The advent of electronic health records has greatly benefited the healthcare industry in both the United States and Canada. With wider access to patients’ medical files, physicians can call up critical information during a medical emergency and share those records with fellow doctors if a patient needs to seek treatment at another hospital. However, like any other digital medium, the move to a networked database has resulted in massive cybersecurity concerns as healthcare administrators struggle to protect sensitive patient data from being accessed by hackers.
One of the most successful motivating drivers for cybersecurity best practices adoption in the healthcare field has been the implementation of federal regulations stipulating what measures hospital personnel should be taking to secure patient data. In the United States, passage of the Health Insurance Portability and Accountability Act has influenced numerous medical facilities to bolster their network defenses. If an administration fails to do so, it may receive a substantial fine from the federal government.
U.S. officials want to make those regulations even more stringent by shortening the window within which a facility can report a data breach. The U.S. Department of Health & Human Services recently proposed that those federally facilitated exchanges that were created through the Affordable Care Act, along with any organizations working in conjunction with them, should be given no more than an hour to report a data breach once it has been discovered.
The need for greater governance
The proposal calls for greater cybersecurity governance from members of the healthcare community. As has been witnessed on multiple occasions, establishing a culture of threat awareness and ensuring that employees adhere to data security best practice. For instance, British Columbia’s Health Ministry was reprimanded for failing to have the necessary controls and defenses in place to properly secure patient information. According to then-health minister Margaret McDiarmid, several ministry employees were discovered to have accessed millions of sensitive medical records and handed them over to contracted researchers last year. A report on the incidents released by British Columbia Privacy Commissioner Elizabeth Denham stated that the ministry lacked suitable security and privacy measures as outlined by Section 30 of the Freedom of Information and Protection of Privacy Act.
In addition to fostering cybersecurity governance, medical officials should ensure that they deploy a comprehensive suite of applications to address a range of potential threats. For example, application control software can be leveraged to prevent unknown and potentially malicious programs from running on a hospital workstation. These whitelisting utilities can block threats such as zero day viruses from accessing the hospital servers that house sensitive medical information.