According to a recent study from MIT’s Sloan School of Management, hospitals today experience up to 70 percent of all ransomware attacks. Hospitals and other healthcare organizations are an easy target for attackers because, when health records and sensitive patient data are held hostage, hospitals have no choice but to pay the ransom. Refusing to pay means not only that patient care could be compromised, but that a patient’s personal health information (PHI) could be stolen and the organization subjected to harsh penalties.
As Chris Cullen of Perspectium shared in a recent interview, it’s incumbent on healthcare providers to be proactive in preventing privacy breaches. However, a major contributor to cyber vulnerability – and the potential release of PHI – is the decentralized nature of how most hospitals organize their teams.
“Traditionally in hospitals, IT security and patient privacy are two separate departments or two separate areas, and they don’t really talk to each other much,” Cullen shared. “Right now, in most cases, IT is siloed from the security team, and the security team is siloed from the privacy and compliance team. They don’t always talk to each other.”
Cullen said that in some hospitals IT and security do work together to run simulations and testing, but that only gives insight into network-level and hardware security.
“It doesn’t show you what the users are doing. That’s the gap,” Cullen explained. “On that side of the equation, the privacy department will typically use a different tool to analyze user behavior on the network and look for things like duplicate logins, logins from different locations, multiple logins at the same time and be able to advise employees against the behavior in the future.”
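The three behaviours Cullen lists (duplicate logins, logins from different locations, multiple simultaneous logins) can be checked with simple heuristics over an access log. The following is an added illustration and is not code from the article, Perspectium or any privacy monitoring product; the log format, field names and the 30-minute location window are assumptions, and the log lines are constructed.

```python
"""Flag risky EHR login patterns from access-log lines (constructed sample data).

Added illustration, not a vendor's code. It implements the three heuristics
named in the article: a duplicate login (new login while a session is still
open), concurrent sessions from different locations, and a change of location
within a short window. Log format and field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp,user,event,location,session_id
SAMPLE_LOG = """\
2024-03-01T08:00:00,nurse01,login,ward-3,s1
2024-03-01T08:05:00,nurse01,login,ward-3,s2
2024-03-01T08:30:00,nurse01,logout,ward-3,s1
2024-03-01T09:00:00,doc07,login,clinic-a,s3
2024-03-01T09:10:00,doc07,login,remote-vpn,s4
2024-03-01T09:40:00,doc07,logout,clinic-a,s3
2024-03-01T10:00:00,admin2,login,hq,s5
2024-03-01T10:20:00,admin2,logout,hq,s5
"""

LOCATION_WINDOW = timedelta(minutes=30)  # assumed tuning value


def parse(log_text):
    """Yield (timestamp, user, event, location, session_id) per line."""
    for line in log_text.splitlines():
        ts, user, event, loc, sid = line.split(",")
        yield datetime.fromisoformat(ts), user, event, loc, sid


def find_anomalies(log_text):
    """Return {user: set(reasons)} for users whose login pattern is suspicious."""
    open_sessions = defaultdict(dict)  # user -> {session_id: location}
    last_login = {}                    # user -> (timestamp, location)
    findings = defaultdict(set)
    for ts, user, event, loc, sid in parse(log_text):
        if event == "logout":
            open_sessions[user].pop(sid, None)
            continue
        if open_sessions[user]:  # login while another session is still open
            findings[user].add("duplicate_login")
            if any(other != loc for other in open_sessions[user].values()):
                findings[user].add("concurrent_sessions_different_locations")
        prev = last_login.get(user)
        if prev and prev[1] != loc and ts - prev[0] <= LOCATION_WINDOW:
            findings[user].add("location_change_within_window")
        open_sessions[user][sid] = loc
        last_login[user] = (ts, loc)
    return dict(findings)
```

In this sample the nurse's second login from the same ward is only a duplicate login, while the doctor's VPN login ten minutes after a clinic login trips all three checks; a privacy team would review such findings with the employee rather than treat them as proof of misuse.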
Cullen helps healthcare providers understand how IT service management (ITSM) can solve the challenges of service and data integration using modern technology with processes that extend beyond application silos. Cullen said that ITSM can allow IT security to replicate ITSM data so they can have a real-time copy of the current IT infrastructure environment in order to run attack-simulation or other security tests against the most up-to-date information.
Luckily, once a healthcare provider introduces a privacy monitoring system and employees are aware they are being monitored, the number of incidents drops. That is good news, but it does not amount to a full picture of what is happening on a provider’s network.
“The ability to integrate the patient privacy system data with the ITSM data and the network-level security data offers a full picture of the network and the behavior of users on the network to run reporting and analytics about privacy and report out,” Cullen said.
This is particularly important because the Centers for Medicare & Medicaid Services (CMS) require healthcare providers to file a privacy impact assessment for review of their compliance with CMS regulation every year. Cullen said that an extensive redesign last year transformed the privacy impact assessment into a smart form that is unique to each healthcare provider system.
“Last year, CMS was migrating information from prior years’ privacy impact assessments to the new smart forms for the providers, sending them back to the healthcare providers for review and corrections so they then could be submitted to CMS,” he said.
Going forward, healthcare providers will have to submit those assessments on their own. That is another opportunity for data and process integration with CMS: gathering the needed data, populating the smart form, and submitting the privacy impact assessment in an automated fashion.
Cullen said that ITSM can play an important role in helping healthcare providers ensure that the most up-to-date data is available for CMS reporting.