Ten years ago most doctors still documented everything on paper; today more than 80 percent use Electronic Health Record (EHR) systems. More importantly, the majority of protected health information (PHI) is now stored in the cloud, which makes it more accessible to doctors and patients, but also to attackers and cybercriminals. Nearly half of patients say they are concerned about healthcare data breaches (Software Advice), which underlines how urgently medical facilities need to prioritize data security.
Although medical facilities have adopted the cloud and other new technologies, many still rely on outdated security practices to protect their data. That gap leaves weaknesses that outside attackers can target to steal sensitive and confidential healthcare data. The resulting breaches are extremely costly, not only to healthcare organizations but to patients and to government as well.
Below are the top four outdated healthcare security practices organizations need to address:
Trusting the security of third-party vendors
A recent Ponemon Institute survey found that 60 percent of companies still do not monitor the security and privacy practices of their vendors, despite the sensitive or confidential information they share with them. This is alarming given the rise in security incidents that originate with third parties. One example among many: in 2014 Boston Medical Center dismissed its transcription vendor, MDF Transcription, after hospital officials found that records of roughly 15,000 patients had been inadvertently exposed on the vendor's website. A vendor's access to PHI must be bound by the hospital's own security requirements (for HIPAA-covered entities, through a business associate agreement) and verified rather than assumed.
Using outdated software
Many healthcare organizations still use outdated technology and processes to manage patient and general data. Software that has reached end of life no longer receives security updates, so every vulnerability discovered afterward stays exploitable, which makes those devices ideal targets. A prime example is Microsoft's Windows XP, which has received no support or security updates since April 2014 yet is still running in many hospitals today. Older technology is far easier to exploit and puts patient health information at extremely high risk. Keeping software current is costly, but with the average total cost of a data breach estimated at $3.8 million, it should be treated as a mandatory investment. The first step is knowing what is actually deployed: an asset inventory that records operating system versions, checked against vendor end-of-support dates.
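As an added illustration of that inventory check (example code, not from the original article or any vendor), the script below parses a constructed asset export and flags every host whose operating system is past its vendor end-of-support date. The end-of-support table is a small hypothetical lookup for the example and should be verified against the vendor's lifecycle pages before use; hostnames and roles in the sample inventory are made up. Assets whose OS is not in the table are reported separately rather than silently treated as safe.

```python
"""Flag inventory entries whose operating system no longer receives security updates."""
import csv
import io
from datetime import date

# Vendor end-of-support dates. Illustrative lookup table only: verify against
# the vendor's own lifecycle pages before relying on it.
END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
    "windows server 2003": date(2015, 7, 14),
    "windows 7": date(2020, 1, 14),
    "windows 10": date(2025, 10, 14),
}

# Constructed sample inventory export (hostnames and roles are made up).
SAMPLE_INVENTORY = """hostname,os,role
rad-ws-01,Windows XP,imaging workstation
ehr-db-02,Windows Server 2003,database server
nurse-lt-07,Windows 7,nursing laptop
infusion-pump-3,VxWorks,medical device
admin-ws-11,Windows 10,front desk
"""


def normalize_os(name):
    """Lower-case and collapse whitespace so 'Windows  XP' and 'windows xp' match."""
    return " ".join(name.lower().split())


def parse_inventory(csv_text):
    """Parse a CSV export with at least 'hostname' and 'os' columns into dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit_inventory(rows, as_of=None):
    """Split assets into unsupported, supported and unknown-lifecycle groups.

    as_of is an ISO date string ('2016-01-01'); it defaults to today.
    Returns a dict with keys 'unsupported' (sorted by days past end of support,
    longest first), 'supported' and 'unknown'. Unknown means the OS is not in the
    lookup table, which is a finding in its own right: an asset nobody can say is
    patched should not be treated as safe.
    """
    today = date.fromisoformat(as_of) if as_of else date.today()
    unsupported, supported, unknown = [], [], []
    for row in rows:
        eos = END_OF_SUPPORT.get(normalize_os(row["os"]))
        if eos is None:
            unknown.append(row["hostname"])
        elif today >= eos:
            unsupported.append({
                "hostname": row["hostname"],
                "os": row["os"],
                "days_unsupported": (today - eos).days,
            })
        else:
            supported.append(row["hostname"])
    unsupported.sort(key=lambda r: r["days_unsupported"], reverse=True)
    return {"unsupported": unsupported, "supported": supported, "unknown": unknown}


def print_report(report):
    """Human-readable summary; the structured dict is what other tooling should consume."""
    for asset in report["unsupported"]:
        print(f"UNSUPPORTED {asset['hostname']:<18} {asset['os']:<22} "
              f"{asset['days_unsupported']} days past end of support")
    for host in report["unknown"]:
        print(f"UNKNOWN     {host:<18} lifecycle not in table, investigate")


if __name__ == "__main__":
    print_report(audit_inventory(parse_inventory(SAMPLE_INVENTORY)))
```

Run against a real export, the "unknown" list is usually the more uncomfortable finding: embedded medical devices and appliances with vendor-managed operating systems rarely appear in a patching programme, yet they sit on the same network as the EHR.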
Securing the network but not the devices
The shift to EHR systems and portable devices in medical facilities allows faster and more convenient access to patient data. Organizations tend to secure their network but not the devices themselves, making them easy targets for theft. An unsecured or unlocked device gives a thief instant access to patient health information; a laptop with full-disk encryption, a screen lock and remote-wipe capability gives up only the hardware. Under the HIPAA breach notification rule, lost PHI that was encrypted in line with HHS guidance is not treated as a reportable breach, while unencrypted data is. A breach compromises not only patient privacy but also the reputation of the healthcare organization, which often results in the loss of patients (Software Advice).
Not hiring enough skilled IT professionals
Hiring enough IT professionals with the skills to manage a hospital's data security is as important as investing in the right technology. The growth of data and technology in healthcare requires more staff to implement security controls and enforce compliance. Despite that need, 62 percent of healthcare organizations say their incident response budget has decreased or stayed the same. Medical facilities must raise IT security budgets if they want to manage that growth securely.
Keeping up with evolving cyberthreats is undoubtedly challenging, but hospitals and medical facilities must keep their security practices current. Innovation in healthcare has made hospital processes more efficient and helped health professionals serve patients better, but only for organizations that maintain current technology and properly enforce the required data security practices.