
(SPONSORED) Addressing the epidemic of data loss in healthcare

By Ipswitch

Healthcare organizations are dealing with an epidemic of threats to the security of electronic health records (EHR). From breaches to ransomware to employee data violations, securing healthcare data while meeting data privacy compliance demands is under a heightened threat level.

Rise of the healthcare epidemic

A perfect storm of events is causing an increase in cybercrime: national laws and policies have encouraged healthcare organizations to move to EHR (98 percent of hospitals in the US); technology is available to ease the transition to EHR; and EHR has a high value on the black market (FBI Cyber Division Private Industry Notification #140408-009, 8 Apr. 2014, puts the value at $50 for each partial EHR).

In addition, there is increased pressure to innovate to stay competitive by delivering differentiated services. Healthcare organizations are now leveraging technology and information systems to reduce costs, improve the quality of care and make it easier for patients to be proactive in their own healthcare. This has revealed new capabilities for healthcare staff to do their jobs more efficiently, but with every technology advancement comes the challenge of ensuring that the technology is easy to use, reliable and secure.

While cyber criminals are a growing threat, as seen in the recent ransomware debacles, they can’t be the only area of focus in protecting EHR. In the recent 2016 State of Data Security and Compliance Report published by Ipswitch, Inc., more than 500 IT professionals (91 in healthcare organizations) from around the world were surveyed about their data security policies. Those in healthcare organizations that identified as having experienced a significant data loss noted that only 20 percent was due to malicious activities, while 45 percent was due to human error and 35 percent due to process or network failure. Interestingly, in that same report only 34 percent in healthcare reported their organization as very efficient in identifying risks and 42 percent as very efficient in mitigating risks.

No silver bullet to protect EHRs

There’s general agreement in the IT community that, given the complexity of modern healthcare technology, there is no silver bullet for EHR data protection. Employee behavior is a critical risk, including loss of personal devices without adequate access control or EHR data encryption, and employees' unknowing participation in social-engineering exploits. And while more than 80 percent of hospitals in the U.S. have electronic medical records (EMR) systems (4567 of 5627) that offer protection of EHR, there’s a continued need to securely send and receive EHR externally. EHR is increasingly vulnerable when in motion outside of protected healthcare infrastructure.

HIPAA/HITECH identifies IT controls to protect data including encryption, network perimeter defense, effective access control and employee training, and yet data loss is a growing trend. A deputy CISO from a large healthcare organization at the recent Secure World Conference in Boston said that his primary focus is no longer on HIPAA compliance. It’s just a given that any new technology they consider must comply. He’s now more interested when talking with technology vendors about their capabilities to help identify and mitigate risks.

To learn more, join the upcoming HIMSS Media webinar, Combatting the Epidemic of Healthcare Data Threats with John Houston, VP Information Security & Privacy, UPMC (University of Pennsylvania Medical Center). During the webinar, you’ll learn:

  • What are the essential IT controls to protect healthcare data-in-motion?
  • What are tips and tricks to cost-effectively pass your next audit?
  • What are practical strategies including automation to cost-effectively reduce data loss? 
  • Which file transfer and sharing technologies help or hurt your data protection? 

For additional resources on how you can protect your EHR data-in-motion, visit:

https://www.ipswitch.com/resources/case-studies/rochester-general-relies-on-moveit-to-transfer-medical-records-and-meet-hippa-hitech-compliance