The surgery waiting room was full by 7:30 am the day after a holiday, with a line out the door. The intake staff worked efficiently to check everyone in for their scheduled surgeries, but mornings are always busy. The surgeons had arrived two hours earlier to review patient charts and prepare for the day. The hospital hummed with activity. By 7:45 am intruders were roaming through the hospital’s network stealing data. Patient charts were exposed, including names, birth dates, social security numbers and diagnoses (and more). The intruders had arrived through email and were just beginning. They wouldn’t be discovered for weeks, after the damage was done.
When protected health information (PHI) is exposed, patient safety is compromised and patients are at risk for identity theft. HIPAA requires that covered entities keep PHI secure. What went wrong?
The Human Factor
Full HIPAA compliance requires covered entities and business associates to have safeguards to maintain the privacy and security of patient information. Today, most organizations can meet the baseline requirements with strong information technology and computer systems. But systems and technology are just the beginning. People need to learn how to fight off intruders.
Every expert we’ve ever read, every cybersecurity study, every security and law enforcement agency, always mentions cybersecurity awareness training for staff as a top mitigation strategy to prevent cyber crime. For more, see HHS.gov, CISA.gov or FBI.gov.
One Priority to Prevent the Largest Threat
Busy physicians, like everyone else who is busy at work meeting a schedule or working on deadline, are vulnerable to social engineering tricks used by cyber criminals. By far, the most common way that cyber thieves gain access to private networks is through phishing. They use it because it’s easy to implement and still works.
A recent article summarized five recent healthcare data breaches. Three of the five providers’ public breach notices stated that staff email was compromised.
BJC Healthcare in St. Louis, describing steps it would take to prevent similar intrusions in the future, stated:
“To help prevent something like this from happening in the future, the accounts were secured and we are reinforcing education on how to identify and avoid suspicious emails.” (italics added for emphasis)
Effective training needs to be relevant to the person’s job. It should be as important as professional education requirements, delivered frequently and conveniently to fit into busy schedules. It needs to be updated to fit with the latest research and cyber criminal tactics. We provide cybersecurity awareness training in The HIPAA E-Tool®. Another resource we recommend is TeachPrivacy, which has a comprehensive library of full HIPAA training on multiple subjects.
The surgeries that morning were all successes and the patients are on their way to recovery. The physicians are well-trained in their specialties because they’ve practiced and kept up with the latest medical developments. But they need more help and more training in cybersecurity awareness so that their patients’ data remains secure.