5 Ways to Strengthen Your Healthcare Cybersecurity

The good thing about cybersecurity is that nobody cares about the data of healthcare providers.

Oh wait a second…

While you care about saving your organization money, you aren’t focusing on one of the costliest healthcare issues you’ve faced in recent years: cybersecurity breaches. Estimates show that each breach costs a provider more than $400 per patient. And 2018 so far has been a banner year for healthcare data exposure. In April alone, breaches affected almost 900,000 people.

And that’s just what was reported.

But IT, especially cybersecurity, is not your department. Why should you make this your problem? The answer is simple: because the next violation could be your fault. That’s not us being harsh; it’s just a fact. Incidents originating from hackers are in the minority.

Most violations stem from carelessness or simple mistakes.

So what can you do to prevent data breaches in your organization?

1. Control access

Just as important as how people access your system is who accesses it. We hope you will not allow any elderly patients to walk freely from the ER through the hallways. (Though we all know there are still hospitals where you can walk straight from the front door to the OR without once flashing a badge or turning a key.)

So make sure that the people who can access your areas are the people who should. That might seem self-explanatory, but just think about how many places your keys take you. Are there computers or tablets in those rooms?

And that’s just the most basic form of access. At the cybersecurity level, different people should have access to different types of provider and patient records. And each of those access levels must be password protected.

Now think about your coworkers. You probably know one of their passwords. How many people know yours?

Speaking of…

2. Create strong passwords

Every website has a different (annoying) requirement for its passwords. Uppercase, lowercase, punctuation, but not that punctuation, and so on. That’s probably why you have a few variations of the same password that you use everywhere.

Doesn’t that make it easier for someone with access to your password in one place to guess it everywhere?

Do you know who uses the same password for everything? Manufacturers. Anything they ship that requires a password starts with a default value. So what happens when a hacker can find the default password for, say, an Internet-connected MRI machine? That hacker can break into any Internet-connected MRI machine.

Unless the hospital changed the default password as soon as the machine was purchased.

Seriously, change your passwords. (And no, P4ssw0rD123 is not a safe option.)

3. Understand what you have

Speaking of Internet-connected devices, what do you know about the Internet of Things? All devices in your hospitals that connect to the Internet must be secure.

And notice that we didn’t say “all the devices that you brought into your hospitals.” Every laptop and iPad, even every internet-connected pacemaker, that walks through your doors opens you up to a breach.

Make sure you have custom passwords and network connections for all devices connected to the Internet, and control what users do on those connections.

4. Update your technology

This one is pretty straightforward. The older a system is, the more vulnerable it is. Technology from a year ago has fewer safeguards than something released today, and the further back you go, the more time hackers have had to figure out how to penetrate those defenses.

There was a documentary in the 1980s about a teenager almost starting World War 3 on a relatively primitive computer. Imagine what today’s hackers could achieve on those old systems.

(Okay, it may not have been a documentary. But we stand by our point.)

5. Prepare for the worst

Something bad will happen. Sorry, it just will. As soon as a breach is discovered, whether it’s a thief who left the hospital with a laptop or an employee who accessed patient records on McDonald’s Wi-Fi (please, please, don’t use non-secure networks to do business), it must be reported.

Your organization needs a plan to deal with breaches. And that’s not entirely on your shoulders. Discuss it with IT, the people you report to, and the people who report back to you. Find out the best way to recognize a violation and what steps to take from there.

It doesn’t have to be your fault that the wrong people get access to your company’s or your patients’ information. But if you don’t take steps to strengthen your cybersecurity, it will be.
