Privacy

Healthcare Organizations Remain a Target

Although it is sometimes difficult to remember what life was like before COVID, one thing is for certain: healthcare organizations were not as prominent a target for cyberattacks as they are now. Given that healthcare cannot function without the collection of patient data, these organizations represent a potent target for bad actors. If healthcare organizations are unable to keep patient records private, they could suffer substantial penalties via HIPAA’s Privacy and Security Rules. Most importantly, these kinds of attacks can lead to disruptions in patient care and safety.

According to the board director of ISACA (a professional IT governance association), the size of a healthcare organization no longer matters when it comes to phishing and other malicious attacks. There is also a question of budget: “the emphasis has been on the latest medical technologies… not necessarily on the latest security practices to protect environments.” Moreover, healthcare organizations face the same cybersecurity issues as other industries, so much so that governmental recommendations are nearly identical to what you would find for home users.

According to a national survey of 1,300 physician practices, 83% had suffered a cyberattack. In the wake of this survey, the American Medical Association conducted a cybersecurity analysis that revealed three key issues affecting the healthcare industry broadly. First, cybersecurity is not just a technical issue; it is also a patient safety issue, because these organizations are obligated to protect patient information. Second, many practices do not have their own internal security system and so must rely on outside IT vendors for cybersecurity support. Third, more is needed than HIPAA compliance to protect the records of patients.

So the biggest question for patients is: what can you do to protect your information? Unfortunately, the very nature of healthcare means that your information must necessarily be collected—and at that point, protection is out of your hands. Still, as we discuss with David Sampon on this issue’s podcast, it is important to do your own research into the various track records of the healthcare organizations you might visit. Especially if you have a choice of where to seek treatment, prioritizing an organization that has not suffered a breach—or has its cybersecurity measures clearly stated—could make the difference.