If you Google “healthcare data security,” you’ll find the news results saturated with headlines announcing more and more data breaches—and it seems each one affects more patients than the last.
Personal, confidential, and protected information is being lost or stolen at an alarming rate in the medical industry. This is, to a certain extent, simply a byproduct of the world we live in today.
Technology is an incredible tool that has improved the quality of medical care delivered and even saved lives. But increased adoption does have a downside: namely, the vulnerability it creates for sensitive data and increased risk of things like identity theft and credit fraud for patients and ransomware attacks for practices.
This is exactly why every healthcare provider that deals in patient data—meaning all of them—must take certain precautions when it comes to protecting their data.
But what are the right healthcare data security measures to take?
That’s a question we wanted to answer by surveying healthcare providers: 130 small practices with five or fewer licensed providers and 129 large practices with six or more providers.
We wanted to understand how small and large practices compare when it comes to the issues they’re facing and the security measures they’re taking to develop recommendations for small practices that are still developing their healthcare data security plans and processes.
We also spoke to Zach Capers, a senior content analyst at GetApp where he researches and writes about data security and technology trends. You’ll see his commentary and insights throughout this report.
Here are a few key findings from our survey:
- The vast majority of patient data is now stored digitally: Nearly half of both small and large practices digitally store at least 90% of their data, including patient billing information and medical histories.
- Breaches are common and human error is often to blame: A third of large practices (33%) have experienced a data breach within the past three years, and over half (51%) of these breaches were caused by human error.
- Data and security training is minimal: A quarter of large practices (25%) and 42% of small practices spent no more than two hours on IT security and data privacy training in 2021.
- Most practices aren’t prepared to handle a cybersecurity event: 49% of small practices and 15% of large practices don’t have a codified plan of action in the event of a data breach or cyberattack.
With 90% of medical data now stored digitally, the risks are huge—training can help
One of the most basic explanations for why practices are vulnerable to any type of healthcare data breach is the sheer amount of data they store digitally.
The majority of both small and large practices said that between 81 and 100% of their data (including and especially patient data) is stored digitally.
This makes sense, as storing data in the cloud is convenient and efficient—not to mention an easy way to ensure HIPAA compliance. But it’s also leaving a lot of private patient data vulnerable to breach or attack.
In our survey, we asked practices about the rate of data breaches and found that one out of every four (23%) small practices has experienced a data breach. And nearly half of all large medical practices in total (48%) reported experiencing a data breach.
What’s more interesting, though, is what we found when we drilled down to learn the cause of these data breaches. Human error has been identified as a leading cause of many healthcare data breaches, so we asked our survey respondents whether it was a factor in theirs.
For 46% of small practices and 51% of large ones, it was.
These data points show how imperative it is to train employees on strict data and information security protocols (which we’ll go into more detail on later). Data security doesn’t lie in software protection alone; practices must defend their data on multiple fronts.
“Large practices store mountains of sensitive data, have complex attack surfaces, and tend to be highly targeted by cybercriminals. Small practice vulnerabilities are often tied to a lack of IT personnel and fewer resources devoted to employee security training.”
Ransomware attacks aren’t dire if you prepare for them
In addition to learning about incidental security breaches, we wanted to assess the true threat of nefarious ransomware attacks in the healthcare industry.
These coordinated attacks have been in the news a lot in early 2022, and one of the largest active ransomware groups recently announced its intent to take “retaliatory measures” against the U.S. for making moves against any of Russia’s critical infrastructure.
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and United States Secret Service recently reissued a warning regarding the Conti Ransomware Group, as well as an updated list of indicators of compromise for all healthcare organizations to check.
To learn how serious the threat of ransomware attacks is, we asked how many respondents in our survey had experienced one.
Although most practices did not report a ransomware attack, the risk today is significant: 22% of small practices and 45% of large practices said they have experienced a ransomware attack at some point.
“Healthcare companies tend to suffer fewer ransomware attacks than businesses in other industries, mostly owing to mature data protection practices resulting from decades of heavy regulation (e.g., HIPAA).
But healthcare companies must recognize that today’s ransomware schemes are evolving rapidly and the strategies that have protected sensitive data in the past may not be sufficient for emerging attacks, such as those that target connected medical devices.”
And the strategies used to resolve ransomware attacks (for those practices that have experienced one) are worth noting.
There is a real risk of never recovering your data if you suffer a ransomware attack. Both small practices (14%) and large practices (11%) permanently lost their data after either making no attempt to pay the ransom or paying but still not recovering their stolen data.
While the number of practices that told us they paid a ransom was low, we did ask about the cost they incurred. Two small practices paid between $5,000 and $10,000, and another two said they paid $50,000 to $100,000. The payouts were more varied for large practices, but the largest group (consisting of three practices) said they paid between $10,000 and $25,000 to recover their data.
But our survey shows that paying the ransom or taking no action aren’t the only options; there are other methods that can help with data retrieval. In fact, our data shows that neither of the top two resolutions for both small and large practices involved paying a ransom thanks to their ability to decrypt data or recover lost data using backups. This goes to show the incredible value of investing in tools like a cloud-based EMR, which enables decryption and data backups.
Since healthcare practices have seen success with methods other than paying ransoms to recover stolen data, we wanted more information about their fear threshold as well as specifics on where they’re investing to protect themselves.
Large practices worry more, spend more time training for security breaches
In an effort to understand what fears healthcare IT professionals have, we asked survey participants how worried they are about several types of security threats.
Overall, the majority of both small and large practices are only “somewhat worried” about each of these risks, which indicates a healthy level of respect for the threats they’re facing today.
We did find that larger practices are more worried about all four of these potential data threats than IT representatives at smaller healthcare organizations.
The most notable differences were:
- Ransomware attacks: 54% of large practices were “extremely” or “very” worried vs. 44% of small practices
- Improper disposal, loss, or theft of equipment: 51% of large practices were “extremely” or “very” worried vs. 40% of small practices
One area that both small and large practices seemed equally worried about is unauthorized access or disclosure of sensitive data. And while this risk can be directly addressed with employee training, we found that practices spent a surprisingly small amount of time doing this very thing in 2021.
While most practices spent between two and five hours on IT security and data privacy training last year, a quarter of large practices and 42% of small practices said they spent no more than two hours training on these practices.
That’s a surprisingly low amount of time, especially when you consider the financial risk practices assume in the event of a security breach or ransomware attack. This led us to wonder whether practices spend so little time on training because they feel confident in the tools they’ve chosen to protect themselves.
Tools practices are using to protect themselves
Training employees is only one aspect of a complete data security plan. Another equally important element is investing in the best possible tools for the job.
We asked practices which software tools they use to protect their data from threats, and found a good bit of overlap between small and large practices. If large practices are meant to be the example smaller practices follow, though, there are a few gaps that could be corrected.
More small practices than large ones are spending money on antivirus software, which suggests small practices may want to reduce their budget in this area and shift funds to the tools that larger practices are more heavily invested in, such as email security and network security software.
To be clear, you should have antivirus software in place to protect your practice. But rather than buying the most expensive antivirus software available, consider opting for a less expensive option to free up budget to invest in other tools (such as a VPN or network security software) that will create a more robust security environment.
Biometric security tools are another area worth consideration. We already know these types of devices are helping consumers deal with the pandemic, but how much are they helping healthcare organizations protect themselves?
Only 19% of small practices and 39% of large practices in our survey said they use any biometric security tools at all; among those that do, fingerprint technology was the most popular.
Based on overall survey results, though, our strongest data security software recommendation would be investing in two-factor authentication.
Using 2FA is a highly recommended password practice for any account that contains protected health information. It’s definitely something healthcare providers should be utilizing, and many are.
Well over half of practices use it for at least some applications, and 20% of small practices and 26% of large practices use it for every application. This is a wise decision, especially considering that about a third of IT professionals from different industries said weak password management was a key contributor to security breaches.
“Passwords alone, even strong ones, are insufficient for securing sensitive healthcare data. Medical practices must use two-factor authentication not only to protect access to data, but also to prevent cyberattacks such as account takeover and to ensure compliance with HIPAA requirements for secure access to electronic protected health information (ePHI).”
How small practices can keep up without spending more money
Throwing money at the problem of data security is certainly one way to address it, but it’s not the most effective (or even the smartest) option.
Paying for every data protection tool available isn’t a wise option as it leaves you vulnerable to other avenues of attack or breach, such as incidental exposure or human error. Instead, remember that you must guard yourself on multiple fronts:
- Train employees to prevent incidental exposure
- Invest in the right security tools to protect your data
- Develop a plan of action to help mitigate damage in the event of a breach or attack
Remember how 19% of small practices spent less than an hour on data security training in 2021? That’s not enough time. Training is a huge component of a prepared and protected healthcare organization.
To supplement employee training, it’s a good idea to review who has access to what data. For example, we found that 52% of small practices in our survey allow employees access to more data than is required to perform their jobs.
By strategically limiting the amount of patient data employees can access based on their responsibilities, you can also limit the risk of an incidental exposure or breach. And by properly training employees on how to handle the data they do have access to, you can protect your practice even more.
“Healthcare providers can mitigate data breaches by employing the principle of least privilege. In other words, limit data access only to employees who need it to do their job using strategies such as data classification and role-based access control. This reduces the chances of inadvertent data leaks and limits the severity of credential-based attacks.”
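As an added illustration of the approach described above (data classification plus role-based access control, deny by default), here is a small Python model of access checks for a practice's patient records. It is example code written for this report's recommendations, not code from Software Advice or from any EMR product; the roles, classification tiers, field mapping and the sample record are all constructed. It also records every denied request in an audit list, which supports the "review who has access to what data" step mentioned earlier.

```python
"""Least-privilege access checks for a small practice's patient records.

Added example for illustration; it is not code from the report. The roles,
classification tiers, field mapping and the sample record are all constructed.
"""
import datetime as dt
from dataclasses import dataclass
from enum import Enum


class Classification(Enum):
    """Data classification tiers used to label each record field."""
    INTERNAL = "internal"      # scheduling and contact details
    PHI = "phi"                # protected health information
    FINANCIAL = "financial"    # insurance and payment data


# Classification assigned to each field of a patient record (constructed).
FIELD_CLASS = {
    "name": Classification.INTERNAL,
    "appointment": Classification.INTERNAL,
    "diagnosis": Classification.PHI,
    "medications": Classification.PHI,
    "insurance_id": Classification.FINANCIAL,
    "card_last4": Classification.FINANCIAL,
}

# Role -> (classification, action) pairs the role may perform. Anything not
# listed is refused, so a new role or a new field starts with no access.
ROLE_PERMISSIONS = {
    "front_desk": {(Classification.INTERNAL, "read"),
                   (Classification.INTERNAL, "write")},
    "nurse":      {(Classification.INTERNAL, "read"),
                   (Classification.PHI, "read")},
    "physician":  {(Classification.INTERNAL, "read"),
                   (Classification.PHI, "read"),
                   (Classification.PHI, "write")},
    "billing":    {(Classification.INTERNAL, "read"),
                   (Classification.FINANCIAL, "read"),
                   (Classification.FINANCIAL, "write")},
}

AUDIT_LOG = []  # one line per denied request, kept for access reviews


@dataclass
class AccessDecision:
    allowed: bool
    role: str
    field_name: str
    action: str
    reason: str


def check_access(role, field_name, action):
    """Decide whether `role` may perform `action` on `field_name`.

    Fails closed: unknown roles, unclassified fields and unlisted actions are
    all denied, and every denial is appended to AUDIT_LOG.
    """
    if field_name not in FIELD_CLASS:
        decision = AccessDecision(False, role, field_name, action, "unclassified field")
    elif role not in ROLE_PERMISSIONS:
        decision = AccessDecision(False, role, field_name, action, "unknown role")
    else:
        tier = FIELD_CLASS[field_name]
        if (tier, action) in ROLE_PERMISSIONS[role]:
            decision = AccessDecision(True, role, field_name, action,
                                      f"{tier.value} {action} granted")
        else:
            decision = AccessDecision(False, role, field_name, action,
                                      f"{tier.value} {action} not in role")
    if not decision.allowed:
        stamp = dt.datetime.now(dt.timezone.utc).isoformat(timespec="seconds")
        AUDIT_LOG.append(f"{stamp} DENY role={role} field={field_name} "
                         f"action={action} ({decision.reason})")
    return decision


def filter_record(role, record):
    """Return only the fields `role` may read; other fields never leave the store."""
    return {k: v for k, v in record.items() if check_access(role, k, "read").allowed}


def readable_tiers(role):
    """Classification tiers a role can read, for periodic 'who sees what' reviews."""
    return sorted(t.value for (t, a) in ROLE_PERMISSIONS.get(role, set()) if a == "read")


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "name": "Pat Example",
    "appointment": "2022-03-01 09:30",
    "diagnosis": "seasonal allergies",
    "medications": "loratadine 10 mg",
    "insurance_id": "EXAMPLE-0001",
    "card_last4": "0000",
}

if __name__ == "__main__":
    for role in ROLE_PERMISSIONS:
        print(role, "->", list(filter_record(role, SAMPLE_RECORD)))
    print("\n".join(AUDIT_LOG))
```

Two design points carry the weight here. First, the filter runs on the server side of the record store, so a front-desk account never receives diagnosis or payment fields it could accidentally expose. Second, denials are logged rather than silently dropped; a periodic read of that log, together with `readable_tiers()` for each role, is a cheap way for a practice without dedicated IT staff to spot roles that have grown wider than their job requires.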
Investing in security tools
No, not every small practice really needs to be able to scan providers’ irises in order for them to access every electronic health record. That’s excessive. But every small practice should have basic tools such as firewalls and two-factor authentication in place to protect all their digital data and patient information.
The key here is to understand where you fall on the spectrum of risk, and then pick the tools or platforms that give you the most data protection.
To do this, you could consider reaching out to a healthcare cybersecurity consulting firm to have an outside expert assess your level of vulnerability and make recommendations based on their findings.
Or, if you feel your team is capable of conducting a thorough assessment, do it on your own. Either way, it’s important to make this process as objective and comprehensive as possible.
Developing a plan of action
Finally, you have to make a detailed response plan to limit the amount of damage you’ll incur in the event of a data breach or an attack.
In our survey, one in five representatives from small practices didn’t know if they had a formal cybersecurity incident response plan in place, and another 49% said definitively that they did not.
You must have a formalized process in place for all employees to follow in the event of a cybersecurity incident. Once you have a plan in place, you should bring everything full circle by ensuring your employees are properly trained on how to follow the plan.
“An incident response plan is key, especially for healthcare organizations where every second of downtime is critical. It’s absolutely essential to have a communication strategy in place so that key stakeholders can react quickly during a crisis.”
Digital healthcare isn’t going away anytime soon. In fact, we’re sure to see even more adoption of cloud storage and remote medical tools in the coming years. That’s good news, but the increased rate of cyberattacks and data breaches it presents is worth keeping an eye on.
By following these three healthcare data security principles and protecting your organization in the right ways, you can safeguard your patients’ data as well as your practice against the possibility of security incidents.
Software Advice conducted this survey in February 2022 of 259 healthcare providers. We used screening questions to narrow the respondents down to those who currently work at U.S. practices and are at least partially responsible for IT management and/or data security.
We divided our respondents into small and large practices according to the number of licensed healthcare providers currently working there. Small practices have one to five providers; large practices have six or more providers.