(Guest blog written for the Arizona Hospital and Healthcare Association)
In today’s increasingly interconnected digital world, how can we best ensure that our health data is safe? Healthcare data breaches happen, including locally. Fewer than two years ago, one of Arizona’s largest healthcare providers experienced a breach that exposed the personal information of as many as 3.7 million Arizona patients and employees, reinforcing the need for all of us to be more rigorous and proactive. Hospitals AND patients must do more! Here are 7 steps to improve our defenses.
1. Analyze the risk landscape
How can you defend against an attack you’re unaware of in the first place? Look at your defenses like a hacker would to uncover as many weaknesses as possible. Then, prioritize: The discomforting truth is that hospital resources are too limited to prevent every conceivable attack, but a proper analysis will reveal both the most-likely and most costly dangers.
2. Constantly monitor your security program
In 2017, the healthcare industry accounted for 25% of all data breaches. Clearly, for a hospital, being secure must go beyond just being HIPAA compliant. A well designed security program operated improperly can be worse than no plan at all, as it lulls you into a false sense of security. You have to continually monitor and invest in your processes and technology to make sure they perform as designed. Such efforts will help you evolve your program more quickly as your risk landscape evolves.
3. Test, test, test
You have policy and procedures, but are they followed? You have configuration standards, but are they applied? Your program should be frequently tested to make sure that it has been implemented securely and maintained accordingly. Lax attitudes about upkeep contribute to a startling fact: Hackers spend an average of 99 days inside systems undetected. Implementing a timely and comprehensive internal audit program provides peace of mind that your program is operating as expected.
4. Train your staff
93% of cyber attacks are caused by human error or behavior. Don’t leave your staff unprepared for the defense of your data. Implement a training program for each role that clearly defines responsibilities and provides the knowledge to implement them. Turn your staff from your weakest link to your strongest asset.
And for patients:
5. Understand who has your data and how it’s being used
HIPAA requires that organizations notify you of the data they have collected and how it’s shared with other parties, so take the time to read the information disclosure.
6. Be selective about the information you share with third parties
As no defense can be flawless, taking responsibility for your own protection where you can is paramount. So consider carefully if the benefits of sharing your data is worth the risk. It’s within your rights to request your health data not be shared with particular people, groups, or companies. And remember: The data you don’t provide is the only data that is breach-proof.
7. Exercise your right to know who has accessed your data.
If you believe your information has been accessed in an unauthorized way, it’s your right to retrieve a list of all individuals who have accessed it from the health plan or healthcare provider. The Department of Health and Human Services provides comprehensive information of your rights and how to exercise them here.
With knowledge, training and dedication we can limit the scope and expense of data breaches, making Arizona a safer and healthier state!