
Organizations discuss cybersecurity, healthcare data breach prevention
Healthcare organizations and health IT professionals addressed cybersecurity awareness training and how to prevent health data breaches in a Twitter chat hosted by ONC.
Cybersecurity has been top of mind for healthcare organizations this year. According to Ponemon Institute LLC, the average cost of a healthcare data breach was $355 per lost or stolen record. Not only that, but 89% of HIPAA-covered entities and businesses surveyed by Ponemon suffered healthcare data breaches.
As cyberattacks continue to proliferate, the onus is on healthcare organizations to ensure their data is protected. During a Twitter chat hosted by the Office of the National Coordinator for Health Information Technology (ONC), health IT experts discussed what plans their organizations have in place to prevent a health data breach.
One organization said it does everything possible to avoid dealing with protected health information to limit the risk of a breach, and another said it uses advanced analytics to quickly detect HIPAA violations. The experts emphasized the importance of conducting regular cybersecurity awareness training, in addition to constantly monitoring patient data. Participants also answered what they believe is the No. 1 threat to health data security.
The discussion also briefly turned toward APIs and whether they reduce or increase the risk of a healthcare data breach. Chat participants said APIs should not increase the risk of a breach if they are leveraged properly. Experts also addressed risk and asset management, and why healthcare organizations need to know what devices are on their networks.
To finish off the conversation, ONC asked why it is important for healthcare organizations to share information about cybersecurity threats. Participants agreed cyberthreat information sharing can help organizations take a more proactive approach toward protecting patient data instead of waiting for a healthcare data breach to occur.
ONC hosted a Twitter chat about cybersecurity and health IT on Thursday, October 27, 2016. It kicked off the conversation by asking participants what their organizations are doing to prevent a healthcare data breach.
Today's #CyberAwareChat is focusing on #cybersecurity and #healthIT. @SavageLucia and her team are here answering questions.
— ONC (@ONC_HealthIT) October 27, 2016
T1: We want to know - what is your org doing to prevent #healthdata breaches? #CyberAwareChat #HealthIT
— ONC (@ONC_HealthIT) October 27, 2016
Protenus, a Baltimore-based company that helps hospitals protect patient data, uses advanced analytics to detect HIPAA violations in real time.
We use advances in #MachineLearning & #BigDataAnalytics to quickly & accurately detect #HIPAA violations #CyberAwareChat
— Protenus (@Protenus) October 27, 2016
Fred Trotter, a data journalist and CTO of CareSet Systems, a Medicare claims decoder, said his company does its best to limit contact with protected health information (PHI) since it is not a healthcare provider. ONC chief privacy officer Lucia Savage suggested that other organizations follow suit and limit their contact with PHI if possible.
We are not providers, so our need to prevent breaches starts with doing everything we can not to work directly with PHI... #CyberAwareChat
— fredtrotter (@fredtrotter) October 27, 2016
Exactly so. If you don't need to access or use actual #PHI, then avoiding it is a good first step. #CyberAwareChat https://t.co/da1qKk4bDt
— Lucia Savage (@SavageLucia) October 27, 2016
ONC then asked chat participants if their organizations had performed an annual security risk analysis (SRA). In collaboration with the Office for Civil Rights and the Office of the General Counsel, ONC offers a downloadable SRA tool that helps guide organizations through the process. Matt Rafalski, clinical IT director for Dayspring Family Health Center in Jellico, Tennessee, said his organization is currently working through the SRA tool.
T2: Has your org done its annual #securityriskanalysis? Our SRA Tool can help. https://t.co/iC6GhFAmFy #CyberAwareChat @SavageLucia
— ONC (@ONC_HealthIT) October 27, 2016
Working through security risk tool now (do annually), very helpful for small to medium practices. #CyberAwareChat
— Matt Rafalski (@MattRafalski) October 27, 2016
The conversation shifted slightly when Stephen Konya, senior innovation strategist for ONC, asked chat participants what they believe is the number one threat to healthcare data security. Participants agreed that people and human behavior are the top threat to the security of healthcare data.
#CyberAwareChat - What do you consider the number one threat to security of healthcare data today?
— Stephen Konya (@StephenKonya) October 27, 2016
In a word: people. -dk #CyberAwareChat
— Cerner (@Cerner) October 27, 2016
Human behavior #CyberAwareChat #Technology supplies great compensating controls, but it starts with us. #Security is a shared responsibility https://t.co/VB0JyNUC6p
— Lucia Savage (@SavageLucia) October 27, 2016
#workforce - is training appropriate and consistent? #CyberAwareChat
— HIPAA E-Tool (@HIPAAETool) October 27, 2016
Konya then asked if open APIs reduce or increase security risks. Cerner chief security officer Don Kleoppel said they should not increase security risks if they are used properly and only taken from verified sources.
#CyberAwareChat - What about properly leveraging #OpenAPIs? Do you think it adds security risk or reduces it? @ONC_HealthIT
— Stephen Konya (@StephenKonya) October 27, 2016
If they're properly leveraged, no additional risk. Use APIs from verified sources. - dk #CyberAwareChat https://t.co/EXhimdimgs
— Cerner (@Cerner) October 27, 2016
Best source is the experts who gave their time for our API Task Force on #privacy and #security: https://t.co/48KRGHjdVx #cyberAwareChat https://t.co/pW5AaeCX3K
— Lucia Savage (@SavageLucia) October 27, 2016
The next question focused on cybersecurity awareness training. Participants said they provide formal and ad hoc training to employees in addition to monitoring their organization's cybersecurity.
T3: Is your organization conducting Cybersecurity Awareness training on an annual basis? #CyberAwareChat #HealthIT
— ONC (@ONC_HealthIT) October 27, 2016
@ONC_HealthIT We review resolution agreements and CAPS with our clients regularly for lessons learned to move performance. #CyberAwareChat
— Immersive (@ImmersiveLLC) October 27, 2016
We provide training tips monthly & encourage annual formal training. Training is best when methods are varied. #CyberAwareChat
— HIPAA E-Tool (@HIPAAETool) October 27, 2016
.@ONC_HealthIT A3: Annual and ad hoc training, plus 24x7 surveillance. -dk #CyberAwareChat
— Cerner (@Cerner) October 27, 2016
A3. Training must be continuous! The idea of 1X per year=floor. #huddles #elearning #trainthetrainer combined #CyberAwareChat
— Immersive (@ImmersiveLLC) October 27, 2016
.@ImmersiveLLC Agreed! Ongoing training is great. Training should be relevant to user's daily activities and workflows. #CyberAwareChat
— ONC (@ONC_HealthIT) October 27, 2016
For the final question, ONC asked participants why it's important to share information about cyberthreats. Participants said sharing cyberthreat information promotes awareness and helps organizations find solutions to protect patient data.
T4: Why is sharing cyber threats important? #cybersecurity #CyberAwareChat
— ONC (@ONC_HealthIT) October 27, 2016
Proactive over reactive: We work closely with our local branch of @FBI to share information that helps both parties. – dk #CyberAwareChat
— Cerner (@Cerner) October 27, 2016
More info on threats to #patientdata means that we can develop targeted and powerful solutions to protect it #CyberAwareChat
— Protenus (@Protenus) October 27, 2016
A4: More we know about threats and vulnerabilities, more we can collectively meet #cybersecurity challenges head on. #cyberawarechat
— HQI (@HQInnovators) October 27, 2016
Chat participants also stressed the importance of risk and asset management. One problem that organizations struggle with is that they don't know how many connected devices are being used on the network, which makes it hard to ensure that data is being protected.
#cyberawarechat Do you think hospitals and healthcare providers know how many IoT connected medical devices they have on the network?
— ZingBox (@ZingBoxSecurity) October 27, 2016
.@ZingBoxSecurity No, and that's why asset management & configuration database are critical. -dk #CyberAwareChat
— Cerner (@Cerner) October 27, 2016
Yes, knowing what is running on your system is a 1st step, and an important part of #security #riskmanagement @ONC_HealthIT #CyberAwareChat https://t.co/CtCZ8HWnaV
— Lucia Savage (@SavageLucia) October 27, 2016
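The reconciliation step behind the exchange above, as an added example that is not part of the original article and not code from ONC, Cerner or ZingBox: take what was actually observed on the wire (here a handful of constructed DHCP-lease-style records) and diff it against the asset inventory (a constructed CMDB keyed by MAC). Anything seen but not inventoried is an unmanaged device; anything inventoried but not seen for a while is a stale record. The record formats, the 30-day staleness window and the device names are all assumptions for illustration; the example uses only the Python standard library.

```python
"""Reconcile devices observed on the network against an asset inventory.

Added example, not from the original article or any product mentioned in it.
All inputs are constructed samples. The technique is the reconciliation:
observed-but-unknown devices are the ones nobody has risk-assessed, and
inventoried-but-unseen devices are the entries the CMDB can no longer vouch for.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: one DHCP-lease-style record per line
# (timestamp, MAC, IP, hostname; "-" when the client sent no hostname).
SAMPLE_LEASES = """\
2016-10-27T08:01:12 00:1b:63:aa:10:01 10.20.1.15 infusion-pump-07
2016-10-27T08:03:44 f0:9f:c2:b1:22:3c 10.20.1.42 radiology-ws-03
2016-10-27T08:05:02 00:1B:63:AA:10:01 10.20.1.15 infusion-pump-07
2016-10-27T08:09:30 3c:5a:b4:77:01:9e 10.20.3.200 android-a91f
2016-10-27T08:12:55 00:50:56:c0:00:08 10.20.3.201 -
"""

# Constructed sample inventory (CMDB): MAC -> (asset tag, owner, last_seen date
# recorded by a previous run). The third entry is deliberately absent from the leases.
SAMPLE_INVENTORY = {
    "00:1b:63:aa:10:01": ("MED-00017", "biomed", "2016-10-20"),
    "f0:9f:c2:b1:22:3c": ("WS-00342", "radiology", "2016-10-26"),
    "00:1b:63:aa:10:09": ("MED-00025", "biomed", "2016-09-01"),
}


@dataclass
class Observation:
    mac: str
    ip: str
    hostname: str
    last_seen: datetime


def parse_leases(text):
    """Parse lease lines into {normalized MAC: Observation}, keeping the newest sighting."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, ip, host = line.split()
        mac = mac.lower()  # MACs show up in mixed case; normalize before comparing
        when = datetime.fromisoformat(ts)
        prev = seen.get(mac)
        if prev is None or when > prev.last_seen:
            seen[mac] = Observation(mac, ip, host, when)
    return seen


def reconcile(observed, inventory, now, stale_after=timedelta(days=30)):
    """Return (unmanaged MACs, stale asset tags).

    unmanaged: on the wire this run, but the inventory has no record of them.
    stale: in the inventory, not observed this run, and last seen more than
    stale_after ago (assumed window; pick one that matches your lease lifetimes).
    """
    unmanaged = sorted(mac for mac in observed if mac not in inventory)
    stale = []
    for mac, (tag, _owner, last_seen) in inventory.items():
        if mac in observed:
            continue
        if now - datetime.fromisoformat(last_seen) > stale_after:
            stale.append(tag)
    return unmanaged, sorted(stale)


def inventory_report(lease_text, inventory, now_iso):
    """Run the whole pipeline on raw text and return a plain dict for reporting."""
    observed = parse_leases(lease_text)
    unmanaged, stale = reconcile(observed, inventory, datetime.fromisoformat(now_iso))
    return {
        "observed": len(observed),
        "unmanaged": [(m, observed[m].ip, observed[m].hostname) for m in unmanaged],
        "stale": stale,
    }


if __name__ == "__main__":
    report = inventory_report(SAMPLE_LEASES, SAMPLE_INVENTORY, "2016-10-27T09:00:00")
    print(f"{report['observed']} distinct devices observed")
    for mac, ip, host in report["unmanaged"]:
        print(f"UNMANAGED  {mac}  {ip}  {host}")
    for tag in report["stale"]:
        print(f"STALE      {tag}")
```

The unmanaged list is the one to act on: the Android handset and the hostname-less VMware-range MAC are on the clinical subnet with no owner and no risk analysis behind them. The stale list is the inventory debt that makes a security risk analysis inaccurate even when nothing new has appeared.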