Sponsored Content
This content was paid for by an advertiser and created in collaboration with Crain's Custom Content.
February 27, 2016 12:00 AM

2016: The Year of Data Security

Christina Galoozis

    2016 is being deemed the “year of data security” in healthcare—if only because 2015 was a substantial wake-up call for the industry.

    Nearly 90 percent of healthcare providers have been hit by data breaches in the last two years, according to security research firm Ponemon Institute, with many large-scale and criminally driven attacks publicized in 2015.

    “Breaches resulting from intentional attacks are now approaching, if not exceeding, the number of accidental breaches, causing a more pronounced level of awareness and reaction from the industry,” says Ross D'Emanuele, a partner at Minneapolis law firm Dorsey & Whitney LLP who works with healthcare providers, payers and drug and medical device clients.

    Indeed, healthcare leaders are keenly focused this year on acquiring the resources necessary for protecting their organizations against a multitude of threats: viruses and Trojans, employee negligence, medical device hacking, hacktivists, nation-state attackers and criminal ransomware, to name a few.

    Assessing the Damage

    Through assessments, leaders are finding similar themes. For one, “built-in” security mechanisms among the hundreds of systems and vendors that work with a hospital do not amount to adequate protection—nor do they equate to a proper cyber security strategy. For another, their organizations do not have the data or systems to gain an accurate picture of their vulnerabilities—the level and types of attacks they're most susceptible to, as well as where the gaps currently exist.

    “The idea of being able to see attacks that occur—and being able to stop those attacks, instead of just building a high wall and blindly hoping nothing gets through—this is the heart of an active defense,” says Chris Williams, an enterprise security architect at Reston, Va.-based Leidos, which together with Cerner Corp. and Accenture won the 22-month Defense Healthcare Management Systems Modernization contract.

    Leaders are also finding that complying with regulations does not alone keep their organizations safe. “Paper compliance and setting policies is not security,” D'Emanuele says. “Security is the actual function of risk assessments, auditing information systems, training and training often.”

    The federal government is, encouragingly, leading a new charge into guiding healthcare through an industrywide data security upgrade. The $1.1 trillion omnibus bill signed by Pres. Obama in December calls on the U.S. Department of Health and Human Services, Department of Homeland Security and the National Institute of Standards and Technology to create voluntary guidelines and best practices for healthcare to follow. It also establishes a task force that will study how other industries combat cyber threats, while considering the challenges unique to the healthcare industry.

    Unique Challenges

    The challenges are as unique as they are many. To be sure, security standards reached in other industries can be adopted for certain technologies in healthcare, such as patient-identifying data or individual systems. But very few industries are trying to protect useful information that should be immediately and freely available to all who need it, says Jeffrey Short, attorney and practice group leader at Hall Render, an Indianapolis-based law firm that specializes in healthcare. He uses banking standards to illustrate the exceptionality.

    “A bank only needs to know the details of your account to hold your money properly,” Short says. “In healthcare, it would be as if Bank A needs to access a customer's records at Bank B in order to help the customer, i.e. the patient. There's too much interorganizational sharing of data in healthcare to adopt any one industry's approach to data security, finance included.”

    Additional challenges unique to healthcare include thin operating margins and decentralized operations. As margins become more challenging to maintain in the shift toward value-based care, most hospitals and health systems simply do not have the same resource allocation as other industries to spend on massive cyber security systems, consultants and other infrastructure. Compound that with a decentralized organizational model in which each department operates differently, uses different equipment and manages hundreds of vendors. “It's almost as if you have a dozen types of businesses operating within one enterprise, all with different types of risk,” D'Emanuele says.

    What to Do Now

    The good news? Healthcare is getting more serious, and more informed, about data security. Eighty-five percent of healthcare providers have discussed cyber security at the board level, according to a cyber risk study conducted by KPMG, and 69 percent of healthcare organizations have a formal incident response plan for cyber attacks, according to the Ponemon Institute study.

    A data security framework is not a modest undertaking, but the following four steps are agreed to be imperative to the process:

    1. Educate yourself and your institution at a high level. Make data security a board- and management-level priority that permeates throughout the organization. And fully understand the implications of postponing your data security position any further.

    2. Discover and decide what threatens your organization specifically. Threats vary among different types and sizes of healthcare organizations. While criminal attacks may be the most dangerous threat against large health systems, employee negligence is still the most common type of breach, and may be a top priority for organizations like physician groups or home care agencies. Audit your organization's processes, technology capabilities, standards governing vendors and employees, and more. In many cases, an outside assessment is the best way to get an accurate and valuable perspective on your data security position.

    3. Allocate resources. Cementing your data security position should not require a bloated budget. “I see organizations spend millions on cyber security and have an utterly ineffective defense, and then I see organizations that spend pennies and have a very effective defense,” Williams says. That said, Short recommends determining the resources that are necessary, not the resources that are available, to getting the job done. “There's a big enough gap there in most organizations to demonstrate that they need to up their game,” Short says.

    4. Design a response plan. Even when organizations put forth their best effort, data breaches will occur. Most experts agree—it's not a matter of if, but when, your organization must handle a cyber incident. The key is having a response plan in place that involves the following stakeholders: legal counsel, compliance officers, public relations, your cyber security partners, information security, and in many cases the CEO and CFO, who should be present to fully understand the evaluated risk and exposure.

    It's both cost-effective and smart to rely on outside standards such as HITRUST (developed by a cohort of leading healthcare organizations) to guide your organization through these steps—and at every point of change in your organization's future. Not only does this allow your organization to focus on patient care and services, it also helps your organization stay up-to-date in assessing and addressing new threats that arise every day.

    Modern Healthcare
    Copyright © 1996-2023. Crain Communications, Inc. All Rights Reserved.