7 Ways You Can Protect Your Quality Data from Cyber Attacks
Cybercriminals want what you have: patient health information. But there are ways you can protect your quality data from ransomware and other cyber attacks, according to Medisolv’s Phil Holmes.
Another week, another data security breach at a hospital or health system. Not only is immutable information (such as name and date of birth) valuable to cybercriminals; they also recognize how valuable that information is to the victim. The task of protecting your quality data may seem daunting given what’s at stake, but simple measures can protect you, your quality reporting responsibilities, your patients and your patients’ health data.
In this post, I’ll explain why hackers want what you have and how, if successful, they can affect your job. I’ll also outline some practical steps you can take to keep cyber attacks at bay and minimize the damage they might cause.
Cyberattacks Put Quality and Safety of Care at Risk
First, let’s take a brief look at the current level of cybersecurity threats facing your hospital or health system. This comes courtesy of a new survey from the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS).
CHIME and AEHIS surveyed 60 chief information security officers (CISOs) who are members of either organization. Here’s what they said:
- 67% said they had a cybersecurity incident within the past 12 months
- 30% said a cybersecurity incident resulted in an EHR system outage
- 15% said they experienced an adverse patient safety event tied to the cybersecurity incident
- 10% said they had to divert patients to other care settings because of the cybersecurity incident
It’s clear from the CISO survey that the work of cybercriminals can directly affect your work as a quality leader at a hospital or health system.
Why Cybercriminals Covet Patient Health Data
There are two reasons your stock in trade—patient health information—is so valuable to hackers.
The first one is permanency. Unlike a credit card number or phone number, a Social Security number or a name, both of which are part of a medical record, cannot be changed. Armed with this information, a cybercriminal can commit identity theft, taking out loans or credit cards in the victim’s name.
The second reason is the data’s value to the victim. Your hospital or health system needs access to patients’ health information so clinicians can provide safe and effective care. You need that data to fulfill your quality reporting responsibilities to CMS and other payers. Your hospital or health system also needs it so it can bill payers for services rendered. That all means that your organization would be willing to pay a hefty sum to get that health information back quickly. Cybercriminals know that, putting what you have at the top of their list.
Perhaps of most concern to you is the prospect of losing access to patient health information due to a ransomware attack. Whether you lost access for 24 hours, a day, a week or a month, it would have serious consequences for you and your quality department. Your clinicians wouldn’t have the data they need to diagnose and treat patients. You wouldn’t have the data to build quality measures to submit to payers or accreditors. You would lose trend data to feed your quality-improvement programs. And even if you got your data back, you wouldn’t know whether its integrity was intact, and verifying it would soak up additional resources.
Seven Ways You Can Protect Your Quality Data
Given the consequences, it’s up to you and your quality department to do whatever you can to prevent a cybersecurity attack. Your department is particularly exposed because it spends most of its time on computers, which are the front door for most hackers. What can you do? Here are seven recommendations.
- Regularly audit your data security processes to ensure that everyone in your department is following established protocols for protecting and securing patient health information and your quality data.
- Regularly review who has access to patient health information and quality data in your department. Access should be given only to the appropriate people and limited to the data those people need to do their jobs. If someone leaves your department, shut down their access.
- Regularly train, educate and test your quality staff on how to recognize phishing emails and social engineering, in which a criminal tries to gain access by pretending to be someone else through an email, a text or even a phone call.
- Stay up to date on the latest cybersecurity threats and communicate them to your quality staff. The CHIME/AEHIS survey said the five biggest current threats are: phishing/email compromise; malware; ransomware; hacking; and insider threats. The five emerging threats are: Internet of Things/connected devices; increased remote workforce; supply chain; third-party consumer health apps; and API security.
- Make cybersecurity part of your workplace culture. You’re not just checking a box to say that your team has successfully completed its annual cybersecurity training. You as a quality leader or director must take an active role and set the tone for your department. For example, you should update your regular training, education and testing for the latest types of threats.
- Revisit processes, protocols, access, training, education, testing and threats with every change in your quality department. That could be a new EHR system, new software or software upgrade, a newly connected device or IT system or a new workflow to collect and submit an eCQM. Every change can create a new security gap that you need to fill.
- Ensure vendors are following proper security procedures. Vendors are also susceptible to cybersecurity incidents, and PHI can be lost or leaked through them. It’s crucial that quality providers ensure their vendors have adopted a common security framework, like Medisolv has with HITRUST.
Loop in Your Disaster Recovery Team Immediately
Obviously, no matter how much training you do, how many processes and protocols you follow and how strong your data security culture is, your patients’ data is still at risk. But acknowledging that risk, and planning for it, is a strength.
Your hospital or health system should have a disaster recovery team in place, and you should notify that team immediately of a cybersecurity incident. Any delay is likely to inflict more damage on your organization’s IT infrastructure. Ideally, the disaster recovery team regularly tests its processes and procedures so that data recovery occurs with minimal delay when a breach does occur.
Securing and protecting your quality data is the responsibility of everyone in your hospital or health system—including you. By following the recommendations above, you can meet that responsibility and continue to provide the optimum level of care to your patients without interruption.
Related: Learn more about the data privacy and security features embedded in ENCOR, Medisolv’s quality-improvement software platform.
Phillip Holmes is the Director of Security and Privacy at Medisolv, Inc.