“Cyber Safety is Patient Safety” is the mantra this year during Patient Safety Awareness Week, March 13 to 19, 2022. This special week was established to raise awareness of the importance of securing patient data among healthcare providers and other healthcare organizations and their employees. It also reinforces the fact that the safety of your patients—the security and privacy of their data—depends on good security practices in your office.
The U.S. Department of Health and Human Services has created a program titled HHS 405(d) to bring cybersecurity awareness to the top of mind in the healthcare sector. They’ve posted lots of content and materials for use by healthcare professionals, and this blog is based on their complimentary content. Please continue reading to learn more about keeping your patient data safe and secure.
Effective cybersecurity depends on every employee being vigilant and maintaining a secure environment that protects your patients’ PHI and PII. Healthcare organizations increasingly transmit data electronically, through mobile devices, cloud-based applications, medical devices, and technology systems. Hackers are constantly probing to breach our security defenses, so it’s important to secure these tools. Every employee needs to understand the threats, the risks, and the actions they should take to secure patient data.
Reason 1 - Cybersecurity lowers your risk. Healthcare professionals know how vitally important hand-washing is in reducing the spread of disease. And just like washing your hands can reduce germs in your office, good cybersecurity practices can reduce security vulnerabilities, which in turn helps reduce your risk. By helping to reduce the risk of cyber-attacks and data breaches, good cybersecurity practices keep patient data more secure.
Reason 2 - Cybersecurity can save you money. HIPAA compliance is not optional, and the Security Rule is very specific as to the actions you must take to protect patient data. Dozens of healthcare organizations are fined every year by the Department of Health and Human Services Office for Civil Rights, which is authorized to fine violators up to $1.5 million per year until violations are resolved. In 2020, the average cost of a healthcare data breach was $7.13 million, with fines representing a portion of that cost. Other costs include data breach detection and response activities, legal fees, victim notification, lost revenue, and public relations damage control.
Reason 3 - Cyber-attacks reduce your effectiveness. The results of poor security can affect your ability to provide quality patient care and life-saving techniques. They can also impact your ability to share patient data electronically with other healthcare entities. This happens when cyber criminals attack your networks, computer systems, and databases. Today, patient wellness includes protecting your technology and infrastructure in order to secure patient data. It also includes training employees to be cyber smart.
Reason 4 - Cyber threats are more complicated. The increased complexity of cyberattacks demands that solid security tools and best security practices be implemented to keep your organization and patients safe. Ransomware and other common attacks rely heavily on social engineering techniques to gain access to patient data. In addition to deploying robust cybersecurity practices throughout the organization, you need to develop thorough security policies and procedures with complete documentation, and actively train all employees to recognize and repel cyber threats.
Fact: More than half of all healthcare organizations have at least 1,000 files that are open to every employee. Not every employee needs access to those files to do their job, but too often access permissions are not changed when employee roles change. This is contrary to basic security best practices in any industry—not just healthcare.
Fact: Over three-quarters (79%) of healthcare organizations have 1,000 or more “ghost” users still enabled. Typically, these are former employees whose access credentials remain active because they were never removed from the user directory. Again, this is contrary to basic security in any industry—not just healthcare.
Fact: Two-thirds of healthcare organizations admit to having at least 500 accounts with passwords that never expire. Once again, this is contrary to basic security policy in all industries, including healthcare. According to Statista, 12% of data breaches result from stolen access credentials.
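The three facts above describe conditions an organization can check for itself: files readable by every employee, “ghost” accounts of departed staff that are still enabled, and passwords set to never expire. The following audit script is an added example, not code from this post or from the HHS 405(d) Program. It runs over a small constructed export of user records and file-share permissions; the field names (`enabled`, `termination_date`, `password_never_expires`, `principals`) and the broad-access group names (`Everyone`, `Domain Users`, `All Staff`) are assumptions, and a real export from Active Directory, a cloud identity provider, or a file server would need to be mapped onto them.

```python
"""Audit a user-directory export and a file-share ACL export for three
access-hygiene failures: overly broad file access, ghost users, and
passwords that never expire.

Added example; the record layout and group names are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class UserRecord:
    username: str
    enabled: bool
    termination_date: Optional[date]   # set by HR when the person leaves; None if current
    password_never_expires: bool


@dataclass
class FileAcl:
    path: str
    principals: Set[str]               # groups or users granted access to the path


# Constructed sample data (assumed layout; not from any real organization).
SAMPLE_USERS: List[UserRecord] = [
    UserRecord("alice", True, None, False),
    UserRecord("bob", True, date(2021, 12, 15), False),          # left, still enabled
    UserRecord("carol", False, date(2021, 6, 30), False),        # left, correctly disabled
    UserRecord("svc_backup", True, None, True),                   # service account, no expiry
    UserRecord("dave", True, date(2022, 1, 31), True),           # left AND no expiry
]

SAMPLE_ACLS: List[FileAcl] = [
    FileAcl("/shares/patients/records", {"Everyone"}),
    FileAcl("/shares/billing", {"Billing-Staff"}),
    FileAcl("/shares/general", {"Domain Users", "IT-Admins"}),
]

# Principals that effectively mean "every employee" (assumed names).
BROAD_PRINCIPALS = frozenset({"Everyone", "Domain Users", "All Staff"})


def ghost_users(users: List[UserRecord], today: date) -> List[str]:
    """Enabled accounts whose HR termination date is in the past."""
    return sorted(
        u.username for u in users
        if u.enabled and u.termination_date is not None and u.termination_date <= today
    )


def never_expiring_passwords(users: List[UserRecord]) -> List[str]:
    """Enabled accounts whose password is flagged to never expire."""
    return sorted(u.username for u in users if u.enabled and u.password_never_expires)


def open_to_everyone(acls: List[FileAcl], broad=BROAD_PRINCIPALS) -> List[str]:
    """Paths where any granted principal is a catch-all group."""
    return sorted(a.path for a in acls if a.principals & broad)


def audit(users: List[UserRecord], acls: List[FileAcl], today: date) -> Dict[str, List[str]]:
    """Run all three checks and return the findings keyed by check name."""
    return {
        "ghost_users": ghost_users(users, today),
        "never_expiring_passwords": never_expiring_passwords(users),
        "open_to_everyone": open_to_everyone(acls),
    }


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_USERS, SAMPLE_ACLS, date(2022, 3, 14)).items():
        print(f"{check}: {len(findings)} finding(s)")
        for item in findings:
            print(f"  - {item}")
```

Each check is deliberately a separate function so the findings can be fed into whatever remediation or ticketing process the organization already uses: disable and review the ghost accounts, move never-expiring credentials onto a rotation schedule (or a managed service account), and replace catch-all groups on patient-data shares with role-specific ones.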
Securing patient data in your office or organization is not just a security best practice—it is a requirement of HIPAA compliance, and the HIPAA Security Rule specifically. The human element is perhaps the most important component of robust cybersecurity, and yet is the weakest link in the security chain. However, healthcare providers can turn that weak link into a solid line of defense by training their employees, retaining them, and reminding them.
This week is Patient Safety Awareness Week, created to raise security awareness among healthcare organizations and their employees, with special emphasis on securing patient data. Besides being a cybersecurity best practice, the benefits of a robust security program include improving HIPAA compliance and lowering the risk of a costly and embarrassing data breach.
Healthcare employers are responsible for complying with the numerous requirements of the HIPAA Security Rule. Engaging their employees in securing patient data is an essential element of that compliance. To assist you in strengthening your organization’s cybersecurity, the HHS 405(d) Program offers complimentary materials on its website. You can also contact the cybersecurity and compliance professionals at 24By7Security for expert assistance.