More Americans trust the healthcare industry with their data than trust the government. But with a sharp rise in healthcare data breaches in 2016, there are steps that providers and the public should take to be safe.
Cybersecurity breaches are a growing issue in healthcare. As our contributor Lee Barrett reported earlier this year, a person’s healthcare record is 5 times more valuable on the black market because it contains much more information than someone’s credit card.
Healthcare, of course, isn’t the only part of the economy worried about cybersecurity. To call attention to the need for education and better security measures, the National Cyber Security Alliance (NCSA) celebrates Data Privacy Day each year on January 28.
To highlight Data Privacy Day, The American Journal of Managed Care® (AJMC®) spoke with Dan Konzen, campus chair for the College of Information Systems and Technology at the University of Phoenix. Konzen's center just conducted a poll that found 52% of Americans feel less secure today about their information than they did 5 years ago, and 47% have experienced a breach. When it comes to healthcare cybersecurity, here are 5 things to know:
1. Cybersecurity breaches are increasing each year
Konzen said the number of attacks is increasing, but, fortunately, “As the number of exposures occurs in and out of healthcare, people are more aware.” The best measure of the growing cybersecurity problem can be found on the HHS reporting site, where breaches that affect more than 500 people must be recorded under the HITECH (Health Information Technology for Economic and Clinical Health) Act. Last year saw 316 reportable breaches, which is 17.4% of the total since reporting began in 2009.
2. Training is essential to avoid breaches
Konzen said the best hardware and software won’t prevent an attack if staff are not taught what to look for—especially when using e-mail. But there are other ways security is breached, such as leaving charts where others can see them, or using a sign-in system that leaves patient signatures visible. For patients, Konzen said, these are things to look for to gauge whether your provider has good cybersecurity practices.
3. Cybersecurity is not a “do it yourself” task
For most healthcare providers and systems, Konzen said cybersecurity “is not their wheelhouse.” Most use a third party for their electronic health records (EHR) or for other security training and services. Konzen said a key step after staff training is to have a third party “test” the system to see if employees know what to do when they get a suspicious e-mail. Most breaches, he said, happen due to errors by health system employees, not a breach of the third-party vendor. That said, Konzen recommends a thorough vetting of EHR or other security vendors before health systems sign a contract. Barrett, who is executive director of the Electronic Healthcare Network Accreditation Commission, reports that underwriters are increasingly looking for third-party accreditation.
4. Have a response plan
As Barrett noted recently, the sharp rise in breaches in 2016 means that more and more providers have been affected by them, and he notes that 80% of breaches are discovered by outside groups or audits. Konzen said healthcare providers and health systems must have a response plan in place. Some notification requirements are spelled out by law, but others—both technical steps and efforts to restore public confidence—are not. Right now, the University of Phoenix poll finds 70% of Americans trust the healthcare industry with their data, compared with 41% who trust the government.
5. Join AJMC® to learn more about cybersecurity
The May 4-5, 2017, meeting of the ACO & Emerging Healthcare Delivery Coalition, taking place in Scottsdale, Arizona, will feature a session on cybersecurity issues in healthcare. To learn more about the meeting and to register, visit the ACO Coalition website here. To learn more about the NCSA and Data Privacy Day, visit here.