March 23, 2016
In the last month, at least four U.S. hospitals — and their thousands of patients and employees — were victimized by major cyber attacks. Malicious hacks into York Hospital in Oregon, Saint Joseph’s Healthcare System in New Jersey, Methodist Hospital in Kentucky and Hollywood Presbyterian Hospital either held hospitals hostage, or enabled broad access to the most private information and even wages. Hollywood Presbyterian hospital paid $17,000 to regain access to their EMR after hackers locked them out for 10 days. The initial cash demand was for $3.5 million. Next time that hospital may not get off so easily. Nor the hospital 100 blocks or 100 miles away.
Hospitals that have not beefed up their IT security recently or have no plans to do so are clearly in peril. Read on to learn more and download our special guide: “For Security’s Sake: Implementing a Risk Management Program.”
Recent estimates are that at least one health care organization a month will be affected by cyber crime, but as of 2016 that number is starting to look way too conservative.
Information security is a devious specter in hospitals; it hovers over every IT decision that is made, but is rarely central to those decisions. Why not? The consequences — major breaches in the security of protected health information (PHI) — are real and numerous.
General lack of awareness or concern within senior management about security risks — including cyber attacks — frequently keeps security improvements off the executive budgeting radar, even though implementation of sophisticated EHRs requires sharing more PHI than ever before.Your hospital’s security prognosis is uncertain unless you have a strong, sustainable security management program in place.
In many hospitals, EHRs and other IT costs are perceived to be so high that CIOs are not provided with sufficient budgets for needed related security upgrades. This problem is exacerbated when CIOs and IT staff do not have specialized security expertise or knowledge of security requirements to make appropriate recommendations. Inadequate spending on security directly contributed to a mammoth uptick in security breaches in 2015. Our recent FFAQ about healthcare’s “Wall of Shame” provides the gruesome details.
As your hospital moves further through Meaningful Use / MIPS Stage 2 towards Stage 3, it is required to build and maintain a tight security environment. HHS pumped up HIPAA privacy and security requirements in late 2013 with the Omnibus HIPAA Rule. Yet 2015 was the worst year ever for massive security breaches in healthcare and 2016 is already alarming. OCR’s Phase 2 of the HIPAA Audit program is underway and specifically targets risks to protected health information (PHI), along with “pervasive non-compliance” by covered healthcare organizations.
Nearly 95% of U.S. healthcare organizations have reported some form of security breach. According to a report by Grand View Research, the overall impact of cyber attacks in particular on hospitals and healthcare systems is nearly six billion annually and growing. Patient medical and insurance records are the key targets of these such attacks.
In order to provide an effective, sustainable security environment, two core security management processes are required — risk analysis and risk management. Regular risk analyses are required by both HIPAA and Meaningful Use / MIPS. But by itself, a risk analysis doesn’t add to your security unless it becomes the foundation of the second core security management process – risk management.
Risk management is a straightforward and systematic process – it requires addressing the priorities identified in your risk analysis with a road map for security that is tailored to your particular organization, its objectives, its risk tolerance, and its financial realities. Risk management is an extremely cost effective process, even if you involve external help to guide you (which may be necessary if strong security expertise isn’t available in house). Your risk management program will not only ward off potential security breaches, but also will help to guard against expensive knee-jerk decisions that could occur if security around planned IT initiatives hasn’t been considered early on.
Security is two things: an organizational decision and a systematic, educated process. We have developed a guide focused on conducting a proper security assessment and using its results to decide on effective security management program specific to your organization.