The sheer volume of information generated in today’s healthcare environment is enough to make any chief information officer cringe. But there is another factor to consider these days: on the black market, medical information is 40 times as valuable as a credit card number. If someone’s AMEX number might fetch $1, that same person’s data-rich healthcare record – full of information like date of birth, Social Security number, and other important identifiers, each of which makes it easier to open a fraudulent new account – would fetch $40.
But the data itself is not always the biggest prize. Increasingly, hospitals and health systems themselves are being held for ransom as hackers freeze desktop computers, important applications, and laptops until a fee is paid and normal operations can resume. One recent report noted that half of the reported healthcare data security incidents from October 2015 to September 2016 came from healthcare ransomware attacks. The problem has garnered the attention of the director for the Federal Bureau of Investigation specializing in cyber crime — and has created a buzz in the industry on what to do next.
So what are healthcare and technology doing to stay ahead of the curve? If you attend any privacy and security discussion, you will usually hear some of the following terms: confidentiality, integrity, access, technical safeguards, administrative safeguards, and physical safeguards. Obviously, there are a number of emerging approaches to address the many facets of protecting vital information, and together they drive a comprehensive approach to mitigating the risks inherent in a digital ecosystem.
We’ve also seen a marked increase in the purchase of cyberinsurance. In the event of a security breach, cyberinsurance helps healthcare organizations cover the costs of placing affected individuals on credit monitoring, restoring or replacing compromised hardware, and paying legal fees. A more technical and prevention-oriented approach is to conduct a “penetration test.” These tests are carried out by “white hat” hackers who work closely with a sponsoring organization to break into its systems and find vulnerabilities before the bad guys do.
Finally, education remains a critical component. Even the most dedicated employee can unwittingly expose an organization to potential threats. The point of entry for many external threats and nefarious actors, sadly, is YOU! We learned this all too well during last year’s presidential campaign, when a phishing scam (emails that look legitimate but contain a bit of malware that lifts information from your computer) sowed chaos at the Democratic National Committee. It’s also what took down Baystate Health in Springfield, Massachusetts, where a phishing scam potentially exposed the personal data of 13,000 patients in October 2016. So if you get an email from a stranger, or a promotional message, that even hints it might not be legitimate, assume it’s a trap. Do not open it; send it directly to spam and notify your IT department.
Another growing area of focus is mobile device management (MDM) platforms. These platforms allow mobile devices to be remotely monitored, wiped, and controlled by system administrators. The benefit is that much of your personal data contained on corporate devices can be walled off.
In my class Privacy and Security for Healthcare Professionals, students create a phishing email designed to reset passwords, enter a system, and redirect the user to an informational and educational video. I also spend some time exposing students to the advances in encryption and fundamentals of basic encryption. Groups of students post encrypted messages to Blackboard only to be intercepted and “hacked” by their peers. The result is a fun interaction that exposes students to both approaches and helps them appreciate the technical sophistication they need to meet and surpass current encryption standards.
Thomas Martin, PhD, is an assistant professor and the graduate program director of the Division of Health Information Management in the Department of Health Services Administration and Policy. He’ll be giving a talk titled Cybersecurity: The Next Frontier for Students and Educators in Healthcare Management at the AUPHA Annual Meeting this summer on how to inform educators from across the globe on the fundamentals of teaching cybersecurity to the healthcare work force of tomorrow.