You don’t have to be a Denver public relations pro to know that cyber security is keeping healthcare executives up at night. Just ask the IT security experts who spoke at a recent Prime Health cyber security conference in Denver. All agreed that the threat to healthcare organizations from data breaches, ransomware and lawsuits is very real. So why doesn’t everyone have a crisis communications plan? Why do so many healthcare organizations keep their heads buried in the sand?
According to the Prime Health panelists, ransomware is a major threat. Identity theft is a big reason for healthcare hacking because electronic medical records can be easily monetized. We don’t monitor Medicare numbers like we do credit reports, so selling Medicare numbers is big business. It’s an easy way to get a lot of information, including government information and prescription records that foreign intelligence agencies love to steal. From organized crime to espionage, if your system is vulnerable they will find a way to exploit that vulnerability.
The easiest way into your system is through what the panelists called stupid human problems. Typically, an unsuspecting employee opens a phishing email that looks like it comes from a boss or colleague. Now the door is wide open. The email might come to the employee through a personal email address or mobile app. Maybe it targets a mobile device or home computer since more and more work gets done remotely. It’s like leaving the key in the front door when you leave your house.
Oh, and that medical device in your OR that you thought was secure? All it takes is a surgeon bringing in some medical imaging on a flash drive and inserting it into a monitor. Now the system is infected and the hackers have access to all your medical data.
Are you using an old version of your software without the latest security patches? Are you using open source software that allows hackers access to your source code? Does your credentialing system allow passwords to be easily stolen and did one of your employees unwittingly share his password with a cyber thief?
Hopefully by now you are asking yourself, “Hey, do we have a crisis plan?” Because when you demand that your patients hand over their credit card, driver’s license and insurance card, you are implying that their personal financial and medical data is protected. And we all know what happens when your consumers lose trust in your brand. Once your reputation is damaged, it takes a long time to repair it.
So what steps should healthcare organizations take to minimize their risk?
- You can begin by identifying the threats and restricting access to data to the employees who need to manage that data. Assume every entry point is a threat.
- Training is critical. Help your staff understand the threats and train them on preventive measures, like how to recognize phishing emails.
- Mobile devices and laptops are easy to steal. Put protocols in place to prevent theft. Look for simple solutions like encryption. It’s easy but not everyone does it.
- Only keep the data you actually need. Do you really need someone’s driver’s license? Can you delete some data after a certain period of time?
- Have a crisis communications plan! Anticipate the problems and have a plan in place to help you respond quickly and communicate effectively with key stakeholders. This can help you minimize any long-term damage to your reputation.
If you are in the healthcare business, data breaches are a serious threat. Cyber security is an essential part of doing business in the digital health universe. Ask an expert to assess your risk. Get your head out of the sand!
Pushkin PR can help you prepare for and manage a crisis. Let us know how we can help.