Healthcare Data Security: Manual Incident Response is Not an Option

Guest post by Dave Willsey, CEO and co-founder, Integrify.

David Willsey
David Willsey

Data security is a top concern of every healthcare provider today. And for good reason. A recent news story from The Wall Street Journal reported that healthcare is “frequently cited as one of the industries most exposed to cyberattack due to large networks with numerous access points and vulnerable, legacy computer systems.”

If there is an industry more vulnerable to hackers today than healthcare organizations, you’d have to search far and wide to find it. Healthcare hacking is a growing problem.  It is a trend that will not change course anytime soon.

Unfortunately, hospitals and other providers present a target rich environment for criminals and malicious hackers. And, to make matters worse, a recent study by researchers at three leading universities concluded that additional threats are coming from within “the house” as clinicians and other staff are taking shortcuts and finding workarounds to security measures in an attempt to deliver better patient care.

The federal government response to this growing threat is two-fold: mandatory reporting of data breaches and financial penalties that sting when violations of protected health information occur.

When it comes to reporting and ensuring continuous improvement to guard against future risk to data security, the number-one best practice today is a well-conceived, executable and automated incident response plan (IRP).

The good news is seven-in-ten providers have an IRP in place. The not-so-good-news is most of those plans are based on manual, labor intensive, error-prone processes. What’s needed to step-up the game for healthcare providers is an automated IRP workflow process. Automation is the only way to protect your data as the threat continues to evolve in the future.

Secure data and information is the chief reason to automate IRP workflow. But ROI is another major business driver to invest in automation. Here’s why – you’ll get quick payback from more accurate information about threats and breaches sooner in the process before they get out of hand; your teams will be able to execute with rapid response times that lead to fast resolution when compared to manual processes; and, finally, automation will bring your leadership team and other key stakeholders a unique capability to apply analytics and intelligence to support and measure continuous improvement in critical processes against future threats.

Automated IRP can provide all users with a simple incident reporting tool across the healthcare ecosystem – if a doctor or nurse or someone in the pharmacy formulary, for example, notices a potential security issue, that user can immediately trigger an automated IRP process. This action would notify the front line responder teams who can then escalate a response if needed.

Effective incident response planning addresses three key areas – people, process and data. With people, it’s very important that the roles of each person handling patient data are well identified and this would include all clinical staff, billing and administrative personnel, insurance agents, IT personnel, outside vendors, contractors, and others.

When it comes to process, precisely articulating workflow is vital and this includes, as an example, workflows tied to patients entering the ER and the processes for admission, for diagnosing, and for discharging. Also identifying who is inputting information into the system and how is that information protected.

Finally, you need to segment different classes of data across the ecosystem. This would include ‘data in motion’’ that is moving through a network, including wireless transmission, whether by e-mail or structured electronic interchange. Also, ‘‘data at rest’’ that resides in databases, file systems, flash drives, memory, and any other structured storage method and ‘‘data in use’’ that includes data in the process of being created, retrieved, updated, or deleted. The final class of data that the Department of Health and Human Services referenced in the IRP is ‘‘data disposed’’ which would include discarded paper records or recycled electronic media.

One final thought about what it takes to succeed in today’s higher risk environment. A shift in mindset and culture is paramount. Whatever you have in place today when it comes to protecting patient information and data security is not going to be enough in the days ahead. The bad guys are always probing, testing, and looking for ways to exploit the system. And the good guys – your team and your colleagues – are inventing their own ‘homegrown’ workarounds in an effort to simply figure out ways to better serve patients without the perceived hassle of layer upon layer of security.

The shift that needs to occur is going from one that says we’ve put an IRP in place, now let’s move on.  Privacy and security are a process; not an event. Budgets need to reflect this reality and adjust to the growing threats out there in the world. Investment and continuous improvement are required.

No one can afford to get hacked or compromised today. If you and your team share this outlook, then it becomes a priority to invest in tools, such as automated IRP workflow, to step-up your response to growing threats to your data security.

Write a Comment

Your email address will not be published. Required fields are marked *