Cybersecurity has been top of mind for healthcare organizations this year. According to Ponemon Institute LLC, the average cost of a healthcare data breach was $355 per lost or stolen record. Not only that, but 89% of HIPAA-covered entities and businesses surveyed by Ponemon suffered healthcare data breaches.
As cyberattacks continue to proliferate, the onus is on healthcare organizations to ensure their data is protected. During a Twitter chat hosted by the Office of the National Coordinator for Health Information Technology (ONC), health IT experts discussed what plans their organizations have in place to prevent a health data breach.
One organization said it does everything possible to avoid handling protected health information at all, so there is less to breach, and another said it uses advanced analytics to detect HIPAA violations quickly. The experts emphasized the importance of conducting regular cybersecurity awareness training, in addition to constantly monitoring access to patient data. Participants also said what they believe is the No. 1 threat to health data security.
The discussion also briefly turned toward APIs and whether they reduce or increase the risk of a healthcare data breach. Chat participants said APIs should not increase the risk of a breach if they are used properly. Experts also addressed risk and asset management, and why healthcare organizations need to know what devices are on their networks.
To finish off the conversation, ONC asked why it is important for healthcare organizations to share information about cybersecurity threats. Participants agreed cyberthreat information sharing can help organizations take a more proactive approach toward protecting patient data instead of waiting for a healthcare data breach to occur.
ONC hosted a Twitter chat about cybersecurity and health IT on Thursday, October 27, 2016. It kicked off the conversation by asking participants what their organizations are doing to prevent a healthcare data breach.
Protenus, a Baltimore-based company that helps hospitals protect patient data, uses advanced analytics to detect HIPAA violations in real time.
Fred Trotter, a data journalist and CTO of CareSet Systems, a Medicare claims decoder, said his company does its best to limit contact with protected health information (PHI) since it is not a healthcare provider. ONC chief privacy officer Lucia Savage suggested that other organizations follow suit and limit their contact with PHI if possible.
We are not providers, so our need to prevent breaches starts with doing everything we can not to work directly with PHI... #CyberAwareChat— fredtrotter (@fredtrotter) October 27, 2016
ONC then asked chat participants if their organizations had performed an annual security risk analysis (SRA). In collaboration with the Office for Civil Rights and the Office of the General Counsel, ONC offers a downloadable SRA tool that helps guide organizations through the process. Matt Rafalski, clinical IT director for Dayspring Family Health Center in Jellico, Tennessee, said his organization is currently working through the SRA tool.
Working through security risk tool now (do annually), very helpful for small to medium practices. #CyberAwareChat— Matt Rafalski (@MattRafalski) October 27, 2016
The conversation shifted slightly when Stephen Konya, senior innovation strategist for ONC, asked chat participants what they believe is the number one threat to healthcare data security. Participants agreed that people and human behavior are the top threat to the security of healthcare data.
#CyberAwareChat - What do you consider the number one threat to security of healthcare data today?— Stephen Konya (@StephenKonya) October 27, 2016
In a word: people. -dk #CyberAwareChat— Cerner (@Cerner) October 27, 2016
Konya then asked if open APIs reduce or increase security risks. Cerner chief security officer Don Kleoppel said they should not increase security risks if they are used properly and only taken from verified sources.
The next question focused on cybersecurity awareness training. Participants said they provide formal and ad hoc training to employees in addition to monitoring their organization's cybersecurity.
We provide training tips monthly & encourage annual formal training. Training is best when methods are varied. #CyberAwareChat— HIPAA E-Tool (@HIPAAETool) October 27, 2016
For the final question, ONC asked participants why it's important to share information about cyberthreats. Participants said sharing cyberthreat information promotes awareness and helps organizations find solutions to protect patient data.
Chat participants also stressed the importance of risk and asset management. One problem organizations struggle with is that they do not know how many connected devices are on their network; a device that is not in the inventory cannot be patched, monitored or included in the risk analysis, so the data it touches cannot be shown to be protected.
#cyberawarechat Do you think hospitals and healthcare providers know how many IoT connected medical devices they have on the network?— ZingBox (@ZingBoxSecurity) October 27, 2016