Recently, Premera Blue Cross, a health plan in the Pacific Northwest, was hit with the second-biggest cyberattack in healthcare industry history, exposing the personal, financial and medical information of more than 11 million customers. Only six weeks before, Anthem, the nation’s largest investor-owned healthcare organization, announced that it had been the victim of a breach subjecting nearly 80 million records of customers to exposure.
Although these breaches are becoming more and more common in the healthcare industry, they’re nothing new. Before Premera and Anthem, there was the 2014 attack by Chinese hackers at Community Health Systems that exposed medical records of 4.5 million patients, according to a regulatory filing from Community Health Systems, a publicly traded company that runs 206 hospitals in 29 states. And before that was the theft of laptops resulting in the exposure of 840,000 Blue Cross/Blue Shield of New Jersey subscribers.
“Over 75% of all security incidences target five key industries–one of which is healthcare–and it’s quickly moving towards the top of the list with high profile breaches that have recently made the news,” said Tim Appleby, Security Sales Enablement Program Manager, IBM Security Systems. “We’re convinced that the healthcare industry should address the challenge of digital security in a long-term, strategic way, using a multi-layered approach to prevent the likelihood of an attack using intelligence and analytics around stored patient data, detect unusual patterns to catch intrusions before they get too far, and update incident response plans to quickly respond to and arrest the attack.”
Whether the source is external, internal or the simple misplacement of information, the threat of data breaches facing healthcare organizations is not a new thing and definitely not something that will go away anytime soon. So, how do healthcare organizations best protect themselves and, most of all, their patients?
Here are three ways hospitals can start rethinking their security strategy:
- Begin security risk assessment: Start by analyzing everything that’s done within the healthcare organization. Look at policies and procedures, and assess data at rest and how it’s being stored and how the systems are set up. Understanding the architecture of the infrastructure is important in order to see what has been set up properly and what hasn’t, and where there are security holes. Understand where the business is at today and what steps are needed to assess its security.
- Leverage encryption technology and security services: Patient healthcare information is necessary to make the most accurate diagnoses and provide the best treatment. It may be shared among insurance companies, pharmacies, researchers and employers, for many reasons, but obviously it should not be shared with others. As you adopt new health IT to enhance the quality and efficiency of care, it is equally important to reassess your health information security policies, including encrypting patient healthcare information, data and patient records. By encrypting information and leveraging security services, you can identify risks as well as protect electronic health information.
- Be prepared for assessments and audits: Regulations concerning the protection of patients’ medical records are issued by the U.S. Department of Health and Human Services in the HIPAA Rules. In order to comply with new HIPAA rules, healthcare organizations must show their assessments and their policies and procedures.
With security being the top concern in healthcare today, make sure you are equipped with the most up-to-date information and technology by attending HIMSS15, the year’s largest and most important healthcare IT conference in the United States, April 12-16, in Chicago.
Join Avnet, alongside more than 38,000 healthcare IT professionals, clinicians, executives and vendors from around the world, in booth #5085 to learn more about how we work with our business partners to align industry-leading technologies with fast-changing healthcare and business demands to better engage consumers and improve core processes.
Date: March 27, 2015