryption is one of the most common lines of defense against security breaches in most industries. However, a study conducted by the Ponemon Institute revealed that while the largest increase in data encryption over the past year occurred in the healthcare and pharma industry, healthcare remains one of the industries least likely to encrypt its information. More specifically, the study showed that only about 50 percent of payment-related data, HR data, intellectual property and financial records are encrypted globally. More surprising still, only 42 percent of customer information and 26 percent of healthcare information are encrypted.
Furthermore, the reasons why data encryption has proven to be a challenge include a lack of key management, a shortage of skilled employees, and fragmented systems. Data encryption requires organized key management systems, infrastructure and processes. Another area in which some healthcare entities fall short is the ability to identify and classify sensitive data. To address this, healthcare officials should establish guidelines that help organizations determine information sensitivity and encryption needs.
According to the College of Healthcare Information Management Executives (CHIME), HIPAA compliance is not enough to prevent data breaches. Nevertheless, there is a common misconception that as long as organizations are HIPAA compliant, they are safe. Legally, this may be true, but there remains the question of reputation and patient care. Complying with HIPAA is a minimum requirement and only means that organizations are not legally liable.
For this reason, it is important that healthcare providers ensure that concern over compliance does not divert focus and resources from other security requirements. It is also important that the Department of Health and Human Services provide more guidance to healthcare entities to help them eliminate threats and minimize risks.