Monday, May 18, 2015

Raising Cyber Security Awareness for Healthcare Professionals

A large percentage of the reported breaches can be traced back to human error. Physical security controls break down because a door is left open. Technical controls break down because a user ID or password is posted via a sticky note on a computer monitor, or because account credentials are shared and the task at hand absolutely, positively needs to be done right now.

Professionals working in the healthcare industry possess a zeal for protecting the health of their patients and improving how that support is provided. No legitimate employee wants to intentionally do something to adversely impact the health of a patient.
Health IT is about promoting the use of IT to support the healthcare mission. Health IT is all about providing high-quality care more efficiently, faster and cost effectively by using software and hardware technologies that have transformed countless other industries. However, these technologies cannot be deployed without considering the potential new cyber risks introduced to an organization.

An obvious manifestation of healthcare IT is the continuing transition from paper-based records to digital health records. But it does not end there, as wireless technologies have enabled medical devices to become extended diagnostic and reporting nodes on an increasingly networked IT infrastructure that shares patient medical records, billing records, financial records and burgeoning software applications—all accessing databases housed in common server structures.

How can this extended enterprise be protected? One approach can be extracted from the "Stop. Think. Connect" campaign administered by the U.S. Department of Homeland Security (DHS). The intent is not to make everyone a cyber security expert or to unduly raise fear, uncertainty and doubt—the intent is to bring some sense of awareness of cyber security to the general population. The goal of this campaign is to make someone think—even for half a second—before they take action online.

Do you have a secure connection to the server where you are about to input your credit card information? Are you authorized to access the data records you are about to request? Should you post personal information online for anyone to see? Simply hesitating to consider your actions before blindly clicking on that link can help prevent obvious human errors from occurring.

The board of directors of a healthcare organization has a myriad of concerns—providing sound patient care, maintaining financial viability and leveraging IT to enhance their operations. Just as healthcare professionals run their departments, the IT infrastructure should be run by cyber security experts who are cognizant of the constantly evolving threats and capable of mitigating the resultant risks to the organization. As there is never enough budget or staff to throw at a non-mission-essential, yet critical, area such as cyber security—how can the board cope?

Raise the cyber security awareness of the overall organization with role-appropriate cognizance of the consequences of individual actions and how easily one click on an inappropriate link can compromise an entire network—ultimately leading to the compromise of personal health records.

What is one effective way to overcome this challenge? Establish a cyber security awareness program.

Creating and operating a cyber security awareness program helps individuals realize that they play key roles in protecting the digital health of patients—just as they play direct roles in protecting the physical health of patients.

Wednesday, May 6, 2015

What will it take to prioritize security in HealthCare?

With security breaches dominating news headlines daily, those responsible for securing our systems, networks, and devices are struggling to keep pace with the evolving threat landscape. Perhaps some of the most concerning potential breach data comes from the healthcare industry where we entrust our most personal information—social security number, birth date, medical history—as well as our immediate family members’ sensitive information to medical care providers. Further, medical devices rely on secure IT networks to function properly and deliver continuous, critical care to patients with heart conditions, diabetes, and other ailments. In the event of a security breach, the malfunction of devices could have potentially life-threatening consequences.
So what can we do to create a more secure environment for protected health information and equip healthcare IT staff with the security skills they need to fulfill this task?

First, we must start with a level of awareness. Calling attention to the alarming number of data breaches in today’s healthcare industry certainly helps the cause. According to Redspin’s Breach Report 2013 – Protected Health Information (PHI), the number of PHI breaches was up 138 percent from 2012, with 199 incidents reported to the U.S. Department of Health and Human Services (HHS), impacting over 7 million patient records. HHS even has a “wall of shame” webpage for the world to see, listing U.S. healthcare organizations that have had a security breach of protected health information affecting more than 500 individuals.

Part of the problem with security awareness lies in current processes, which don’t take into account how to mitigate fraud or medical identity theft. If a patient’s healthcare record is compromised by someone who stole the identity to receive care, and consequently had false information entered into that patient’s electronic health record, there’s no process in place that allows medical providers to go in and fix the record, because it’s considered a legal document. Right now, we’re still at the awareness level for security, and what has to be done is to help hospitals and other healthcare organizations recognize when an instance of medical identity theft has occurred so they can improve processes to protect patients.

Medical records are more susceptible to identity theft because the online systems for medical records and the networks on which they operate are not as locked down and sophisticated as other industries. We must also realize that healthcare is one of the last industries to move data from paper to online systems. Many physicians still use paper records for their patients. And others are only beginning the process of transitioning patient records to digital systems.

When it comes to educating healthcare IT staff, they need the resources, experience, and continuous drive to ensure they possess the latest knowledge and skills required to secure protected health information. Many healthcare IT professionals have stressed the lack of security, even at the basic awareness level, in their organizations.

Let’s face it, making security a priority for the healthcare industry won’t happen overnight. It will require a concerted effort that begins with security awareness, followed by education and training of healthcare IT staff, and finally adoption and acceptance from the healthcare industry to create a secure digital environment for protected health information.