Carla Smith looks at the various cybersecurity risks that exist across the US healthcare continuum and the steps that executive leadership can take to combat this threat.


Keeping patient data safe and secure remains a challenge. Thanks to a 9-year review of experiences in the United States, we know that between 2009 and 2018:

  • There were 2,546 healthcare data breaches involving more than 500 patient records each,

  • resulting in 190 million healthcare records stolen or exposed,

  • a number representing nearly 60 percent of the population.

The summary? In 2018 alone, healthcare data breaches were reported more than once a day.

With 2019 in its final quarter, let’s be clear about what execs need to do.

Bottom Line:

Breaches are bad for business, and potentially fatal for patients. Cybersecurity is a serious business issue; breaches cost health organizations millions in expenses and lost revenue, erode patient trust, and put patients’ lives at risk. Executives must understand privacy and security and use that knowledge to provide effective guidance to their teams.


Privacy and security are not the same thing

Security of patient health information (PHI) refers to the mechanisms in place to ensure that patient data is accessible only to those with permission to view, amend, transmit, and use it. In the United States, those mechanisms are governed by the HIPAA Security Rule.

Privacy of patient data comes back to the patient, who decides when, how, and with whom to share it. The privacy of health information is most often controlled through policies and procedures; for example, the US HIPAA Privacy Rule.

Resources for executives:

There are a handful of highly credible and understandable sources for healthcare execs. For example, in August 2018, the UK’s NHS published its Information Security Policy. In the US, the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity provides the structure and guidance health care executives need to understand and direct the implementation of effective steps to mitigate cybersecurity risks. Introduced in 2014, this voluntary framework, now mandated for all U.S. federal agencies, grew out of a year-long collaborative process involving industry, academia and government agencies. Additional resources appear on the NIST website. And, in January 2019, the Department of Health and Human Services published Health Industry Cybersecurity Practices as guidance to manage risk and protect patients.


Know where data resides

How people can access data depends on multiple factors, and seemingly innocuous fields combine into identifiers. For example, three pieces of information (ZIP code, gender, and birthdate) can identify 87 percent of the US population.

When it comes to knowing where data resides, 50 percent of responding health care organizations have more than 50 different data sharing agreements, according to results from the 2019 Integris Software Healthcare Data Privacy Maturity Study. In addition, while 70 percent of respondents indicated they knew where sensitive data resides, only 50 percent said they update their inventory of personal data as often as once a year, and the rest do so less often.

The pervasive use of Picture Archiving and Communication System (PACS) means stored digital images, rather than film viewed on a light table, are easily accessible, often via the radiology department.

In September, journalists at ProPublica delved into the accessibility of patient records on the internet via 200 unprotected servers. Around the same time, the National Cybersecurity Center of Excellence (NCCoE) at NIST released a proposal addressing the challenge of securing PACS, aligning with industry and the IT community. The proposal included companies developing cybersecurity solutions. The long-term outcome of this project targets improved and more secure PACS solutions.

Bottom line:

Actionable solutions for protecting and accessing PACS and other electronic patient data demand a consistent and collaborative effort that is reviewed and updated as technologies change. Executives must insist upon consistency and collaboration.

Resources for executives:

PACS, Cybersecurity for the Healthcare Sector, published by NCCoE and NIST in September 2019, is a public-private practice guide that “demonstrates how an organization may implement a solution to mitigate identified risks…”


Cybersecurity training for current staff

Training staff on compliance protocols for accessing electronic patient data seems like such a basic priority in a health care setting. Yet many data breaches result from human error.

The 2019 MidYear QuickView Data Breach Report found that across all industries, as of June 30, 2019, some 3,800 publicly disclosed breaches had resulted in 4.1 billion compromised records. The numbers are staggering, but the human error factor is even more revealing. The culprits in these breaches: email (70 percent) and passwords (65 percent).

Bottom line:

Senior leaders of healthcare organizations must prioritize and budget for staff training at all levels. These steps require a commitment to excellence, recognition that data hacking practices keep evolving, and ongoing budgets that make effective staff training possible.

Resources for executives:

The National Initiative for Cybersecurity Education Cybersecurity Workforce Framework offers an established taxonomy and common lexicon for cybersecurity work and workers as a resource that can “help strengthen the cybersecurity posture of an organization.”


October Is National Cybersecurity Awareness Month

National Cybersecurity Awareness Month (NCSAM), held every October, brings together government and industry to raise awareness about the importance of cybersecurity. The NCSAM 2019 message – Own IT. Secure IT. Protect IT. – focuses on managing cybersecurity at home and in the workplace in the areas of citizen privacy, consumer devices, and e-commerce security.