Combating the Big Security Risks at Small Hospitals

^{Cybercriminals target small hospitals because they often neglect cybersecurity. Image has been altered. Licensed from cherezoff - stock.adobe.com.}

Small hospitals are being targeted by cybercriminals, and they may not even know it. A recent meta-analysis of data breaches (PDF), which ran in this website’s sister publication, The American Journal of Managed Care®, found that 37 percent of small and 36 percent of medium-sized hospitals had suffered at least one data breach from 2009 to 2016. Yet a group of researchers questioned these findings, noting that smaller hospitals often lack the cybersecurity resources to detect data breaches.

>> LISTEN: The Artificial Intelligence Question

This means the problem could be even larger. IT security pros at community or smaller regional hospitals have difficulty getting the privacy and security resources and financial support they need to comply with the healthcare industry’s stringent regulations. This makes it harder to prevent and detect security incidents. How can organizations with lean IT teams gain certified compliance and security know-how to keep patient data safer?

Small Hospitals but Complicated Data Breaches

Executives at smaller healthcare facilities have limited budgets and must field requests from many departments. Some of their IT decision-making is based on the erroneous belief that they don’t need the same level of security as their larger counterparts. They can’t possibly be as attractive to cybercriminals as the big medical centers, right? But what they don’t know is that they are more likely to be targeted due to possible unaddressed security gaps.

Even though these hospitals are small, that doesn’t make their cybersecurity easy or straightforward. For instance, many healthcare systems are leveraging each other’s systems, especially after a merger or acquisition.

Another complicating factor is the adoption of cloud-based applications. Hospitals are now storing vast amounts of sensitive or proprietary information in the cloud. Smaller organizations are the gatekeepers to massive quantities of patients’ private health information but may not realize it. Privileged insiders like network administrators or users with elevated permissions have access to this information and may carelessly or maliciously misuse it, causing audits, exposure to risk and heavy fines.

Intermingled Patient Data

Large healthcare systems can afford strong privacy and security programs. This, in turn, allows them to better handle the full lifecycle of privacy and security incidents to drive risk out of their organizations. Attackers target community hospitals because they have weaker security measures, and the wider problem is that the attack compromises more than just their data. These facilities are actually connected to bigger hospitals through systems that enable them to gain access to the larger organizations’ data as well.

Patients and their caregivers benefit from the ease of electronic health records, but so do hackers. Patients of a community healthcare organization sometimes need to go to a larger organization for treatment. So, the organizations are sharing patient data. This creates greater risk, as it allows for even more people to have access to patient records. This trend is increasing as the industry pushes for more access to health records. How is your small hospital going to protect them?

3 Recommendations for Stronger Data Safety

Strong privacy and security are possible at small hospitals. Here are three main ways to create it:

1. Educate employees

There are multiple benefits to training employees in a way that creates a workforce culture that embraces compliance, security and accountability. Training users on security and regulations contributes to a successful strategy. Governing and sanctioning offenders strengthens accountability, but rewarding positive behavior will further strengthen your culture. The idea is to move toward preventing data breaches due to insider error rather than discovering them after the fact.

2. Monitor the cloud

Monitoring provides the benefits of greater visibility into usage and adoption, performance and compliance. By monitoring your cloud-based environment, you can avoid regulatory fines and business interruption and ensure trust among customers.

The more insight you have into how users are interacting with your applications, the more you can secure and optimize your business systems to produce the best outcomes possible.

Implementing a monitoring solution frees up IT professionals’ time so they can do the more meaningful and enjoyable tasks that they want to do on a daily basis. This is an added bonus that creates greater job satisfaction and increased productivity.

3. Outsource for expertise

If you are new to cloud monitoring, or if your organization just doesn’t have the IT bandwidth, work with a third party. This service is like having a mentor to lend expertise and help monitor your system. A third party takes that extra monitoring load off IT’s plate and educates the community hospital on the need to comply with compliance regulations. A service like this can train new employees and conduct ongoing, targeted training that is more efficient. A third party can see that a certain region or department had the most violations in a specific time period and then provide training on proper use to protect both patient data and the organization.

Visibility Brings Security

Healthcare organizations large and small live under the mandate of keeping patient data private and secure. Smaller hospitals find this harder due to limited financial and IT resources, but compliance and security are not out of reach. Implementing cloud monitoring can help prevent data breaches by increasing visibility into what’s really going on in the hospital’s digital landscape. Educating employees and working with a third party are additional ways to keep patient data safe.

As the director of sales and solution services at FairWarning, Brian Stone helps healthcare customers to quickly and easily solve major pain points related to securing and keeping private sensitive information stored in mission critical applications, as well as addressing crucial requirements detailed in data protection regulations globally.

Get the best insights in healthcare analytics directly to your inbox.

Healthcare System Neglect Is Top Cause of Data Breaches

How the Atrium Health Data Breach Unfolded

What to Do Before and After a Data Breach