By Neil Hartley, U.S. head of operations, Morphis
Healthcare is losing over $2.2 million per data breach, and that figure does not account for the loss of the patient information itself. Since 2009, almost half the population has had their healthcare data stolen in one of approximately 1,500 data breaches. So, why aren't healthcare companies doing more to address this problem? There are a couple of reasons, both of which can be attributed to the fact that the healthcare industry is, at its core, outdated.
According to the results of a Lieberman Software survey of 140 Microsoft Ignite 2016 attendees, 43 percent of respondents said they find it difficult to secure data in the cloud, reinforcing the notion that a large share of IT professionals are reluctant to entrust sensitive data to cloud providers.
In addition to the trust issue with cloud data encryption, there have been complications in reconciling HIPAA with the cloud. The data protection regulations put in place by the Department of Health and Human Services (HHS) date back to the 1990s, making it difficult to apply them to the quickly evolving demands of cloud security. In an attempt to begin working the cloud into HIPAA regulations, HHS issued guidance in October 2016 explaining when a covered entity may use a cloud service to store or process protected health information, how that data must be protected, and what responsibilities fall on the cloud provider, which the guidance treats as a business associate that must sign a business associate agreement.
HIPAA compliance has created many hurdles for healthcare providers, but there are a number of solutions that can be put in place to address this problem.
Healthcare providers hold some of the most intimate data there is, so updated security should be top of mind for healthcare organizations. Yet according to a Symantec report, the healthcare industry invests less than 6 percent of its technology budget in security, roughly half of what the financial industry spends.
So, what security measures can be put in place? First, in order to better protect themselves and their patients, healthcare organizations need to develop and implement multilayered security programs that cover their systems, their employees, and their patients. Access to systems needs to be controlled through strong authentication and least-privilege authorization, so that a user or service can reach only the records its role requires. By combining administrative and technical controls with improved security awareness training, healthcare organizations can more effectively protect the sensitive data entrusted to them by their patients.
According to a CIOL article, data encryption provides a simple and effective way to secure data. Encrypted data is unreadable to anyone who does not hold the right key, so access to the data is effectively reduced to access to the key, which can be managed and audited separately from the storage it protects. By encrypting data at rest, healthcare providers address a large part of their compliance obligations (under the HHS breach notification guidance, properly encrypted PHI is not "unsecured" PHI, so the loss of an encrypted disk does not by itself trigger notification), and they remove the worry about disk retirement or physical compromise of the cloud environment. The caveat is that encryption only helps if the keys are kept out of the environment being protected: a key stored beside the ciphertext, or an application account that can decrypt anything, leaves stolen credentials just as dangerous as before.
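To make the key-separation point concrete, here is an added example (not code from the original article or from Morphis) of envelope encryption for a patient record using only Go's standard library: each record gets its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that stands in for a key-management service, and the patient identifier is bound to both ciphertexts as AES-GCM associated data. The record type, function names, and the sample record are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredRecord is what lands on disk or in object storage (hypothetical layout).
// Only the wrapped DEK travels with the ciphertext; the KEK never does, so a
// retired disk or a copied bucket holds nothing readable without the KEK.
type StoredRecord struct {
	PatientID  string
	WrappedDEK []byte // DEK encrypted under the KEK with AES-256-GCM
	Ciphertext []byte // record encrypted under the DEK with AES-256-GCM
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts plaintext with a fresh random nonce, which is prepended
// to the output; aad is authenticated but not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// openGCM reverses sealGCM and fails if the key, the nonce, the ciphertext
// or the associated data has been altered.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// EncryptRecord generates a per-record DEK, encrypts the record under it,
// and wraps the DEK under the KEK. The patient ID is the associated data for
// both operations, so a ciphertext cannot be silently moved to another patient.
func EncryptRecord(kek []byte, patientID string, record []byte) (*StoredRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(patientID)
	ct, err := sealGCM(dek, record, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &StoredRecord{PatientID: patientID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then opens the record.
// Whoever can call this with the KEK can read every record, which is why
// KEK access, not the ciphertext, is the thing to lock down and audit.
func DecryptRecord(kek []byte, r *StoredRecord) ([]byte, error) {
	aad := []byte(r.PatientID)
	dek, err := openGCM(kek, r.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, r.Ciphertext, aad)
}

func main() {
	kek := make([]byte, 32) // in practice: held by a KMS/HSM, never on the data disk
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	// Constructed sample record, not real patient data.
	rec, err := EncryptRecord(kek, "MRN-0001", []byte("dx: hypertension; rx: lisinopril 10mg"))
	if err != nil {
		panic(err)
	}
	if _, err := DecryptRecord(make([]byte, 32), rec); err != nil {
		fmt.Println("wrong KEK, as expected:", err)
	}
	pt, err := DecryptRecord(kek, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", pt)
}
```

The two things to notice are that the on-disk record is useless to anyone who obtains only the storage (the wrong-KEK attempt fails authentication rather than yielding garbage), and that changing the PatientID on a stored record also makes it undecryptable, so a database-level tampering attempt is caught at read time.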
Unfortunately, even the most advanced data encryption isn't sufficient when healthcare organizations fail to properly train their employees on security practices. Cybersecurity involves more than protecting stored data: human error, such as a phished password or a misdirected record, can compromise an enterprise just as surely as a technical weakness. An organization that places too much emphasis on one control at the expense of the others leaves itself open to attack.
Update Legacy Systems
Healthcare providers are relying on outdated software systems to store patient records, and these systems, often unsupported and no longer receiving security patches, are far more susceptible to breaches than modern ones. The longer a provider retains patient records and the greater the volume of records held in one system, the larger the impact when that system is breached. From a patient protection and IT security/risk management standpoint, exposure through these precarious systems poses a threat not just of data breaches, but can represent an existential threat to the organizations themselves.
Legacy systems are also preventing healthcare organizations from harnessing the digital technologies they need to grow and become more efficient. It is critical to keep technology stacks up to date, which may require modernizing legacy applications in order to support the needs of modern business and, more importantly, to protect patients as well as possible.
The future of healthcare technology is both exciting and scary, as the IT industry innovates at lightning speed and leaves providers to play catch-up. By updating legacy systems and training employees on proper security practices, healthcare providers can get ahead before it's too late. And when disaster strikes, having data backed up in a copy that an attacker cannot overwrite, with restores tested in advance, and having a plan for ransomware attacks can be the difference between a close call and the loss of millions of patients' data.
About The Author
Neil Hartley is the U.S. head of operations for Morphis, an enterprise legacy-to-cloud software company based in Portugal, with offices in the U.K., Spain, and Brazil, and U.S. headquarters in Boulder, Colorado.