It’s no secret that healthcare organizations have become major targets for cyber-attacks, especially because of the large amounts of sensitive electronic protected health information (ePHI) these companies harbor. Not only is a healthcare organization’s internal information system prone to attack, but the growing use of mobile devices, remote data access, and cloud-based systems has forced information security programs to expand their scope and increase their protection efforts.

Providers rely on the information related to a patient’s clinical status to be accurate. Without good data integrity, decisions about appropriate care could have deadly consequences. Imagine a scenario where a malicious hacker randomly changes information on blood types or drug allergies in a medical record system but leaves everything else alone so as not to be detected. Since information security and patient safety go hand in hand, it is crucial for healthcare organizations not only to identify emerging security threats, but also to know how to properly respond to incidents and quickly mitigate threats, ensuring both the privacy and the integrity (accuracy) of data. Robust information security practices should not focus solely on HIPAA compliance or on avoiding a potentially embarrassing data breach; a healthcare organization’s security program should also center on patient safety.

Especially since the Department of Health and Human Services wants cybersecurity treated as a patient safety issue, here’s what healthcare organizations need to know about connecting cybersecurity risk and patient safety:

Be Prepared

Security teams must have a solid understanding of how to properly monitor for and protect against emerging threats. From choosing and implementing cybersecurity tools to extending security coverage to medical devices, awareness and knowledge of best practices in these areas is a must for patient safety.

Be Equipped

While many healthcare organizations today manage patient safety, information security, and risk management separately, there is value in adopting a combined strategy that provides a broader perspective on their potential threats. To stay in line with HIPAA requirements and NIST framework guidance, an effective management tool like BALLAST can continuously evaluate the current state of security risk across your enterprise.

Be Proactive

While outside attackers are an obvious threat to a healthcare organization’s sensitive data, company insiders who are lured by phishing or other attacks can also create threats. It is imperative that organizations train employees on cybersecurity essentials and implement new methods and models to protect patients and data systems. The constantly changing threat environment makes a disciplined and proactive risk management approach mandatory.

BALLAST can help your organization armor up against attacks that can affect patient safety. To get started or learn more, contact us today!

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA & PCI, HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.