Why it’s critical to emphasize data protection in a digital world
As interoperability becomes more commonplace, healthcare organizations increasingly will need to balance technology integration and cybersecurity in their networks.
While patient care is the focus of every hospital and health system, technology enables that care to be delivered quicker, more deliberately and with more rigor. Connectivity among the various IT systems that form the core of hospital operations helps physicians look at patients more holistically, which facilitates better care decisions.
As patients move from care setting to care setting, hospitals also need interoperability with other facilities such as physician offices, ambulatory care centers, imaging centers and other hospitals.
More hospitals are electronically sending and receiving patient health data than ever before. According to 2021 statistics from the Office of the National Coordinator for Health Information Technology (ONC), 88 percent of hospitals can send or receive data electronically, while 75 percent can integrate this information into their EHRs.
Rural and small hospitals trail their urban counterparts, but the interoperability gap is shrinking. The ability to access electronic information at the point of care was 48 percent in 2021 for rural hospitals, compared to 62 percent nationally. Rural hospitals have grown in their ability to access electronic data at twice the national average since 2017.
There’s little doubt that the future of healthcare is interoperable. As hospitals, health systems and other care providers promote interoperability, they also must recognize that healthcare data is highly prized among hackers. Providers must take proactive steps to protect the privileged information flowing through their IT systems.
Centralized monitoring can take the headache out of managing multiple individual security platforms. Using a single dashboard for monitoring can simplify alerting, streamline incident response and improve visibility across the network.
The weak link in an IT network
IT networks are composed of a dizzying number of software programs, many of which are connected to other systems through APIs. The weakest link in this ever-larger chain is where hackers will concentrate their efforts. Any system — even one not unique to healthcare — can be the culprit.
Through the first four months of 2023, 197 healthcare data breaches affecting 17.4 million patient records have been reported to the ONC. If similar numbers are reported for the rest of the year, the total number of breaches would be down by about 100 incidents from the previous year, but nearly 1 million more records would be affected. In other words, there are likely to be fewer breaches but more affected records per incident.
More than 5 million breached records can be traced to Fortra’s GoAnywhere secure file transfer software, which reported a hack in early February. The largest victims, so far, include NationsBenefits, a supplemental benefits provider with 20 million members (more than 3 million affected records); Brightline, a virtual pediatric behavioral health coaching and therapy provider (964,000 records); and Community Health Systems, an 80-hospital health system (962,000 records). The software isn’t healthcare-specific and can be used by many industries. A vulnerability in a business associate like Fortra can impact every customer.
According to the ONC, 40 percent of hospitals participate in multiple data networks where information is exchanged. Data interoperability as supported by the Trusted Exchange Framework and Common Agreement (TEFCA) is supposed to “help reduce the number of different networks and methods that hospitals need to use to support exchange,” the ONC states in a recent briefing.
The ONC has also proposed new rules to advance care through technology and interoperability. The updates include how health information moves among systems, improvements to electronic case reporting to support response to future public health emergencies, new data standards, improvements to patient privacy and greater transparency of artificial intelligence (AI) algorithms.
Ongoing and anticipated interoperability efforts place additional burdens on healthcare networks.
Seven steps for protection
Every provider is different, and so is the IT network each organization uses to collect, share, and disseminate data. If followed assiduously, these tips can help keep an organization’s network safe.
Follow security and privacy standards. Follow established security and privacy standards such as HIPAA, NIST CSF and HITRUST. Ensure that all security and privacy controls are implemented and regularly audited.
Use strong authentication. Multifactor authentication is ideal for all remote access or privileged access. Be sure to enforce strong passwords that are changed regularly.
Use encryption. Encryption should be used to protect sensitive data, both in transit and at rest. Use certificates to encrypt data in transit and encrypt sensitive data on devices and in attached storage.
Keep software and firmware up to date. Ensure that all software and firmware is up to date with the latest security patches and updates. Patch management software can help organizations keep track of updates.
Use security analytics. Implement security solutions that can detect and respond to security threats in real time, such as security information and event management (SIEM), endpoint detection and response (EDR), managed detection and response (MDR), extended detection and response (XDR) and internet of medical things (IoMT) security.
Conduct regular security assessments. Regularly assess your network for vulnerabilities, conduct penetration testing to identify weaknesses that attackers could exploit, and quickly remediate any vulnerabilities.
Implement security policies and training. Develop and implement security policies that outline best practices for network security and provide regular security training to employees.
A continuing process
Interoperability is the key to connected care, where data follows the patient from physician to physician and from care setting to care setting. The number of technology connections continues to grow, as does the need for healthcare IT professionals to protect their IT networks against cyber threats and safeguard patient data.
By using a multi-layered approach to security, hospitals can minimize the risk of data breaches and ensure the security of their IT infrastructure. Centralized monitoring can also help to bring critical metrics regarding the health of a data network to a single platform.
Casey Puccio is manager of cybersecurity operations at Fortified Health Security.