[BreachExchange] Yes, Small Hospitals Can Have Big League Data Security

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 24 19:44:38 EST 2019


https://www.hitechanswers.net/yes-small-hospitals-can-have-big-league-data-security/

Healthcare IT security pros face the important and difficult task of
keeping patients’ sensitive data secure. This type of data is a prime
target for cybercriminals, since health records contain more personal data
points than, say, credit card data and cannot just be reissued if a breach
occurs. Consequently, health data sells for far more on the black market
than other types of stolen information.

This underscores the need for a robust healthcare security and compliance
strategy. But for community or smaller regional hospitals, it is often
challenging for IT teams to garner the financial backing and support from
executives that they need to comply with regulations and keep patient data
safe. With the right tools and support, though, it is possible to craft a
culture of privacy and security at small hospitals that will reduce the
number of incidents.

Data, Data Everywhere
A common misconception among community or regional hospitals is that they
don’t need the same level of security as the big players in the healthcare
space. They can’t possibly be as attractive to cybercriminals as the big
medical centers, right? But what they don’t know is that they are more
likely to be targeted precisely because of their perceived weaker security
protocols.

Another security threat comes from the healthcare industry’s adoption of
cloud-based applications, which have become business-critical, storing vast
amounts of sensitive or proprietary information. Smaller organizations are
the gatekeepers to massive quantities of patients’ private health
information but may not realize it. Privileged insiders like network
administrators or users with elevated permissions have access to this
information and may carelessly or maliciously misuse it, causing audits,
exposure to risk and heavy fines.

Large healthcare systems have the financial and personnel resources to
dedicate to a robust privacy and security program. This, in turn, allows
them to better handle the full lifecycle of privacy and security incidents
and drive risk out of their organizations. So, attackers target community
hospitals because they tend to have weaker security measures.

The wider problem here is that the attack compromises more than just their
data. These facilities are actually connected to bigger hospitals through
systems that enable them to gain access to the larger organizations’ data
as well – including the sharing of systems after a merger or acquisition.

This sharing of information is common in the era of electronic health
records (EHRs).

Patients seen at a community healthcare organization sometimes need to go
to a larger organization for treatment. So, the organizations are sharing
patient data. This creates greater risk, as it allows for even more people
to have access to patient records. This trend is increasing as the industry
pushes for more access to health records. How is your small hospital going
to protect them?

Strengthening Your Security Posture
Just because smaller hospitals have limited resources doesn’t mean they are
helpless against today’s cyber-attacks. Here are three primary ways that
community and regional hospitals can protect themselves and their
counterparts:

1. Use Cloud Monitoring
The more insight you have into how users are interacting with your
applications, the more you can secure and optimize your business systems to
produce the best outcomes possible. By monitoring your cloud-based
environment, you can avoid regulatory fines and business interruption and
ensure trust among customers. Monitoring provides the added benefits of
greater visibility into usage and adoption, performance and compliance.

2. Train Your Workforce
Training in compliance, security and accountability helps to create a
strong culture that benefits everyone. Training users on security and
regulations contributes to a successful strategy. Governing and sanctioning
offenders strengthens accountability, but rewarding positive behavior will
further strengthen your culture. The idea is to move towards preventing
data breaches due to insider error rather than discovering them after the
fact.

3. Call in the Experts
Smaller hospitals often lack specialized IT skills, so a third party can
act as a mentor and help monitor your system. A third party takes that
extra monitoring load off IT’s plate and educates the community hospital on
the need to comply with regulations. A service like this can train new
employees and conduct ongoing, targeted training that is more efficient. A
third party can see that a certain region or department had the most
violations in a specific time period and then provide training on proper
use to protect both patient data and the organization.

Small But Strong
Small and regional hospitals are at a disadvantage compared to their larger
counterparts when it comes to compliance and security. But they have to
abide by healthcare regulations, too, or risk not only fines but loss of
patient trust as well – which is so crucial in a healthcare setting. Use
the three steps noted above to stretch resources further and strengthen
your data security and privacy.