Keeping Data Safe - Discussing the Leadership’s Role

The Threat

Electronic health records are rich with personal information about patients: Social Security numbers, banking information, addresses, relatives’ names, age, medications, medical visits, and diagnoses. For these reasons, hackers have focused on stealing medical records, weighing the amount and type of data stored against the security measures in place. An alarming 41,335,889 patient records were leaked during breaches in 2019 alone. Healthcare industry security measures appear to be dated and, in these cases, certainly ineffective. Even more concerning, hackers can encrypt an organization’s medical records and hold them for ransom, promising to unlock them only after a fee is paid.

A healthcare cybersecurity task force considers that “healthcare industry cybersecurity issues are, at [the] heart [of] patient safety issues.” US government data show that healthcare breaches reported in the first five months of 2022 doubled those reported in the same period of 2021, with 66% of surveyed healthcare organizations reporting ransomware attacks. Of those, 61% reportedly paid the ransom to retrieve the encrypted data they needed. Healthcare ransomware and online hostage scenarios increased by 350% in the last three months of 2019, and hackers hit 90% of hospitals with email-based cyber-attacks, resulting in dangerous and costly downtime. Hospitals are not the only target: staff mobile devices are also experiencing cyber-attacks and ransomware.

Prevention 

With patients and staff looking to leaders for solutions and safety, data security has become one of the major issues in an effective organizational strategy. Beyond supporting up-to-date, relevant data security measures through staff and patient training, there are other cost-effective measures leaders may want to consider to protect their team and their patients.

Healthcare executives and board members can no longer assume their IT department can keep their data secure without their fiduciary oversight. One of the first suggested steps to take is educating themselves on data safety threats, the costs involved, and the maintenance of the necessary technology. Educational programs for staff and patients have the potential to increase safety measures by preventing routes into vulnerable systems. 

While changing passwords frequently is often encouraged for patients and their portal access, it may not close every inroad to a company’s IT systems. Leaders must keep cybersecurity software up to date, including patient portals. New, upcoming automated signup processes may discourage unauthorized access to patient portals and other routes to an organization’s data. So will other cybersecurity measures available to the industry: two-step verification systems; maintaining and updating anti-malware and antivirus software; promoting interoperability software for doctor-to-doctor communications; using artificial intelligence to confirm patient identity during the portal setup phase; educating staff on threats and warning signs such as suspicious emails and texts; and maintaining device safety standards so staff cannot connect personal devices internally or when accessing data systems remotely. With options and upgrades new and changing daily, leaders have the daunting task of staying ahead of the ever-changing world of data security. Healthcare could also benefit from taking note of other industries for new best practices and policies.

Areas of focus leaders may want to include in their review:

  • Access to highly sensitive information should be on a strict need-to-know basis. This may require team coordination to decide where those access lines should be drawn to make them most effective.

  • An organization’s risk level should be evaluated regularly. One organization’s exposure will not be the same as another’s.

  • Prepare for potential attacks and create a plan with a solid recovery strategy including, but not limited to, backup storage retrieval and ransomware policies.

  • Control access to internal systems by external vendors. Vendor support for data systems is necessary, but vendors may be the weakest link in the security chain. Vendors’ data security policies and procedures must be as comprehensive as those of the health systems they support.

  • Threat paranoia: consider everything a potential threat, whether it is internal or external to the company’s system. A zero-trust policy can plan for the inherent risk created by open structures, remote work, and portals.

While cyber threats are a real and present concern for healthcare leadership, careful planning, education, and strategy may provide a sound plan for protection as well as recovery. In today’s environment, no leader can afford to be unaware of their data’s exposure, risk, or current protection measures. It takes a team to keep digital records and systems safe.