It’s right there in the Hippocratic Oath, the code of ethics doctors and physicians have been upholding when delivering healthcare since around 400 BC:
- “And whatsoever I shall see or hear in the course of my profession…if it be what should not be published abroad, I will never divulge, holding such things to be holy secrets.”
Protecting patient privacy sits alongside primum non nocere (translated from Latin as “first, do no harm”) as a core tenant of healthcare. So, it’s somewhat surprising to learn from the latest SOTI industry report, A Critical Investment: Taking the Pulse of Technology in Healthcare, that 70% of organizations have experienced a data breach or leak since the onset of COVID-19.
Legally and ethically, healthcare organizations and providers have a duty to secure patient information. Yet, it’s becoming more of a challenge to do so, which means it’s becoming more of an area of concern.
Why is that and what can be done about it?
HOW SECURE IS PATIENT DATA IN 2022?
Find out in your free copy of A Critical Investment: Taking the Pulse of Technology in Healthcare
Healthcare Security Challenges: A Business-Critical Issue Becoming More Critical
The cost of a healthcare data breach is nothing short of devastating:
- In 2020, security breaches cost healthcare companies $6 trillion USD
- Right before the pandemic (February 2020), over 1.5 million healthcare records were breached
- A single stolen patient record costs organizations $408 USD; the highest of any industry
- 50% of healthcare data breach victims pay approximately $2,500 USD in out-of-pocket expenses to compensate for their lost or stolen information
These costs can be measured in dollars lost or records impacted. In theory, they can be recouped or recovered.
Then, there’s the reputational damage to a healthcare organization, which is nearly impossible to quantify. Approximately 60% to 80% of data breaches go unreported, and 39% of healthcare organizations discover a breach months after it happens. The moment a security breach occurs, it’s already an uphill climb to regain trust from the impacted victims. Not knowing about it for months or never realizing it at all? There’s almost no way for a healthcare organization to recover.
It's a dichotomy. According to the SOTI 2022 healthcare report, 86% of healthcare IT professionals worry about patient information being revealed, lost or stolen. Conversely, 80% of healthcare organizations admit to not having completed a cybersecurity drill with a response process.
More Technology Means Better Patient Care…and More Healthcare Security Challenges to Face
Perhaps no industry was forced to adopt to the pandemic more than healthcare. Besides frontline healthcare workers’ heroic efforts in keeping patients safe and healthy, healthcare IT workers had to implement new technologies in a short amount of time. From A Critical Investment: Taking the Pulse of Technology in Healthcare:
- 64% of healthcare settings have started to explore synchronous IoT/telehealth medical devices since the start of COVID-19
- 49% have invested in mHealth wearables for specialized health services, which feed into patient records
- 50% deployment of RFID (radio-frequency identification) devices globally since the pandemic
No doubt, these new technologies have contributed greatly to patient care and perhaps have even saved lives.
For 11 consecutive years, healthcare paid more for data breaches than any other industry. It boils down to more devices and more endpoints also meaning more opportunities for hackers to steal patient data, which can be up to 40 times more valuable on the black market than credit card data (one simple reason is that credit cards can be cancelled, whereas patient records cannot).
As such, only 11% of patients trust organizations with their data.
Connected medical devices seem to be most susceptible to attacks:
- Connected devices: 53% of connected/IoT medical devices have a known critical vulnerability, with the top device being IV pumps (73% have a vulnerability which can impact patient safety or data security)
- Poor password protection: Newer devices, same weak passwords. 21% of connected devices in healthcare organizations are secured by weak or default credentials
- Unsecured interconnectivity: From the SOTI healthcare report, 56% of IT professionals believe some of their interconnected devices are not adequately secure
There are more lifesaving tools and technologies available than at any other point in history. Conversely, according to the report, 57% of IT professionals believe patient data security is more at risk than ever before.
The technology isn’t going anywhere, and neither are the potential threats. Where does the industry go from here?
Meeting Healthcare Technology Challenges Through Education and Resource Budgeting
The SOTI 2022 healthcare report determined that a staggering 70% of organizations have experienced a data breach since 2020. The sources of these leaks may not be what you think:
- 33% are accidental data leaks from an employee
- 31% of data breaches come from an outside source
- 29% are caused by distributed denial of service (DDoS) attacks
- 25% are planned data leaks from an employee
Healthcare organizations are taking a two-pronged approach to tackling these threats.
The first prong is education via security awareness training, such as identifying potentially harmful emails and safe surfing behaviors while following compliance procedures. In the SOTI 2022 healthcare report, 73% of organizations provide data security training to all staff handling patient data.
The second prong is resource allocation. According to the report, 73% of healthcare IT functions said their organization increased its annual technology spend since 2020. However, 46% agree their organization is not spending enough on patient data security.
Over half (52%) of healthcare workers receive security awareness training on a yearly basis. Conversely, the healthcare industry invests less than 6% of its budget on cybersecurity.
Organizations are investing the time, but not necessarily the dollars, required to protect patient data.
What's Next?
When the Hippocratic Oath was first written around 400 BC, its author Hippocrates could not have envisioned the state of healthcare in 2022.
In fact, there’s a movement to update the Hippocratic Oath for the 21st century to include responsibilities on allowing patients to determine how their data is used, making healthcare easier to access, understand and use and, of course, protecting patient information.
In medical terms, healthcare organizations must “increase the dose” in terms of technology used to treat patients and the training and tools needed to secure the data it collects.
