Protecting Patient Data: Cybersecurity Pro Tips from HBR

You could be forgiven these days for thinking that there was a large-scale health care data breach every other day, given how thoroughly they’ve dominated headlines. Indeed, a recent Accenture study found that 26 percent of Americans have had their data breached. And it’s only been a few weeks since the “WannaCry” ransomware attack caused chaos around the world, including for health care organizations; along similar lines, a Carbon Black study found that a majority of patients would consider leaving a health care provider who experienced a compromising ransomware attack. A common thread after breaches has been experts urging health care organizations to take cybersecurity more seriously. To that end, Harvard Medical School professor and physician Dr. Rebecca Weintraub, along with Joram Borenstein of NICE Actimize, offers a series of 11 recommendations in Harvard Business Review that organizations can implement to ensure that their patients’ data is protected from cyberattacks.

Pointing out that the health care industry loses approximately $5.6 billion per year from breaches, Weintraub and Borenstein note that statistics like this “should be a wake-up call for the entire industry.” What’s more, the fact that “health care organizations have been slow to adopt practices that have worked for other industries” has only worked in thieves’ favor. So how can organizations work to improve security? To begin with, Weintraub and Borenstein suggest ensuring that all health care data is encrypted, and restricting access to health records. Organizations should also purchase cyber insurance, which is common in the financial services industry. Also important: training on cybersecurity protocols for employees, and limiting access to patient electronic health records. As the authors explain, “Human error, including falling for phishing attacks, is the leading cause of major security breaches today.”

Other key steps for organizations include the use of multifactor authentication, the use of “tokenization” (or “substituting sensitive data with other unique but nonsensitive data”), and even potentially adding chips similar to the ones used in credit and debit cards to insurance cards. Borenstein and Weintraub also see potential in blockchain and biometric-based security measures. At the federal legislative level, the authors suggest (as others also have recently) that the Health Insurance Portability and Accountability Act (HIPAA), which became law in 1996, should be updated to reflect modern cybersecurity risks. And, importantly, at the industry level, they encourage collaboration and the sharing of best practices: “Protecting patients’ health information in accordance with HIPAA will take a highly coordinated effort among care providers, insurers, and institutions, as well as significant investments in new tools and practices,” the authors assert.
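Tokenization as the authors define it, shown as an added example that is not from the HBR article or this post: a small Python vault that swaps patient identifiers for random tokens, so downstream systems can work with records that carry no real identifiers. The role names and record fields are assumed placeholders, not anything the article specifies.

```python
# Added example: a minimal tokenization vault for patient identifiers,
# i.e. "substituting sensitive data with other unique but nonsensitive data".
import secrets
from typing import Dict, Optional

class TokenVault:
    """Maps random tokens to the sensitive values they stand in for.
    In production the vault is an access-controlled, encrypted store;
    here it is an in-memory dict to keep the example self-contained."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Reuse the existing token so one patient ID always maps to one token,
        # letting downstream systems join records without seeing the real ID.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from value
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str, role: str) -> Optional[str]:
        # Only roles with a need to know may recover the real value;
        # the role set is a hypothetical stand-in for real access control.
        if role not in {"billing", "clinician"}:
            return None
        return self._token_to_value.get(token)

def tokenize_record(vault: TokenVault, record: dict) -> dict:
    """Replace the sensitive fields (assumed names) of a patient record."""
    out = dict(record)
    for field in ("ssn", "mrn"):
        if field in out:
            out[field] = vault.tokenize(out[field])
    return out

if __name__ == "__main__":
    vault = TokenVault()
    patient = {"name": "A. Example", "ssn": "123-45-6789", "mrn": "MRN-0001"}  # constructed
    safe = tokenize_record(vault, patient)
    print(safe, vault.detokenize(safe["ssn"], role="billing"))
    print(vault.detokenize(safe["ssn"], role="marketing"))  # None: role not permitted
```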

Click here for the article on cybersecurity best practices from Harvard Business Review.
