By Mackenna Moralez, Assistant Editor

Digital operations allow healthcare facilities managers to address the evolving needs of patients, but some patients are not willing to give their personal information to a computer for fear of it getting exposed. Maintaining patient privacy is a top priority for hospitals and other healthcare facilities, but that emphasis by itself doesn’t prevent cyberattacks.

“Healthcare facilities continue to be attractive targets for security breaches due to their size and the centrality of sensitive personal data,” says Michael Borromeo, vice president of data protection at Stericycle, which provides compliance training and medical waste disposal services. “Attackers can access valuable data at scale through a single entry point. To both identify and defend against attacks, healthcare facilities must continuously monitor and assess their systems, data warehouses, and public and private clouds. Healthcare organizations should also be aware of and actively manage their physical paper trail. Only 27 percent of healthcare organizations surveyed have a paper shredding service to aid records management programs and protect against data breaches, leaving them more vulnerable to tampering and mismanagement of records and documents.”

In the last three years, more than 200 hospitals have fallen victims to cyberattacks, but only 65 percent of healthcare facilities officials believe their organizations have the appropriate security tools and resources, according to the 2021 Shred-It data Protection Report. Less than one-half of healthcare facilities conduct routine monitoring and risk mitigation processes, such as vulnerability assessments— 33 percent — or infrastructure auditing — 48 percent. This leaves room for improved preparedness.

“Currently, 58 percent of surveyed healthcare organizations said they have an incident response plan, which means just under half may not be prepared to handle a data breach, Borromeo says. “Without an incident response plan in place, healthcare organizations risk both material and reputational fallout from any kind of breach or exposure. As a result, it’s imperative that efforts are taken to put protocols in place.

“While this can be a challenge for smaller hospitals or healthcare facilities that lack the infrastructure or resources to implement protective measures, they should consider partnering with third-party security providers that have the proper expertise to address areas of need, whether it’s via plan building, monitoring, and response capabilities or controls testing and implementation. Doing nothing is no longer an option, so engaging partners on an as-needed basis provides for flexibility in how limited resources are deployed.”

It is up to managers to ensure that patients’ and residents’ personal information is safe. With 54 percent of healthcare systems saying a date breach would be critical to its reputation, it is crucial that organizations are transparent and regularly communicate with residents and patients about the way their information is being used, stored, shared and protected. This open dialogue builds trust within healthcare facilities.

Not only should facilities have visible operations. They should regularly review their information security protocols to make sure sensitive patient and resident information is safe.

“Should a cyber event occur, organizations must have a response plan in place to identify, track, and mitigate risks,” Borromeo says. “Those affected must receive a notification, which communicates any necessary actions for them to take (such as changing of passwords), describes the immediate steps that the company is taking, and provides assurance that the company is doing everything in its power to resolve the situation.”.

Along with routine monitoring, cybersecurity task forces can prevent future attacks. Protecting critical information is everyone’s responsibility within a healthcare facility, so having representatives take more responsibility can improve awareness of risks and attack vectors.

“We cannot say this enough: data protection is not optional,” Borromeo says. “Data breaches and outages resulting from ransomware attacks will only continue to increase as more medical devices are utilized by doctors and patients, which contributes to the exponential growth of data, and thus, is at risk of compromise.”

“As a result, organizations must be vigilant and implement incident-response plans, actively monitor their systems and data, and evaluate the security aptitude and quality of their third-party partners and service providers. Implementing proactive information security practices, procedures, and controls must be a part of every healthcare organization’s operational strategy. It is non-negotiable, as human lives are literally on the line.”

Mackenna Moralez is the assistant editor of Healthcare Facilities Today.