Safeguarding Patients and Data in the Evolving Healthcare Cybersecurity Landscape

By November 28, 2016Health

As the healthcare system becomes increasingly electronic, it is necessary to examine the security measures that are in place to safeguard patients and their data. Not only are medical facilities and hospitals now using cyber information networks to communicate, medical equipment and devices are also linked to the web, and patient information files filled with confidential information are stored on computers and transmitted electronically. So what exactly is cybersecurity as it relates to safeguarding patients and their data in the healthcare system? First, it is important to distinguish between privacy and confidentiality. Privacy is defined as the right to both keep personal information from others as well as the right to determine how, why, and with whom personal information is shared. In contrast, confidentiality is the obligation to respect the privacy of patients. Violation of confidentiality can occur when private information is shared with others without patient consent. Unfortunately, hospitals, patients, medical device manufacturers, and more specialized service providers such as anesthesia management companies are all at risk of cyberattacks and thus focus must be put on safeguarding measures to protect patients and data.

In August 2016, an Arizona anesthesia services group notified over 880,000 patients of a potential data breach of protected health information. As is the case with many “potential” breaches, there was no evidence that the data on the computers had been accessed, though such access could not be ruled out as there was evidence that an individual had accessed a system that contained protected health information. The computer system that was accessed included patient names, limited clinical information, health insurance information, and some social security numbers. This cybersecurity breach of an anesthesia services group’s system is not unique among healthcare data systems. The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data conducted by the Ponemon Institute revealed that of the 91 healthcare organizations studied, over 90% had a data breach in the past two years and 45% had more than five data breaches. Additionally, the average cost of a healthcare organization data breach is over $2.2 million dollars.

Protected health information is not the only aspect of the health system that is vulnerable to cyberattacks. A two year study found that many types of medical devices, including drug infusion pumps, Bluetooth-enabled defibrillators, certain x-ray systems, and refrigerators storing key medical supplies, among others, can be hacked and manipulated by those with malicious intent. The study concluded that many hospitals are “unaware of the high risk associated with these devices […and] aren’t doing the testing they need to do”. The FDA and DHS have taken notice of this problem, issuing a warning to the health care industry about issues with devices including ventilators, pumps, defibrillators, and surgical and anesthesia devices, noting issues with hard-coded passwords in the devices. However, the one positive finding of this study involved ventilators and anesthesia equipment: while they might have security problems regarding passwords, they are generally not part of a cybernetwork and do not allow web access, making them more secure than other devices. However, the question of protection still remains: what can be done to help safeguard patients and data?

It is clear that the gaps in cybersecurity need to be closed in order to best protect patients and data in the healthcare system. Schumer Clinical Partners recommend ten different ways that hospitals can help safeguard their data, including establishing a security culture, protecting mobile devices, using a firewall, installing and maintaining anti-virus software, using strong passwords and changing them regularly, limiting network access, and controlling physical access. Another key aspect of keeping patients and data secure is having a plan for when the system is hacked. This way, healthcare organizations will know how to proceed in the event of a data breach and hopefully thwart the malicious attack quickly. Hospitals and health care providers need to work with manufacturers and medical providers such as specialized anesthesia management companies and ambulatory surgical centers to be sure that all parts of the system are secure with upgraded security systems and that everyone is using the tightest security protocols. These are just a few of the steps that must be taken to ensure that patient information and medical data are secure. Cybersecurity is of the utmost importance in this increasingly electronic and online healthcare system and thus must be thoroughly examined and implemented to ensure the highest levels of security possible.