Written by Shon Barrier, Vice President of Research & Development
During our second iatricSystems Fall Exchange, we brought together industry leaders and healthcare organizations to discuss today’s challenges, including the current threat landscape and how to protect your organization from internal and external threats.
One highly attended session was The True Cost of a Data Breach and How Investing in PHI Protection Pays Off. We spoke with Andrew Hunter, Senior Cybersecurity Advisor at Field Effect, and Brandon Tiller, Privacy and Security Integration manager at iatricSystems, about overcoming current challenges to protect PHI. The discussion evolved into an interesting conversation as our experts tackled some tough questions and shared best practices from both the internal and external perspectives. Here’s a quick recap of some of the session highlights.
In 2020 we saw a shift in the cybersecurity world. What was once thought to be an unspoken truce with hospitals, ransomware attacks on the sector began to rise at an alarming rate – and it continued through 2021. When asked about the current threat landscape, Andrew responded, “The threat-level is certainly increasing. There are more zero-day vulnerabilities discovered at a greater pace than ever before.” He also shared a new perspective that as technology improved to combat cybercriminals, we are likely uncovering more breaches that would have gone unnoticed otherwise.
Brandon added, “Even though outsiders commonly perform cyberattacks, it’s essential to inform and train your employees to stay alert. For example, be careful not to click on links or attachments from suspicious emails as they can be phishing attacks. Also, be aware that insiders themselves are potential threats. Unauthorized access – intentional or unintentional – is still a great concern. Many sources claim that insider threat is the number one cause for the majority of data breaches in healthcare.”
When asked about what lesser-known threats impact hospitals, Andrew mentioned extortionware. “Rather than encrypting data and holding it hostage to the user, threat actors are simply exfiltrating data, and threatening to release it to the media, the dark web, or an organizations clients, partners or patients.” This happened at a mental health facility in Finland, where actors extorted the clinic and followed up with their patients. This is some of the most personal data – patient records – possible.
Brandon also explained that the popularity of telemedicine is going to increase next year. “Along those lines, we continue to see more health-related technologies becoming more common and used. From Fitbit to Apple watches, and the many apps we have on our smart phones, health data has extended beyond the boundaries of a hospital or clinic. As technology continues to advance, our laws and regulations must address these areas of concern quickly. HIPAA is quite outdated and other laws and regulations often fail to answer these gray areas properly. This is why it is important for healthcare organizations to regularly audit their business associates.”
With new technologies posing threats and hackers becoming more sophisticated, breaches have become increasingly difficult to prevent. We asked Brandon what happens after a breach. “You will typically fine the amount of monetary damages in fines, and fees in articles. But what most reports fail to recognize is the loss of trust from patients – which is far more valuable and much more difficult to win back.” Andrew adds that during a breach, “emotions are high, communications systems may be down, and there is panic. The best thing you can do is prepare now.”
Yet, both Andrew and Brandon want to remind us that it’s not all doom and gloom. With the right preventative measures and investment in patient privacy, most breaches can be avoided. One tip from Andrew is to create an incident response plan before there’s a breach, get some help from experts and go through this planning exercise today. Branded added that artificial intelligence could also help. Brandon mentioned, “We [iatricSystems] now offer the solution AVA, that incorporates AI into our privacy monitoring solution. This increases the accuracy of identifying inappropriate access, while helping the privacy team reduce their investigation workload.”
So, whether you’re looking to bolster your defense against external threats, or improve patient privacy monitoring through automation, iatricSystems and our partner Field Effect have the resources you need to protect your organization from inside and out.
If you’ve found this information educational and want more, we encourage you to watch the full, on-demand session. If you’d like additional information about how to better protect your PHI, you can email us at info@iatric.com.
