In recent years, professionals in the healthcare and financial services industries have been bombarded with stories in the media on the latest data breach. Typically, these stories detail instances where loss of billing information or clinical records have resulted in reputational damage, financial penalties, or a situation where customer trust is no longer present.
Unfortunately, it’s not a scare tactic by the cybersecurity industry to generate revenue. The threat is real, as there are many surveys and studies indicating that both industries are attractive targets for hackers seeking financial gain. This is achieved by using ransomware, phishing emails, social engineering (where the user is hacked to identify passwords) or using the gathered data for identity theft.
[click_to_tweet tweet=”Healthcare organizations take an average of 55 days to detect a breach and an average of 1,037 days to contain it.” quote=”…healthcare organizations take an average of 55 days to detect a breach and an average of 1,037 days to contain it.” theme=”style3″]
According to a recent study from IBM Security and the Ponemon Institute, the cost of a data breach per stolen record continues to rise from $380 in 2017 to $408 in 2018, a higher cost than any other industry. Becker’s Hospital Review refers to the same report, pointing out that healthcare organizations take an average of 55 days to detect a breach and an average of 1,037 days to contain it.
Obviously, with stats like these, vast improvement is needed. Patients expect their billing and clinical data to be protected. It is the responsibility of every practice, clinic and doctor to ensure that cybersecurity and data protection are integral parts of every process where personally identifiable information (PII) is used.
[[ Concerned that your healthcare practice’s IT may not be in HIPAA compliance? Download our free 37-point HIPAA IT Compliance checklist!]]
This is often easier said than done. Many smaller organizations rely on a ‘local IT guy’ for all their technology needs. Healthcare professionals are in the business of saving or prolonging lives and not always familiar with IT infrastructure configuration. For many, retaining a dedicated on-site IT team is not possible due to budgetary constraints and if they do have an in-house team, it rarely has the specialized security, compliance, and data protection expertise common to larger organizations.
Today’s technology landscape has created a plethora of potential threats and healthcare organizations and service providers, regardless of size, need to protect themselves. Let’s look at some of the daily workload currently assigned to IT.
Balancing Compliance and Day to Day Activities of the IT Team
Digital transformation is rapidly becoming the norm and paper-based documents are often only retained to satisfy regulations in some jurisdictions. Therefore, IT’s role has grown substantially, as computer systems are needed to run the business. Whether it’s scanning documents to digital formats, email, internet, smartphone apps, social media, practice management, x-rays, remote health monitors, setting appointments, teleconferencing, record storage, or billing, IT is involved every step of the way.
It’s certainly worth noting that for every additional feature in a practice, cybersecurity risks increase. The type of hardware and software used are each vulnerable to attack by savvy hackers if potential avenues of attack are not closed promptly. If software is installed by users without IT authorization (also known as shadow IT), it makes it much easier for hackers to gain access to the network.
In healthcare, compliance is also a requirement, with HIPAA (to protect patient data) and PCI-DSS (to secure credit card data) the primary concerns. Unfortunately, being compliant with both standards is no guarantee that your network and related data is secure. Without experience in healthcare processes and awareness of the resulting paths traveled by data, IT cannot effectively enhance security.
Healthcare IT Needs
Therefore, hiring a local service company, based solely on perceived convenience, can cause problems for a healthcare practice or clinic. Your ideal IT solution will satisfy all the following requirements:
- Has intimate knowledge of practice management and related processes and procedures–process optimization is not possible if IT does not understand the business, automate manual tasks where possible, and secure data every step of the way.
- Understands regulations and standards, especially HIPAA and PCI-DSS.
- Is qualified in IT and has technical services such as a remote helpdesk and network operations center (NOC) where network control/monitoring is performed.
- Is qualified in Information Security. Essential qualifications include CISSP (Certified Information Systems Security Professional), SCCP (Systems Security Certified Practitioner), and/or Security + (a CompTIA certification that proves competence in identifying and solving security threats).
- Can provide onsite users with security awareness training to prevent common threats. Releasing updates as new threats are identified is also recommended.
How likely is it that a small team has all the above expertise? Quite unlikely, especially if a smaller organization is involved, considering that yearly salaries for a team of this type are often high. This is the reason selective outsourcing is an attractive option.
Our support team has two separate departments, one for IT/Technical Services including remote helpdesk and the other defined as professional services, covering all areas of information security. This structure is different from most MSPs (managed service providers) who have the same engineers covering both IT and Information Security. We believe our approach to be more effective.
Managed vs Un-managed Support
It makes financial and operational sense to retain a managed service provider in areas outside your core area of expertise, especially when that core area involves healthcare. The benefits to your practice or clinic include but are not limited to:
- Saves money and time. Consider the annual salary cost of an onsite IT team and overtime costs for after-hours activities.
- Allows practice to focus on core expertise of saving and prolonging lives.
- Ensures compliance with relevant regulations and standards.
- Offers a complete solution in multiple disciplines with dedicated resources for data protection and IT.
- Offers a custom solution for each client, depending on activities and existing technology.
- Prompt installation of patches and security updates.
- Infrastructure analysis (mobile, IoT devices), data access and permission controls, cyber protection, and threat awareness and penetration testing.
- A plan for disaster recovery and business continuity in the event of a breach.
- Staff training for security awareness that educates on Human Error and Risk Management.
The last is a key concern as human error is a primary factor in data breaches, with a recent Verizon study, “2017 Data Breach Investigations Report”, confirming that 58% of data breaches in healthcare are caused by insiders. Shadow IT is a key example where insider threats can cause a breach.
In conclusion, healthcare organizations have much to deal with in their business activities. Add the constant threat of data breaches or the resulting penalties and reputational damage if a breach occurs and it makes sense to consider outsourcing some expertise that is currently lacking.
Wary of sales staff and their pitches? We approach things a little differently.
Discuss your organization’s objectives with our Director of Information Security. No sales staff and no sales pitch, just a free no-commitment consultation with a technology expert that knows your industry.
Contact us today to schedule your free consultation.
And if you found this blog helpful, please “Like It”!
All the best to you,
Victor