As most readers know, last year was a pretty lousy one for healthcare data security. For one thing, there was the spectacular attack on health insurer Anthem Inc., which exposed personal information on nearly 80 million people. But that was just the headline event. During 2015, the HHS Office for Civil Rights logged more than 100 breaches affecting 500 or more individuals, including four of the five largest breaches in its database.
But will this year be better? Sadly, as things currently stand, I think the best guess is “no.” When you combine the increased awareness among hackers of health data’s value with the modest amounts many healthcare organizations spend on security, it seems like the problem will actually get worse.
Of course, HIT leaders aren’t just sitting on their hands. According to a HIMSS estimate, hospitals and medical practices will spend about $1 billion on cybersecurity this year. And recent HIMSS survey of healthcare executives found that information security had become a top business priority for 90% of respondents.
But it will take more than a round of new technical investments to truly shore up healthcare security. I’d argue that until the culture around healthcare security changes — and executives outside of the IT department take these threats seriously — it’ll be tough for the industry to make any real security progress.
In my opinion, the changes should include following:
- Boost security education: While your staff may have had the best HIPAA training possible, that doesn’t mean they’re prepared for growing threat cyber-strikes pose. They need to know that these days, the data they’re protecting might as well be money itself, and they the bankers who must keep an eye on the vault. Health leaders must make them understand the threat on a visceral level.
- Make it easy to report security threats: While readers of this publication may be highly IT-savvy, most workers aren’t. If you haven’t done so already, create a hotline to report security concerns (anonymously if callers wish), staffed by someone who will listen patiently to non-techies struggling to explain their misgivings. If you wait for people who are threatened by Windows to call the scary IT department, you’ll miss many legit security questions, especially if the staffer isn’t confident that anything is wrong.
- Reward non-IT staffers for showing security awareness: Not only should organizations encourage staffers to report possible security issues — even if it’s a matter of something “just not feeling right” — they should acknowledge it when staffers make a good catch, perhaps with a gift card or maybe just a certificate. It’s pretty straightforward: reward behavior and you’ll get more of it.
- Use security reports to refine staff training: Certainly, the HIT department may benefit from alerts passed on by the rest of the staff. But the feedback this process produces can be put to broader use. Once a quarter or so, if not more often, analyze the security issues staffers are bringing to light. Then, have brown bag lunches or other types of training meetings in which you educate staffers on issues that have turned up regularly in their reports. This benefits everyone involved.
Of course, I’m not suggesting that security awareness among non-techies is sufficient to prevent data breaches. But I do believe that healthcare organizations could prevent many a breach by taking advantage of their staff’s instincts and observational skills.