Security Awareness for Healthcare Professionals
The healthcare industry has experienced a major change with electronic records enablement which replaced traditional paper-based medical records. This shift improved the efficiency of delivering health care services to the clients/patients and minimized insurance fraud as well as billing errors. However, shifting to an electronic mode of medical data storage calls for additional awareness and responsibility by healthcare professionals to protect the stored information against possible data breach.
Health information data breach is known as a medical data breach, which may include breach of medical billing information (from health insurance) or personal health information of patients from the electronic records of individuals. Any data breach has to be reported to the federal government and the individual affected as per law in the United States.
Medical field professionals should always be well informed regarding their liability towards safeguarding patient information. A privacy breach not only accounts for hefty fines in the range of $1,500 per breach, but also accounts for ethical as well as moral considerations. For example, let’s look at the HIPAA fine of $1.725 million imposed on Concentra Health Services. The breach happened due to an unencrypted laptop containing patient records that got stolen from the Springfield Missouri Physical Therapy Center. When it comes to protection of personal information and storage of medical records, patients or clients usually take matters very seriously. Highly confidential medical information is at risk with the increasing number of cases involving identity theft. Therefore, it is becoming more and more important for healthcare professionals to develop increased security awareness.
The Importance of Healthcare Data Protection
Although the main focus of healthcare professionals should be on providing healthcare services of superior quality to their patients, they cannot ignore the importance of protecting patient information. Thus, they should have adequate awareness regarding cyber security as the number and frequency of data breaches is increasing rapidly. It is noted that the majority of these data breaches occur due to human error such as the breakdown of physical security (door left open) or technical errors (User ID or Password not kept protected/sharing of account credentials).
Healthcare industry professionals always look to support their patients and protect their health as well as personal information. They do not intentionally want to do anything that may adversely impact the patient’s health. The motto of health IT is to provide faster, more efficient and more cost-effective care to the patients through the use of improved hardware and software technologies that already proved efficient in transforming other industries. However, potential cyber risks should be considered, and adequate security must be employed. Providing healthcare professionals with proper security awareness is an essential part of the security measures to be taken.
Training of Security Awareness
The healthcare sector can be regarded as one of the most information-intensive industries. Our day to day life and health is critically impacted by our personal health data. To continue innovation within the health industry, it is highly essential to maintain integrity and confidentiality of personal health data.
Being an information intensive industry, the healthcare sector remains a primary target for cyber attackers with the ever increasing instances of cybercrime.
As per IBM X-Force Research in 2015, the healthcare sector remains the most commonly attacked industry. The main reason behind this frequent attack is the fact that healthcare industries lack the expertise to handle the cyber security of its massive database. Moreover, it has a limited understanding of the justification and nature of cybercrime threats.
The rapid and continuous change in technologies further compounded the situation. Every day the information arena is experiencing the development of some new methods to generate sensitive information. PWC research estimated that 86% medical practitioners believe that in the next few years mobile apps will become a significant component of health management of patients. This will again call for a new level of data protection that was not experienced before.
These situations clearly show the importance of building the security awareness of healthcare professionals and the need for a good security awareness program to educate them. A good security awareness protocol uses knowledge and education to handle all forms of threats to security. Improving security awareness of healthcare professionals involves bringing everyone in the sector under the same training umbrella to ensure equal spreading of cyber security knowledge at every level of the organization. Security awareness to healthcare professionals revolves around:
- Generating a pro-active security culture
- Understanding attacks in relation to the wider security landscape (for example, knowing the consequence of phishing)
- Building respect towards the privacy of individuals
- Understanding the meaning of PHI or Protected Health Information and why one should protect it
- Understanding that security is part of the whole organization and impacts everyone
- Knowing the impact of privacy and security rules that apply to the healthcare industry
Security awareness should become an integral part of the overall security strategy of the healthcare industry to prevent possible cyber attacks.
Healthcare organizations have countless things to look after, such as providing patient care of the highest possible quality, retaining financial viability as well as leveraging information technology to improve the operational standard. Still, health care organizations have to give equal priority towards maintaining high-quality security settings to prevent any possible data breach. Raising cyber security awareness among health care professionals also involves making them aware of the consequences of errors in individual actions (such as clicking malicious links that can compromise the whole network and lead to data breach).
Recommendations Regarding Security Awareness of Healthcare Professionals
According to the FBI, cyber attackers can get as much as $50 per record, which accounts for information worth over $500 million at stake. The higher lifespan of healthcare information (in years as opposed to months in case of credit card information) makes them much more valuable. Surprisingly, even under these circumstances healthcare professionals get minimum training on security awareness. Only 38% of healthcare professionals get security training twice a year, while 49% get it only once a year. Moreover, only 7% get some security training when they are hired for the first time and alarmingly, 6% of health care professionals never get any such training.
Inadequate awareness training leaves health care organizations vulnerable to cyber-attacks, as evident from the increasing incidences of data breach in recent years. As per the KPMG reports, around 81% of health care organizations experienced incidences of data breach in the last year.
Building a robust security awareness program is the first line of defense against such attacks.
Some basic steps to raise the security awareness of healthcare professionals are as follows:
- Regularly update the security awareness program content as methods and means of attack are constantly changing with the availability of new technologies.
- It is better to have interactive sessions rather than showing a series of presentations and videos on security awareness. It has been observed that most of the employees give very little attention to these videos or presentations. However, some interesting ones can be used in between the interactive sessions.
- There is a difference between security training and cyber awareness programs. While security training provides users with specific knowledge and is generally intended for short-term conception-building, security awareness programs usually strive for behavioral changes in the individuals, thereby strengthening the overall security culture. It is a continuous and long term process that ensures discipline in building abilities, skills and knowledge within the health care professionals to enhance hospital security.
- Security awareness programs should be made mandatory to every health worker and not kept as an optional extra. Every individual related to the health care industry has a role in enhancing hospital security and most of the attacks happen due to the actions of employees with limited security awareness (clicking bad links).
- It is better not to focus only on the compliances imposed by HIPAA, HITECH or federal regulations. The security awareness program should be processed for continuous adaptation and improvements with the changing technology and pattern of business. The nature of threats will also change as cyber attackers will utilize new strategies to steal data.
- Support from top executives and management is extremely essential as they can lead by example through their participation in security awareness programs.
- Ensure that employees have some fun while attending the sessions. Make the sessions interactive and try to include some games or quizzes or competition sessions.
- Spread reminders, newsletters, posters, blogs and tips in email to continuously keep employees updated and on their toes. Use the free resources available through organizations such as SANS Newsletters or MS-ISAC.
- It is important to focus on the behavioral changes regarding cyber awareness in the personal life of employees including their home and family. This will help in the overall improvement of security culture among them. Employees usually have more attentiveness away from work settings with their family at home.
- The awareness programs must encourage feedback, ideas, creativity and active participation of the health care professionals. Evaluation of the program is important for further improvement.
Changing security culture is a hard process and takes years of continual effort to see results. It is not a simple endeavor so be focused to achieve the desired outcome.
What happens when data is breached?
The answer to the above question illustrates why we need security awareness of healthcare professionals. In the US, privacy and security cut across several legal frameworks. A number of guidelines and legislations are there to cover privacy and data protection focusing on healthcare industries. Protected Health Information or personal information is covered by two main healthcare legislation areas, the HIPAA or the Health Insurance Portability and Accountability Act and HITECH or Health Information Technology for Economic and Clinical Health. These two acts are there to work together covering the entire security expectations of the healthcare sector, which also involves the business associates of healthcare providers. The act requires disclosing incidences of data breaches to the affected individual and the government.
The fines associated with HIPAA and HITECH breaches are often very costly. Here are some examples of a few recent incidences of imposed fines:
- HIPAA fine of $4.8 million imposed on the New York and Presbyterian Hospital and Columbia University for the PHI breach of 6,800 individuals
- HIPAA fine of $4 million imposed on the Stanford Hospital & Clinics for 20,000 exposed patient records. The breach was caused when a business associate posted the patient records on a website that was accessible to the public.
Security awareness of healthcare professionals is important as a data breach contradicts the layer of ethics associated with the health care system. However, lack of security awareness and risky behavior has become part of health care organizations. Healthcare professionals often admitted that they kept information at risk in the workplace. Security awareness is beneficial to both healthcare organizations and professionals. Cyber attacks can be minimized through good security practice of individual workers. As cyber attacks on healthcare industries become more prevalent, improving the security awareness of healthcare professionals will be even more important.
The situation is even more critical to the imposed legislative compliance needs. Generating an educated workforce with the understanding of the cyber security implications is essential to the security strategy of the healthcare industry. The presence of the human element in most of the recent data breach incidents also compounded the condition and called for better security awareness among health care workers.
Proper means of addressing any possible breach
All types of security problems can be resolved by the IT industry. However, in case a breach has taken place, it is important to know what to do at that critical moment other than panicking.
Immediately address the breach: The first step is to make sure no further breach takes place through the same loophole. Detect and address the security flaw immediately. Locating the reason for the data breach such as the server, human error or physical security lapse is important so that damage can be minimized.
Form a team of experts to handle the situation: Forming an expert team capable of handling the breach is essential. Without a team, it is impossible to follow up the process of informing the authorities on the breach and taking help from the legal department.
Properly test security after fixing the lapse: After resolving the problem, it is important to test the system and ensure that the flaw is completely resolved. Being counteroffensive is vital, even before reporting the breach to the individuals and the government.
Notify the outside parties: After resolving the security problem, it is imperative to start notifying the internal legal cell, local authorities, and public relations section. Although there is often a set time within which a health care breach has to be reported, stopping further breaches should always remain the priority.
Solving other related matters: Sometimes even the most obvious issues get overlooked. Therefore, long-term implications of the breach should also be considered while resolving breaches. Quickly fixing the security flaws that caused the breach may be faster, but this should be followed by a thorough remedial process that may take much longer. Locate potential flaws that may get attacked in the future. Once attacked, health care organizations should continuously analyze their infrastructure and cyber security and test it at regular intervals.
Cyber security involves health care workers which include every individual in the system ranging from researchers, administrators, front desk workers, medics (laboratory technicians, nurses, consultant and social workers), transcriptionists, handlers of medical claims to IT and technical staff. In a chain, the human touch point always remains a potential weak link. Cyber attackers use this weak point to steal data through social engineering (such as phishing). Increasing the security awareness of healthcare professionals is the most potent tool to fight against such attacks. However, security awareness is not limited to fighting against social engineering and involves the creation of a culture of security.
The incorporation of HITECH Section 13407 increased the number of stakeholders required to be included in the culture of security awareness. It is extended to cover every associate of the business interacting with PHI and personal information. Thus a vastly diverse group is created among the health care stakeholders who need to have a sound understanding of the healthcare security scenario. Proper knowledge of healthcare security also enables them to adhere to the security rules of HIPAA and HITECH. Security awareness of healthcare professionals will only provide positive outcomes to the entire healthcare industry and related sectors.