Anyone who's set foot in a hospital knows how busy and chaotic even the most organized healthcare facilities can be. Modern healthcare is complex, it's nonstop and it's growing rapidly. With all this movement and progression, it's natural to experience some expected growing pains. But it's also true that in the midst of our digital age, something much more sinister lurks: healthcare data breaches.
Cyber attacks are on the rise in the healthcare industry. In fact, 2016 data breaches resulted in nearly 16.5 million patient records being exposed. Hackers have come to view hospitals as a prime target, considering the massive amount of sensitive data they hold within their systems. As such, healthcare organizations are in need for qualified professionals to help stave off these attacks and keep patient information safe.
The professionals on the frontlines of healthcare cybersecurity work within the health information management (HIM) sector. Health information management is responsible for the accuracy, security and privacy of patient records. As more and more hospitals are switching to electronic health records and electronic health systems, professionals in HIM will be called upon to work with and protect this information.
We dug into the details of HIM and healthcare cybersecurity so you can understand how and why this field is so critical to preventing hackers from stealing your personal health information.
Nearly 90 percent of healthcare facilities and organizations have been impacted by data breaches in the last two years, with an average cost of $2.2 million per hack. Oftentimes these incidents involve the use of ransomware by hackers to lock facilities out of their electronic healthcare systems, holding coveted information hostage until a large pay-out is met. In other cases, hackers work to steal personal information such as social security numbers, addresses, birthdays and even confidential health information to sell on the Dark Web.
One of the biggest and most recent healthcare hacks occurred within Britain's National Health System (NHS). A vicious ransomware called WannaCry took captive thousands of computers within the healthcare system, spanning 200,000 victims across 150 countries. Doctors and other healthcare professionals were called upon to pay $300 a piece to appease hackers and have their information "freed."
While the individual cost doesn't seem all that detrimental, the overall pay-out ventured into the tens of thousands. Had all parties paid the ransom, however, rough calculations have suggested the hackers would've walked away with at least $60 million. In addition to the financial impact, healthcare workers were not able to access test results, x-rays and appointments, leaving both doctors and patients at a loss.
The WannaCry hack was one of the largest malware hacks in history, but it is only one of many. Closer to home, there have been attacks on insurance companies such as Anthem Blue Cross (in 2015, with almost 80 million people affected) and Banner Health (in 2016, with more than 3 million people affected), as well as healthcare providers such as Washington University, where 80,000 patient records were compromised in 2017.
With cyberattacks on healthcare providers up 320% from 2015 to 2016, it is crucial that hospitals, medical companies and other healthcare professionals tighten up their security.
One of the most important roles in healthcare's defense falls to health information managers. As professionals in HIM deal with some of the most sensitive hospital and patient data every day, it falls on them to comply with privacy rules and laws.
"Cybersecurity should already be baked into roles of your health information management tools, processes and people," says Dennis Chow, chief information security officer at SCIS Security. One of these processes is following the Health Insurance Portability and Accountability Act (HIPAA) security rule.
The HIPAA security rule is a large safeguard for electronic health records. The federal government states that the HIPAA security rule "establishes national standards to protect individuals' electronic personal health information that is created, received, used or maintained by a covered entity."
Chow explains that this rule is followed by having security measures such as password authentication, encryption and role-based access controls. In essence, electronic health records should only ideally be accessible to those who have clearance and authorization.
However, human error can lead to breaches, which is why HIM professionals need to be especially vigilant in their work. Sharon Block, CEO of World Forward Foundation, says, "If someone prints out patient sensitive information and then throws it in the trash without shredding, there can be devastating consequences. We must create clear roles and responsibilities when it comes to healthcare employees and access to web health records and data."
For HIM professionals, several measures can be taken to ensure breaches and hacks do not happen because of human error. Consider the following four:
1. Never share login credentials with anyone, no matter what authorization or clearance they may have.
2. Always log off your computer when you step away or stop using it.
3. Properly dispose of any printed information you do not need - do not leave sensitive patient records laying in plain sight. Shred them if possible.
4. Do not open any suspicious emails or attachments. While some malware can spread between networks, many ransomwares and phishing scams occur from email attachments. Be on the lookout for emails asking you to click on links, download files or provide personal or company data. Even if the source seems to be from your company, always double check.
Following these steps can better protect your company's data, saving hundreds — if not thousands — of patients from losing valued personal information. As a healthcare professional, it is important that you are vigilant and careful in your work. Patients and healthcare organizations depend on you!
Technology changes every day, for both the better and worse. As hospitals become more digitalized, qualified professionals like you will be needed to defend data and ensure the security of patient information.
If you are interested in stepping onto the frontlines of healthcare cybersecurity and pursuing a career in healthcare and electronic health records, there are a couple different routes you can take. Find out more about each by visiting our article, "Health informatics vs. HIM: Which master's track is right for you?"