Cybersecurity is an ever-increasing reality that every industry is grappling with (banking, business, education, government, and healthcare). In addition, the cyberattacks are getting much more sophisticated and causing more damage than previously. In 2014 healthcare was at the top of the Breach List with 42.5%, while other industries ranged between 5.5% to 33%. In the 2015 Breach study, which was just released this week, business has taken over the top spot with 40.1% of the breaches, while healthcare has dropped to second place at 35.2%. The other industries (education, government/military, and banking/credit/financial) range from 7.6% to 9.2%. While healthcare’s percentage of breaches has dropped, the number of records involved (121,603,514) far exceeds the other industries, which range from 759,600 to 34,220,850 records. Just the 10 largest breaches alone involved 110 million people (1/3 of the U.S. population)!
The cost to handle cyberattacks and security breaches in 2015 is also staggering - $37 billion! That is more than the $30 billion spent to digitalize medical records since the HITECH Act was passed in 2009. Cybersecurity is a critical issue that needs everyone’s attention. For more detailed information on the impact and reasons for the large number of healthcare cybersecurity breaches refer to last month’s article, Cybersecurity for Case Managers: Background and Impact.
What can be done to counteract this disturbing trend? At a national level, the National Institute of Standards and Technology, part of the Department of Commerce, is working on updating the "Framework for Improving Critical Infrastructure Cybersecurity" to make the nation’s critical infrastructure more secure. Each industry, organization, and information technology department is also working tirelessly to improve its infrastructure and security procedures. Smaller organizations are using the "Small Business Cybersecurity Guide" to develop best practices that will keep them, and their patients’ information, safe. But what are YOU doing to reduce cybersecurity risk? Many of you may be saying, "What can I do? I’m only one individual. Security is the responsibility of my IT department or organization". WRONG!
A system or network is only as good as the weakest link. The IT department can have the strongest security measures in place, but unfortunately system users are usually the weakest link. According to Experian Data Breach Resolutions, 80% of the incidents occur due to employee negligence. IBM research puts that figure even higher, showing human error accounts for 95% of all security incidents. These can include IT errors or omissions, loss of laptops, providing PHI to an unauthorized individual, etc.
All of us are responsible for a myriad of actions that can impact the security of our organizations. Specific cybersecurity practices must be in place and followed by all staff members to provide the minimum level of protection to mitigate threats and vulnerabilities for a system or network.
Let’s take a look at the Top 3 Security Threats to the Healthcare Industry and specific responsibilities that you have control over.
Theft and Loss (46% of security incidents) – laptops and mobile devices
-Make sure they are out of sight in your locked car or better yet, put them in your locked trunk.
-If you need to use mobile devices, refer to the "Mobile Device Security" practice brief for information on legal and regulatory requirements and best practices.
-Ensure that all laptops and mobile devices are encrypted. That way, if they are lost or stolen, the incident is not considered a breach, since the data is secure. This is a critical factor in securing the data and reducing the number of breach occurrences.
-Provide carrying cases (that do not look like computer cases), locking cables, alarm systems, tracking devices and remote-erase capabilities.
Insider misuse (15% of security issues) – intentional or unintentional actions that damage a system or lose data
-Hint: A password is stronger and harder to break if you use the first letter of each word in a phrase or sentence that means something to you, rather than just a word. Capitalize letters in the middle of the phrase, not the first word, as in a sentence. For example, "When I was 10 I lived on Lakeside in Columbus" becomes "wiw10iloLiC". Use the symbol "!" for the "I" and it becomes "w!w10!loLiC". It looks hard to remember, but it really isn’t.
-Hint: When changing the password, in the above example you could simply change the age to 11 or change the name of the street or city each time. Having a planned process for changing passwords makes it less stressful and easier to remember your password.
-Use an electronic vault that keeps track of passwords or develop your own system for remembering them.
-Do not share passwords or write them down on sticky notes on the computer.
-Do not use anyone else’s password.
-Request single sign-on authentication, which makes it easier for staff to log on, because they only have to remember one password instead of one for each application.
Unintentional actions (12% of security incidents) – actions that directly compromise patient information
-Don’t leave records/files or appointment calendars on a desk where others may see.
-Position computer screens so they are not visible to others.
-Set up a screen saver that activates after 5-10 minutes of inactivity.
-Use an automated process that logs you out of your computer if not used in "x" minutes, as required by your organization.
-Verify the individual or organization is authorized before sharing any PHI or data.
-Do not discuss a case where others may hear you, e.g. in an elevator or hallway.
-Shred paper files containing PHI or sensitive data.
-Use electronic shredder tools to delete electronic files. Simply deleting files is not adequate, as it still leaves information on the computer.
-Do not put PHI on your laptop or mobile devices, if possible. If required, request that they be encrypted.
-Schedule routine security training sessions. Provide information that is pertinent to the staff and their roles, so they will be more engaged in the training and more likely to follow the policies and procedures. A well-educated staff is the best line of defense.
-Monitor the staff’s use of PHI (who is viewing and why).
-Do not give access to temporary employees or vendors until you verify they have signed business agreements.
-Develop standard policies and procedures describing how to de-identify PHI from records used for analytics, research, or sharing with vendors to resolve bugs. Monitor staff to assure they are aware of and following these procedures.
-Immediately inactivate all passwords for employees whose employment has been terminated. Breaches have occurred from ex-employees accessing records after they left the organization.
-Assure that all data is totally removed from computers that are being de-commissioned or re-assigned to another employee.
-Request encryption for all laptops and mobile devices that contain PHI. This is a critical requirement.
-Request that mobile devices be set up with a "purge" process that does not store data when the mobile access session is closed.
-Develop a new numbering system as soon as possible, if the patient ID contains a social security number.
Have I convinced you yet that security is not just an IT function? Sure, IT does everything it can at a corporate level to develop a secure infrastructure and implement security safeguards that support the business objectives. However, I hope the long list of items above that you have control over has convinced you that you are also responsible and accountable for cybersecurity. This realization, that all employees are "stewards of security", empowered and accountable for security, helps create a culture that is essential in raising awareness and reducing security incidents.
Privacy and security experts say the new question in healthcare isn't if an organization will be breached but rather when. In addition, statistics show that system users are responsible in some way for 80-95% of the security incidents. So make sure you are not the one responsible for a breach. Be diligent in following security policies, procedures, and best practices and become a good steward of security.
We’ve looked at a lot of practical items that you can do to follow security policies, procedures, and best practices, but, believe it or not, we are not finished yet. Next month we will discuss ways you can help reduce the potential for incidents related to phishing, the use of electronic medical devices, and the "internet of things" (that should be fun!).
Have a wonderful Holiday Season!