IT Insider Blog

After spending years analyzing data security and compliance for healthcare providers we have noticed it’s always the administrators we work with that may all be but unaware of the reasons why so many of their staff are circumventing the very policies meant to protect themselves, their patients, and the entire hospital network. These actions further weaken defenses against cyber threats and increase the likelihood of a compromise with protected data.

Internal IT remains as a critical role to the success of healthcare organizations. Evolving technology and the widening gap of responsibilities place excessive burdens on the IT department. Healthcare IT departments have moved well beyond solving daily technology problems to help shape executive decisions around areas of finance/budgeting, data security, regulatory compliance, and more. This unique development of the IT engineer’s role has brought them up from the proverbial basement to the C-Suite as technology now intersects with all other aspects of business operations. The quick evolution of the IT role has undoubtedly created a winding path for technology professionals to try and adapt their skill-sets to include a wider range of organizational responsibilities. Executives find it challenging to know what gaps exist between technology operations and business operations and how to reconcile the two. Addressing these challenges will often require more of a collaborative approach which creates long term stability in the IT department and supports business objectives.

Jill is the administrator for a 25-bed rural hospital in a remote part of Texas that receives patients from almost an hour away in every direction and serves as the counties only hospital. A discussion with Jill around cybersecurity practices provides insight into the various reasons why administrators may not be aware of the danger that lies just beyond their firewall. Surprised by the implications of her internal network password policies not meeting standards, Jill states “Our hospital is one of the most remote in the state, how and why would we be targeted by hackers?” She is not alone in thinking that her geographical location will diminish the odds that their facility will be vulnerable to a cyber-attack.

It is common for healthcare executives to report that securing their data is mainly focused around meeting compliance objectives so they can qualify for federal incentive programs. While participation in incentive programs is meant to increase meeting compliance objectives, they simply fall short in addressing the nuanced individual business practices that fall outside the scope of compliance measures. Compliance standards in and of themselves do not provide detailed guidance or a methodology to ensure protection of ePHI data.

As the number of compromised ePHI data continues to rise, healthcare providers are not waiting around to try and identify risks. 31,611,235 healthcare records were breached in the first 6 months of 2019, which is double the number of records exposed in healthcare data breaches in the entirety of 2018 (14,217,811 records). – According to the 2019 Mid-Year Data Breach Barometer Report from Protenus and Databreaches.net, cites HIPAA Journal.

E-mail is a pervasive target for hackers to exploit in healthcare and the problem is predicted to get worse. A 2018 HIMMS and Mimecast survey revealed that 87% CIO’s and IT directors surveyed believed that e-mail poses the greatest venerability to exploitation by hackers. E-mail’s sent by nefarious sources can cleverly deceive end users by looking legitimate and can contain links with embedded malware, viruses, and ransomware and all it takes is 1 click for an organization to be compromised.