Following recent research showing that 83 percent of physicians report they have experienced a cybersecurity attack, AHIMA released a healthcare cybersecurity action plan to assist entities in preparing for potential threats.
Implementing an information governance program will be critical, AHIMA stressed. A holistic approach to data security can greatly assist organizations of all sizes in working toward keeping sensitive information secure.
Smaller healthcare organizations, such as rural hospitals or single-physician practices, can find it much more difficult to maintain HIPAA compliance, said AHIMA Vice President of Information Governance, Informatics, and Standards Katherine Downing, MA, RHIA, CHPS, PMP, CPHI.
“Oftentimes, those smaller organizations can’t necessarily hire full-time staff to manage privacy and security,” Downing told HealthITSecurity.com.
Those smaller entities are also working to transfer over to electronic health records and are likely finding it challenging to implement the necessary cybersecurity tools. Larger organizations cannot always prevent hacks either, which shows how much more difficult it could be for the small facilities, she said.
AHIMA was pleased though when the HHS Cybersecurity Task Force report released earlier in 2017 noted the need for information governance programs within the industry.
“Attackers coming in aren’t necessarily coming straight to an attack on the electronic health record,” Downing explained. “They’re often getting in through other systems. The Banner Health hack, for example, came in through the credit card machines in the cafeteria.”
“There’s just a lot more that needs to be done,” she continued. “It’s not just an IT issue. It’s very much a people, process, and technology issue; all three.”
Information governance is a broader view of information, Downing pointed out. By contrast, HIPAA regulation is focused on PHI, clinical information, or electronic health information. Information governance requires an entity to look at all of the organization’s information assets. This includes where all information is stored and even employee information.
“Information governance for healthcare includes all of our information users,” she stated. “A physician practice may be using a business associate to do billing or collections. Information governance is going to say that those vendors in the healthcare space need to also have a robust information governance solution program. It’s bigger than just the physician practice. It’s all of us and we’re all interoperable. We’re all sending information from here to there.”
“That is the ultimate goal related to patient engagement and reducing costs in healthcare,” Downing added. “But with that, we need a more broad information governance view.”
Risk assessments and information governance
A proper risk assessment is an essential step for creating a robust approach to cybersecurity, Downing said. Having the right information inventory and knowing where that information flows is the first part of performing a risk assessment, she added.
“The risk assessment piece under HIPAA doesn’t mean just your EHR,” Downing explained. “You’ve got other systems that are interconnected where that information is and unless you really understand where it is and where it’s flowing, you can’t do an accurate risk assessment.”
“Information governance would go even further to say, it’s not just about electronic health information,” she continued. “It’s about the paper and where the paper’s stored.”
Healthcare data breaches can happen because a physician stores medical records in a shed with just a simple lock on the door, Downing pointed out. Other times a data breach occurs because patient records are improperly disposed of in a dumpster.
Paper records are an important part of an organization’s overall information governance program, she stressed. Record retention on the whole – including paper and electronic – needs to be a key focus area.
“We cannot keep everything forever in the big data world that we’re in now with the electronic health records,” Downing said. “It’s not like it was before, where you take your records from 1930 and you store them offsite with a vendor and you just set them there and forget about them.”
“Now, you’ve got these electronic records,” she continued. “You have to back them up. You have to have a disaster recovery plan. You have to have a business continuity plan. You have to decide who has access. It’s a much bigger issue.”
Legacy systems can also create data security concerns with regard to record retention, Downing added.
“Systems that are outdated, out of their support framework, or the vendor is out of business or no longer supports it, organizations still have patient information in it. They need to maintain that.”
Cyber criminals will find outdated systems or unpatched software. Smaller practices in particular need to start understanding potential dangers with record retention and start destroying. This includes emails and even employee records, not just clinical records. All of those pieces could put an entity at risk, Downing warned.
Ensuring proper user access measures
Insider threats are also potential cybersecurity threats of which healthcare organizations must be mindful.
“The threats are real and they’re coming constantly,” Downing said. “The hackers may send out one million emails just to have one innocent person think they’re resetting their password. That employee goes in and puts their user ID and password in. Then, the bells and whistles go off on the hacker end because the hackers are in once they have that.”
Staff members who have administrative privileges must be especially careful, she added. Employees who are able to access sensitive data, log in to more systems, and even set up login privileges for other employees could inadvertently give hackers access to more information.
Covered entities must also ensure that employees only have access to information that they need for their specific job function. When staff members leave their position or leave the organization entirely, their credentials will also need to be updated.
“Access creep” is a challenge for healthcare organizations, Downing explained. This is when users have changed jobs and kept their old access, and then were given their new access as well. All this access keeps increasing, she said.
“The other kind of access creep is where you bring in a new system and you set everybody up with all this access,” she continued. “The organization may not really know how its work flow is going to be. Then, it goes live and two years later, people have access to things they don’t need access to. It could be setting up master code tables or even user access modifications.”
Privacy officers, security officers, compliance officers, and leaders across all of healthcare need to ensure that each individual only has access to information that is absolutely necessary. With the exception of one-off situations, such as when one staff member is on vacation and someone needs to cover certain tasks, organizations must remain vigilant.
“There are some risks that could be mitigated if we all did an access audit,” Downing concluded. “We really just need to look at not only what people are looking at, but what they have access to.”
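As an added illustration (not from the article or from AHIMA), here is a small access-audit script in Python that applies the two kinds of access creep Downing describes to constructed sample data: it flags grants a user kept from a previous role, grants that no current or prior role explains (the blanket-provisioning case), and departed staff whose credentials are still enabled. The role baseline, user records, and field names are assumptions.

```python
"""Access audit for the two kinds of "access creep" described above:
grants kept from a previous job and blanket grants made at system go-live.
All data below is constructed for illustration; field names are assumptions."""

# Baseline: the entitlements each job role actually needs (constructed).
ROLE_BASELINE = {
    "billing_clerk": {"billing_read", "billing_write"},
    "nurse": {"ehr_read", "ehr_write"},
    "it_admin": {"ehr_read", "user_admin", "code_table_admin"},
}

# Constructed user records: current role, previous roles, and live grants.
USERS = [
    {"id": "alice", "employed": True, "credentials_enabled": True,
     "role": "nurse", "prior_roles": ["billing_clerk"],
     "grants": {"ehr_read", "ehr_write", "billing_write"}},
    {"id": "bob", "employed": True, "credentials_enabled": True,
     "role": "billing_clerk", "prior_roles": [],
     "grants": {"billing_read", "billing_write", "code_table_admin"}},
    {"id": "carol", "employed": False, "credentials_enabled": True,
     "role": "it_admin", "prior_roles": [],
     "grants": {"ehr_read", "user_admin", "code_table_admin"}},
    {"id": "dave", "employed": True, "credentials_enabled": True,
     "role": "nurse", "prior_roles": [], "grants": {"ehr_read"}},
]


def audit_access(users, baseline):
    """Return sorted (user, finding, detail) tuples for every least-privilege gap."""
    findings = []
    for u in users:
        # Departed staff whose credentials were never disabled.
        if not u["employed"] and u["credentials_enabled"]:
            findings.append((u["id"], "departed_with_active_credentials", ""))
        needed = baseline.get(u["role"], set())
        for grant in sorted(u["grants"] - needed):
            # A grant explained by an earlier role is creep from a job change;
            # anything else points at blanket provisioning or a manual mistake.
            from_prior = any(grant in baseline.get(r, set()) for r in u["prior_roles"])
            kind = "creep_from_prior_role" if from_prior else "unexplained_grant"
            findings.append((u["id"], kind, grant))
    return sorted(findings)


def sensitive_holders(users, sensitive=("user_admin", "code_table_admin")):
    """Map each admin-type entitlement to every user holding it, whatever their role."""
    return {s: sorted(u["id"] for u in users if s in u["grants"]) for s in sensitive}


if __name__ == "__main__":
    for finding in audit_access(USERS, ROLE_BASELINE):
        print(finding)
    print(sensitive_holders(USERS))
```

In a real review the baseline would come from HR job codes and the grants from each system's user export; the script only shows the comparison logic.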