Why is Healthcare Data Security Important?
Data security breaches are on the rise and our personal information is at risk. Healthcare data carries a hefty price tag on the black market and cyber-criminals are constantly on the prowl. Hackers are targeting our personal healthcare information and hospitals at an alarming rate. The repercussions of a data breach are significant and often have very serious long-term consequences.
Data Security Laws
The expansion of the Patient Protection and Affordable Care Act (ACA) and the “meaningful use” initiatives of the Health Information Technology for Economic and Clinical Health Act (HITECH) have driven healthcare organizations to adopt new technological measures to meet compliance. These regulatory laws were established to help protect the privacy and security of healthcare information by providing financial incentives for EHR adoption as well as expensive penalties for lack of compliance. As a response to the regulations, many healthcare organizations have become focused on implementing processes and policies for their staff to meet HIPAA compliance, but they are still failing to allocate proper resources to security infrastructure.
The Gap in Implementation vs. Prevention
There is a gap in understanding how to implement the necessary protection and what will be required to ensure data security throughout the data's life cycle. According to new research, organizations are now spending 95 percent of their IT budgets on implementation in the hope of meeting HIPAA compliance, yet less than 5 percent of their IT budgets goes to actual IT security. This has increased the probability that healthcare organizations will experience a security breach. After a breach, the remediation costs and the HIPAA fines that follow can cost organizations millions of dollars.
The financial impacts of healthcare data breaches are significant, and cyber-criminals are constantly targeting healthcare organizations. Breaches of personal healthcare information are on the rise in 2019, with an alarming number of records held for ransom or stolen. According to research conducted by healthcare compliance firm Protenus, the number of breached patient records tripled in 2018 compared with 2017.
Understanding what is required to protect healthcare data from unauthorized access and corruption must be a priority. Hospitals, business associates, and covered entities are learning a valuable lesson: investing in cyber security is crucial, and planning for ransomware and phishing attacks must be included in disaster recovery and incident response plans. Organizations have been planning for business continuity of their financial systems for decades; the same discipline now has to be applied to healthcare data.
Understanding the Impact
Back in 1985, the Digital Imaging and Communications in Medicine (DICOM) standard was created for handling, storing, printing, and transmitting medical imaging data. However, imaging devices were set up in hospitals and clinics before any security measures were standardized. In 2016, Oleg Pianykh, the director of medical analytics at Massachusetts General Hospital, wrote a research paper in which he reported discovering 2,774 unprotected radiology servers worldwide. Millions of images and associated healthcare data, including X-rays, MRIs, and CT scans, were found unprotected. The files contained names, birthdates, and social security numbers, and millions of patients' personal healthcare records were unlawfully exposed.
As of today, this problem still exists. ProPublica, an independent non-profit investigative news organization, identified 187 servers used to store and retrieve medical imaging data that are still unprotected, holding the records of 5 million US patients and millions more worldwide. The records were not stolen by cyber-criminals; they were simply left unprotected. A simple internet search uncovered insecure servers containing millions of patients' personal healthcare data, in systems run by medical imaging centers, doctors' offices, and mobile X-ray services.
Bridging the Gap
With data security breaches on the rise, it is now more important than ever to understand healthcare data security issues and how to protect sensitive information. At Improvement Path Systems we take cyber-security seriously. We are a healthcare and data analytics firm with deep expertise in protecting sensitive information. We use a defense in depth approach, combining multiple security controls to protect resources and data. We protect our perimeter using next generation firewalls. Our staff participates in security awareness and HIPAA training. We combine tried and true on-premises cyber security basics with the latest cloud technologies to secure our own data as well as our clients' data. You can learn more about protecting data in our next blog (Part II of the Data Security Series).
About the Author
Anderson King is a Senior Systems Administrator at Improvement Path Systems with over 15 years of experience. Anderson has been a part of the IPS team for over four years. He is responsible for the IPS infrastructure, data security, business continuity, disaster recovery, and information technology policies and standards. He has spent the last 7 years in the healthcare sector focusing on virtualization, cloud technologies, and securing information systems to meet HIPAA and NIST 800-171 compliance. He holds a degree in Management of Information Systems and is also a Microsoft Certified Professional and a Microsoft Certified Technology Specialist.