With recent technologies improving the patient and provider experience, healthcare has seen a dramatic shift toward adopting these new technologies, including cloud-based solutions, to keep up with the rising demand for telehealth services. Telehealth is the distribution of healthcare information and services remotely through telecommunications technology, including long-distance patient/clinician contact and care, advice, reminders, education, intervention, monitoring and remote admissions.
Although this technological shift is a welcome change for many patients due to its flexibility, it also creates a specific challenge for healthcare organizations in terms of security. Many IT developers prefer to solve security issues through an all-access approach to coding and implementation; however, the key to remaining HIPAA-compliant and ensuring security with telehealth services is to compartmentalize this access.
It’s vital to know who needs direct access, when and why, before providing it to the appropriate users. While this measure is a fundamental step toward secure telehealth implementation, as with any change, healthcare providers need to prepare for push-back by creating a cultural mindset of security.
Security culture: what’s the big deal?
The healthcare industry has experienced some of the most frequently reported data breaches around the globe, with 377 security incidents reported in 2016 alone. Coupled with the increase in “access points” for telehealth services and protected health information (PHI) — such as desktops, tablets, smartphones and smart medical devices — security in technology has become the most important factor in the effort to protect healthcare organizations.
With new security risks arising every day, the mindset of healthcare organizations must be as adaptable as the services and software they implement. Designating a strong leader and keeping the following tips in mind can help any healthcare organization make the leap to a culture with a security-focused mindset.
Remember it’s a partnership, not a competition
Innovative technologies and software adoptions — including telehealth implementation — continue to catch on rapidly throughout the healthcare industry. This burning desire for telehealth technology is quite evident from the recent Jackson Healthcare Physician Trends 2016 Report, which projects that the global telemedicine market will grow to more than seven million users in 2018 and increase to $36.2 billion by 2020.
This explosion of technology makes collaboration between organizations more necessary than ever before. Although cooperation between organizations can make both the patient and provider experience more flexible and secure, many healthcare organizations’ IT departments view this collaboration as a threat.
However, both traditional software and cloud-based providers are valuable partners to a healthcare organization’s IT strategy — not competitors. When healthcare IT providers view each other in a negative way, it can be detrimental to the progress and security of any organization, creating a barrier between the organization’s goals of continuing to protect personal data while remaining ahead of its own competition.
A champion in the IT department will take action and evaluate all alternatives, pulling technology from a variety of places to give the organization the best chance of success.
Place employee education & training at your core
So, your software is up to date and your IT department has finally seen the light. Now what? The security mindset doesn’t stop there. It needs to be implemented into the core of your healthcare organization.
The 2017 Healthcare Security Study by HIMSS Analytics found that 78% of respondents identified employee security awareness/culture as the overall biggest concern in terms of security threat exposure, and with good reason. Employee error or negligence is one of the leading causes of healthcare data breaches.
In response, healthcare organizations need to make education a vital component of their culture. Leaders need to take the first step and explain the “why” behind creating an organization that places security at its core. Take specific action; start education at the top and make security training mandatory and continuous.
Companies with policies such as Bring Your Own Device (BYOD), for example, should consider network security within their policies and education to protect against breaches due to increased entry points through multiple connected devices.
Be prepared: it often gets harder before it gets easier
However well-intentioned this shift in mindset to match the changing technology environment may be, change takes time. Healthcare organizations must be prepared to face opposition as new policies and procedures go into effect. With IoT devices permeating the market, and new security threats consistently on the rise, healthcare organizations must think preventatively in order to change alongside their software.
Especially in light of the recent “Reaper” IoTroop botnet discovery, which targets IoT devices, and this summer’s WannaCry ransomware that plagued the healthcare industry through interrupted operations and infected medical devices, it’s clear that with increased connectivity comes increased risk, regardless of industry.
As healthcare in particular continues implementing innovative services such as telehealth, the state of cybersecurity will significantly impact the future of the industry. After all, the Identity Theft Resource Center (ITRC) reports that total breaches in the US increased by 40% between 2015 and 2016 and, according to the Ponemon Institute, the average cost of a security breach reached $4 million in 2016.
The concern for strong cybersecurity should be pushing all industries to be mindful as they innovate. However, these software upgrades need to be matched by an awareness of procedural effects on cybersecurity and by an internal mindset that puts security best practices first, regardless of IT operational preferences.