Are Small Hospitals More Vulnerable to Data Breaches?
Hospitals face significant challenges in protecting patient data, and these challenges are even more acute for small community hospitals, which sometimes experience issues with staffing and lack of expertise.
The most obvious issue facing many hospitals is simply the age – and in some cases, the near-obsolescence – of their hardware. Outdated software such as Windows XP or old versions of SQL have security holes that cyber thieves can easily exploit. Even if a hospital runs more recent applications, it may not update them often enough. Software patches should be applied every 90 days, not once a year, as some hospitals do.
Many hospitals, especially in rural areas, don’t have sufficient health IT staff. Seven out of 10 providers report that their IT departments are understaffed, according to a survey by the Healthcare Information and Management Systems Society (HIMSS). The IT professionals in these facilities are so focused on day-to-day issues and putting out fires that they don’t have enough time to focus on big-picture issues such as data security strategy. While the national shortage of health IT workers is partly to blame, many smaller hospitals simply can’t afford to hire more staff.
Nevertheless, the security of protected health information (PHI) is not optional. For one thing, it is required for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Security breaches can also harm patients and lead to costly class action suits. Community hospitals must figure out how to up their security game without spending a lot more money on health IT.
Greater Security at Lower Cost
Hospitals can solve some data-security problems while reducing their in-house IT expenses by moving from on-site to cloud-based data storage. This approach gives hospitals always-available backup and disaster recovery capabilities. It also removes the need to maintain and update much of the hospital’s IT infrastructure, and it can save hospitals the cost of buying new hardware at regular intervals.
Transitioning PHI to the cloud greatly reduces security risks associated with employees and others having physical access to servers in an on-site center. With cloud storage, a rogue employee or criminal can’t simply open a door and damage or remove hardware.
The cloud also helps hospitals overcome the issue of having too few staff members dedicated to protecting PHI. Cloud providers have highly trained teams responsible for security as well as 24/7 monitoring systems. When using a cloud provider, a hospital “inherits” that company’s security posture and its technical policies and procedures to protect PHI. From reviewing audit logs to active patch management, administrative rights and access controls, cloud providers generally offer greater security than on-site client-server systems, because these tasks are what they specialize in.
Moreover, when a hospital hires a HIPAA-compliant cloud provider, the latter must sign a business associate agreement (BAA). Under a BAA, the cloud provider takes legal responsibility for safeguarding the PHI on its servers.
Security Risk Analysis Basics
Community hospitals, like other healthcare providers, must perform security risk analyses (SRAs) to comply with the HIPAA security rule. Some smaller facilities try to perform these analyses on their own, but that is a mistake. In most cases, they lack sufficient staff to do this work on a regular basis. They also lack the expertise required for this complex task.
Within the SRA are three “buckets” of safeguards:
The most important technical safeguard involves the encryption of data, not only when the data is in use, but also when it’s at rest and in transit. A key point here is that HIPAA regulations do not require PHI to be encrypted when the data is at rest. However, sophisticated hackers try to penetrate databases to steal the maximum amount of data, so failing to encrypt data can have serious consequences.
HIPAA requires healthcare systems to maintain exact duplicates of all records. The big question here is: How often do you back up your data? We recommend that hospitals back up mission-critical data daily and do full backups weekly. These backups need to be encrypted and kept off site. The advantage of daily backups is that, if a hospital is hit with a ransomware attack, it has lost at most one day of the data its providers need to deliver care.
One recent innovation that has made HIPAA compliance easier is a dashboard that monitors hospitals’ IT systems and alerts staff to any potential problems. Ideally, the compliance dashboard would track anti-virus, anti-malware and intrusion detection systems, along with audit reporting and raw logs of all operating system activity in one centralized location. A key portion of this dashboard is a HIPAA-compliance scorecard that maps a hospital’s compliance with HIPAA regulations, providing hospital administrators with a daily update on compliance status.
The most important part of an SRA is the remediation plan, which prioritizes issues and describes how to address them. Classifying risks into categories of high, medium and low concern, the remediation plan focuses on the highest risks and lays out the steps needed to improve security in those areas. This process is very educational for a hospital’s IT staff, who appreciate the ability to deepen their professional knowledge.
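As an added illustration of the backup cadence, the compliance scorecard and the high/medium/low remediation ranking described in the three paragraphs above (example code written here, not part of the original article or any vendor's product), this Python audit checks a constructed backup log for daily coverage, a weekly full backup, encryption and off-site storage, ranks the findings, and computes the worst-case data loss a ransomware attack could cause. The severity mapping and the sample log are assumptions.

```python
from datetime import date, timedelta
from typing import NamedTuple

class Backup(NamedTuple):
    day: date
    kind: str          # "full" or "incremental"
    encrypted: bool
    offsite: bool

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}  # assumed ranking, as in an SRA remediation plan

def audit_backups(backups, start, end):
    """Check a backup log for daily backups, a full backup each week, and encrypted
    off-site copies. Returns (findings ranked by severity, worst-case loss in days)."""
    by_day = {b.day: b for b in backups if start <= b.day <= end}
    days = [start + timedelta(n) for n in range((end - start).days + 1)]
    findings = []
    # Daily coverage: each missed day widens what a ransomware attack could wipe out.
    for d in days:
        if d not in by_day:
            findings.append(("medium", f"no backup on {d}"))
    # Weekly full: step through the period one calendar week at a time.
    for i in range(0, len(days), 7):
        week = days[i:i + 7]
        if not any(d in by_day and by_day[d].kind == "full" for d in week):
            findings.append(("medium", f"no full backup in week starting {week[0]}"))
    # Encryption and off-site storage: an unencrypted or on-site-only copy is the top risk.
    for b in by_day.values():
        if not b.encrypted:
            findings.append(("high", f"backup on {b.day} is not encrypted"))
        if not b.offsite:
            findings.append(("high", f"backup on {b.day} is not stored off site"))
    # Worst case: longest run of missed days plus the day always at risk since the last backup.
    worst, gap = 1, 0
    for d in days:
        gap = 0 if d in by_day else gap + 1
        worst = max(worst, gap + 1)
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))
    return findings, worst

def sample_log():
    """Constructed two-week log (not real data): one full, a missed day, one unencrypted copy, one left on site."""
    d0 = date(2024, 3, 4)
    log = [Backup(d0, "full", True, True)]
    for n in range(1, 14):
        if n != 6:  # day 6 (10 March) never ran
            log.append(Backup(d0 + timedelta(n), "incremental", n != 7, n != 12))
    return log

def audit_sample():
    return audit_backups(sample_log(), date(2024, 3, 4), date(2024, 3, 17))
```

Feeding a real backup system's job history into `audit_backups` turns it into the daily scorecard line the article describes; the ranked findings are the raw material for a remediation plan.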
While it may seem daunting at first, transitioning PHI to the cloud offers numerous advantages to hospitals and health systems, including lower costs, greater security and less liability exposure, when compared with on-site data centers. No hospital is able to mitigate every risk, but administrators can rest easier knowing that their data is secure with an experienced cloud provider. Staying out in front of hackers is always a race, but moving PHI to the cloud can help keep hospitals one step ahead.