Protecting Patient Data Goes Beyond Policies

With cyberattacks on the rise, every healthcare worker is responsible for protecting patient information

By Mackenna Moralez, Assistant Editor
November 23, 2021

Digital operations allow healthcare facilities managers to address the evolving needs of patients, but some patients are not willing to give their personal information to a computer for fear of it getting exposed. Maintaining patient privacy is a top priority for hospitals and other healthcare facilities, but that emphasis by itself doesn’t prevent cyberattacks.

“Healthcare facilities continue to be attractive targets for security breaches due to their size and the centrality of sensitive personal data,” says Michael Borromeo, vice president of data protection at Stericycle, which provides compliance training and medical waste disposal services. “Attackers can access valuable data at scale through a single entry point. To both identify and defend against attacks, healthcare facilities must continuously monitor and assess their systems, data warehouses, and public and private clouds. Healthcare organizations should also be aware of and actively manage their physical paper trail. Only 27 percent of healthcare organizations surveyed have a paper shredding service to aid records management programs and protect against data breaches, leaving them more vulnerable to tampering and mismanagement of records and documents.”

In the last three years, more than 200 hospitals have fallen victim to cyberattacks, but only 65 percent of healthcare facilities officials believe their organizations have the appropriate security tools and resources, according to the 2021 Shred-It Data Protection Report. Less than one-half of healthcare facilities conduct routine monitoring and risk mitigation processes, such as vulnerability assessments (33 percent) or infrastructure auditing (48 percent). This leaves room for improved preparedness.

“Currently, 58 percent of surveyed healthcare organizations said they have an incident response plan, which means just under half may not be prepared to handle a data breach,” Borromeo says. “Without an incident response plan in place, healthcare organizations risk both material and reputational fallout from any kind of breach or exposure. As a result, it’s imperative that efforts are taken to put protocols in place.

“While this can be a challenge for smaller hospitals or healthcare facilities that lack the infrastructure or resources to implement protective measures, they should consider partnering with third-party security providers that have the proper expertise to address areas of need, whether it’s via plan building, monitoring, and response capabilities or controls testing and implementation. Doing nothing is no longer an option, so engaging partners on an as-needed basis provides for flexibility in how limited resources are deployed.”

It is up to managers to ensure that patients’ and residents’ personal information is safe. With 54 percent of healthcare systems saying a data breach would be critical to their reputation, it is crucial that organizations are transparent and regularly communicate with residents and patients about the way their information is being used, stored, shared and protected. This open dialogue builds trust within healthcare facilities.

Not only should facilities have visible operations, but they should also regularly review their information security protocols to make sure sensitive patient and resident information is safe.

“Should a cyber event occur, organizations must have a response plan in place to identify, track, and mitigate risks,” Borromeo says. “Those affected must receive a notification, which communicates any necessary actions for them to take (such as changing of passwords), describes the immediate steps that the company is taking, and provides assurance that the company is doing everything in its power to resolve the situation.”

Along with routine monitoring, cybersecurity task forces can prevent future attacks. Protecting critical information is everyone’s responsibility within a healthcare facility, so having representatives take more responsibility can improve awareness of risks and attack vectors.

“We cannot say this enough: data protection is not optional,” Borromeo says. “Data breaches and outages resulting from ransomware attacks will only continue to increase as more medical devices are utilized by doctors and patients, which contributes to the exponential growth of data, and thus, is at risk of compromise.”

“As a result, organizations must be vigilant and implement incident-response plans, actively monitor their systems and data, and evaluate the security aptitude and quality of their third-party partners and service providers. Implementing proactive information security practices, procedures, and controls must be a part of every healthcare organization’s operational strategy. It is non-negotiable, as human lives are literally on the line.”

Mackenna Moralez is the assistant editor of Healthcare Facilities Today.





Topic Area: Information Technology

