The good thing about cybersecurity is that no one is interested in data from healthcare providers. While you’re worrying about saving your organization money, you’re not focusing on one of the costliest problems healthcare has faced in recent years: cybersecurity breaches. Estimates show that each breach costs a provider over $400 per patient. And 2018 so far has been a banner year for cybersecurity healthcare data being exposed. The breaches in April alone affected nearly 900,000 people.
And that’s just what was reported.
But IT – especially cybersecurity – isn’t your department. Why should you make this your problem? The answer’s simple: because the next breach might be your fault. That’s not us being harsh; it’s just a fact. Incidents originating from hackers are in the minority.
The majority of breaches come from carelessness or simple mistakes.
So what can you do to prevent data breaches in your organization?
1. Control Access
Just as important as how individuals access your system is who accesses it. You wouldn’t let any old patient walk freely from the ER through the halls, we hope. (Although we all know there are still hospitals where you can walk straight from the front door to the OR without once showing a badge or turning a key.)
So make sure that the individuals who can access your areas should. That might seem self-explanatory, but just think of how many places your keys get you into. Are there computers or tablets in those rooms?
And that’s just the most basic form of access. On a cybersecurity level, different people should have access to different types of provider and patient records. And each of those access levels should be password-protected.
Now think about your coworkers. You probably know one of their passwords. How many people know yours?
2. Create Strong Passwords
Every website has an different (annoying) requirement for their passwords. Uppercase, lowercase, punctuation – but not that punctuation – and so on. That’s probably why you have a few variations of the same password that you use everywhere.
Doesn’t that make it easier for someone with access to your password in one place to guess it everywhere?
You know who uses the same password for everything? Manufacturers. Anything that they ship out that requires a password starts with a default. So what happens when a hacker can find out the default password for, say, an MRI machine connected to the internet? That hacker can enter any MRI machine connected to the internet.
Unless the hospital changed the password from the default as soon as the machine was acquired.
Seriously, change your passwords. (And, no, P4ssw0rD123 is not a secure option.)
3. Understand What You Have
Speaking of devices connected to the internet, what do you know about the Internet Of Things? Every device in your hospitals that connects to the internet needs to be secure.
And notice we didn’t say “every device that you brought into your hospitals.” Every laptop and iPad – even every internet-connective pacemaker – that comes through your doors opens you up to a breach.
Make sure you have custom passwords and network connections for all internet-connected devices, and monitor what the users are doing on those connections.
4. Update Your Technology
This one’s pretty straightforward. The older a system is, the more vulnerable it is. Technology from a year ago has fewer safeguards than something released today, and the further you go back, the more time hackers have had to find out how to penetrate those defenses.
There was a documentary in the 1980s about a teenager who almost started WWIII on a relatively primitive computer. Imagine what the hackers of today could accomplish on those old systems.
(Okay, that might not have been a documentary. But we stand by our point.)
5. Prepare For The Worst
Something bad will happen. Sorry, it just will. What you need to do as soon as a breach is discovered – whether it was a thief walking out of the hospital with a laptop or an employee accessing patient records on McDonald’s wifi (please, please, please don’t use unsecured networks to conduct business) – the breach needs to be reported.
Your organization needs a plan in place to deal with breaches. And that’s not totally on your shoulders. Discuss it with the IT department, the people you answer to, and the people who answer to you. Find out the best way to own up to a breach and what steps you take from there.
The wrong people getting their hands on your company’s information – or your patients’ – doesn’t have to be your fault. But if you don’t take steps to strengthen your cybersecurity, it will be.