BreachExchange mailing list archives

6 ways hospitals can ease patients’ fears about security threats


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 27 May 2015 20:00:15 -0600

http://www.beckershospitalreview.com/healthcare-information-technology/6-ways-hospitals-can-ease-patients-fears-about-security-threats.html

Data and technology have become integral parts of healthcare. They work
together to offer physicians a timely and precise glimpse into patients'
personal health.

They allow physicians to consult with patients and fellow doctors around
the globe. They allow medical records to be transferred and accessed with
the touch of a button. But they also make patients — and healthcare
facilities — vulnerable to cyberattacks.

New data breaches are making headlines every few days, affecting thousands
(if not millions) of American consumers. And the latest trend of
cybercriminals stealing personal information from insurance companies and
healthcare facilities has consumers more concerned than ever. It's no
wonder patient trust in healthcare security standards has taken a major hit.

If not improved, this distrust can have a significant impact on an
organization's bottom line and, ultimately, its long-term success. Because
healthcare isn't parting ways with data and technology anytime soon, it's
vital for facilities to find other ways to improve hospital-patient
relations and calm the fears of their concerned patients.

Where the data revolution and security collide

Technological advancements and data breaches practically go hand in hand.
While technology becomes more intuitive and practical, personal information
becomes more vulnerable and valuable. And no one is storing more personal
information than doctors, hospitals, and other healthcare facilities.

In early 2014, the FBI sent private messages to healthcare facilities,
warning that they were particularly vulnerable to cyberattacks due to
lenient security measures and the increasing value of personal health
information on the black market. This message forewarned what has been and will
continue to be a growing concern in data security.

Last year alone, the healthcare industry suffered 322 data breaches,
accounting for nearly half of all incidents in 2014. One major breach was
through Community Health Systems — a network of 206 hospitals spread
throughout the U.S. — where 4.5 million names and Social Security numbers
were stolen. Earlier this year, Anthem suffered a massive data breach that
could affect as many as 80 million customers.

So what makes the healthcare industry such a desirable target for
cybercriminals? The answer is simple: accessibility. Facilities are
gathering and housing more data than ever before. And the security
standards and infrastructures of most organizations aren't keeping pace.
The growing popularity of medical gadgets, healthcare apps, and electronic
health records is further contributing to this data vulnerability issue
because they're often improperly monitored and secured. In many cases, data
is still just too accessible to outside sources.

The harmful effects of security concerns

Typical data breaches are scary enough, but when confidential health
records are compromised, it's an invasion of privacy on a whole new level.
Suddenly, consumers are also concerned about their identity being stolen,
personal information being viewed by strangers, and private medical
conditions going public.

That's exactly why patients are beginning to give serious consideration to
the reliability of their healthcare providers' data security
infrastructures. In one survey, 76 percent of consumers reported being
worried about the safety of their medical data. Another recent survey
revealed that only 43 percent of surveyed patients thought their healthcare
providers were adequately protecting patients' electronic information.

This lack of trust can have huge consequences for healthcare providers. For
one, it can make doctor-patient communication even more difficult.
Fifty-six percent of surveyed consumers reported that their privacy and
security concerns would determine whether they "tell their doctors
everything." In a field where communication really can be a matter of life
or death, trust and honesty are vital.

The level of trust patients have in a healthcare facility can also directly
affect the organization's bottom line. Patients aren't willing to hand
their private information over to just anybody; they must feel like the
facility is secure and the workers there are trustworthy. If there's any
doubt about an organization's level of security, patients will look for a
different care provider. Data breaches and even small slipups can generate
enough bad press to send potential patients — and their money — straight to
competitors.

Luckily, healthcare facilities can combat declining trust by establishing
an organization-wide policy of transparency and open communication.
Transparency helps eliminate the unknown elements of healthcare that cause
existing and potential patients great concern. It helps patients understand
the measures that are in place to protect them and their data, putting
their minds at ease. And transparency empowers patients to talk openly
about their health and ask questions about how their data is being used,
stored, and protected.

But there's more to becoming a transparent organization than sharing the
news during consultations or sending out a few newsletters. It requires
facility administrators and staff to implement a series of changes that
inform patients that their data is being protected and to actually protect
it.

Boost patient confidence in your facility

Healthcare facilities are challenged with not only securing the growing
amounts of data collected every day, but also reassuring patients that
their data is safe. To achieve both goals, administrators need to:

1. Become a transparent organization. For patients to feel more confident
in sharing personal information, they must understand the purposes behind
data collection. Be open about the following data practices:

- Why patient data is being collected
- How it's being used to improve patient health
- What's done with information after it's collected — specifically, where
it's housed, how long it's kept, who has access to it, and whether patients
can access it themselves
- What's being done to keep up with changes in data, technology, and
security

2. Communicate security measures to patients. Getting more patients on
board with various data gathering and analyzing methods like EHRs takes
more than a signature on a waiver. Patients should also be informed of the
security practices that are in place to protect their information. Let
patients ask questions or voice concerns. Respond with reassurance, and
explain the ways these technologies not only help healthcare professionals,
but also benefit patients by improving the overall quality of care.

3. Emphasize employee education. An organization is only as secure as its
weakest link, which is why employees are often involved in data breaches.
Employee education should always be a major part of transparency and
security improvements. Personnel should not only understand which types of
information to protect, but also why and how to protect it. Emphasize ways
to avoid employee-targeted attacks — like phishing and social engineering,
for example — so employees don't fall victim to scams.

4. Establish strict behavioral policies for personnel. Set up policies for
privacy safeguards, security safeguards, and password management to help
personnel remember to protect patient and hospital data at all times.
Outline rules for keeping confidential information and records from being
leaked, sharing or posting staff user IDs or passwords, keeping devices
safe from both physical criminals and cybercriminals, and creating complex
passwords. Then, establish disciplinary actions for repeat infractions.

5. Invest in new security measures. Because technology and security are
constantly evolving, hospital infrastructures should be, too. Test new
technologies that limit the damage of attacks — like those that segregate
networks — and adopt what works best. Secure wireless networks to protect
from hackers, encrypt portable devices so data won't be accessible if
devices are lost or stolen, and replace outdated technology with more
modern, secure versions.

6. Develop data security and breach response policies. Having policies in
place will ensure that everyone throughout the organization is on the same
page about security standards. The policy should cover things like mandates
for the deletion of patient and organization information, audits of stored
information, and the process for vetting third-party vendors. It should
also outline a plan of action in the event that a data breach does occur,
highlighting how each department should respond to minimize damages.

Administrators at hospitals and other healthcare facilities are still
learning how to grow and adapt to the data revolution. It's taken a while —
and a number of high-profile data breaches — but most are finally beginning
to recognize the value that data brings to an organization and how
important it is to protect patient information. That's why now is the time
for organizations to rebuild consumer trust by focusing on making data
secure and security practices transparent.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
