The following is a guest article by Alexander Norell, Senior Director and Global Security Architect at VikingCloud.
One cannot overstate the benefits of data sharing in healthcare, which grows more prevalent as the years pass and technologies make the process more seamless.
The dawn of integrated care systems that foster streamlined record-sharing is already linked to improving patient outcomes through precision medicine that caters to individual needs.
Integrated data sharing across healthcare systems ensures three-dimensional assessments of patients. Nothing crucial or life-saving gets forgotten because it’s all available at a practitioner’s fingertips.
Beyond readily available data to help treat acute or more immediate symptoms, these advancements in record sharing also help flag long-term trends—increasing the potential to catch underlying health problems that would otherwise go undetected.
Furthermore, data sharing across healthcare networks, platforms, and infrastructures enables enhanced collaboration. Fewer silos exist between care providers, who can more easily work together to foster superior patient outcomes.
Data sharing also has more big-picture benefits. The large swaths of health-related data enable healthcare entities to better manage the health of entire populations by helping identify trends and develop strategies based on vast evidence.
It’s worth noting how the technologies driving increased data sharing aid in efficiency, reducing paperwork, human error, and the already strenuous workloads of industry professionals.
These are all significant benefits of data sharing in the healthcare sector. However, one glaring challenge exists in this brave new world of more integrated, collaborative care: Protecting sensitive patient data from cybercriminals.
The Importance of Cybersecurity in Healthcare
The healthcare sector is uniquely vulnerable to cybersecurity breaches.
2023 was a record year, with 114 data breaches of 100,000 or more records reported to The HIPAA Journal.
Cybercriminals are drawn to healthcare data as bees are to honey. Its sensitive nature is of great value on the black market, but also to care providers and the patients who’ve entrusted them to protect their personal information. Ransomware attacks make up the bulk of incidents seen today. Hackers leverage healthcare’s growing reliance on technology by demanding exorbitant amounts of money for stolen data. The cost of responding to and recovering from a breach in this industry has been higher than that of any other sector since 2011, according to a report by IBM and the Ponemon Institute.
North America is a particularly popular target for ransomware attacks, having experienced 315 of the healthcare sector’s 379 ransomware attacks last year. IBM and the Ponemon Institute peg the average cost of these incidents at $10.9 million. 2024 is projected to also near or surpass the $10 million mark.
While the vast increase in data sharing will significantly bolster patient outcomes, the proliferation of related technologies leaves the data more vulnerable than ever.
It’s up to healthcare organizations to implement robust cybersecurity protocols to offset the worst-case scenario (seismic data breaches) and maximize the best-case scenario (mass systemic improvements).
The Top Healthcare Cybersecurity Risk Factors
As we’ve established, data breaches adversely impact a healthcare institution or medical practice’s finances.
They also cause reputational damage. Even worse, they disrupt the ability to provide optimal care—research conducted by Cynerio and the Ponemon Institute found that 53% of healthcare organizations that have been the victim of a cyber attack experience adverse impacts such as increased mortality rates. Researchers Hannah Neprash, Claire McGlave, and Sayeh Nikpay back this claim up in an article written for STAT, citing findings from their own recently published report. Where roughly three in 100 hospitalized Medicare patients die in the hospital under normal conditions, that number goes up to 4 out of 100 during a cyberattack.
Unfortunately, the monetary value of patient data on the black market makes it a tantalizing target for malicious actors. Compounding this issue are the many weaknesses and risk factors in healthcare providers’ cyber-security infrastructures that make the sector more attractive to cunning cyber criminals.
In healthcare, the top risk factor by some margin is the surge in industry-wide data sharing (primarily of the digital variety).
A confluence of connected devices collects and transfers sensitive patient information to entire infrastructures (including organizations, partnerships, systems, etc.) for optimal patient outcomes. The more connected devices involved in a network, the more chances hackers have to strike, adding to organizational risk.
Below, we’ll highlight a few more risk factors leaving healthcare infrastructures vulnerable to data breaches and cyberattacks:
- Overextended staff members often aren’t adequately prepared to fend off cyberattacks
- Those same staff members don’t necessarily prioritize cybersecurity, given their substantial workloads and the stress of their jobs
- Many healthcare organizations lack resources and utilize legacy technologies ill-equipped for today’s cybercriminals
- Care providers can take a more ad-hoc, reactive approach to cybersecurity instead of proactive, holistic, and systemic integration
Securing Patient Data: A List of Best Practices
Here’s a list of best practices for protecting patient data:
- Encrypt patient data with strong algorithms to protect it from unauthorized users
- Ensure only authorized personnel access patient data via role-based access controls
- Data infrastructures and integrated systems require robust authentication methods, such as multi-factor authentication, to ensure that only verified users can access data
- Frequently auditing user activities and system logs will help identify suspicious behaviors before something nefarious or damaging occurs
- Data should be backed up on primary and backup systems with offsite solutions to prevent loss
- Assess your systems to identify and address existing weaknesses. This process requires mapping how patient data travels through your organizational infrastructure, from acquisition to disposal. From there, it’s possible to flag weak points where the data isn’t compliant or is highly vulnerable to attacks. Afterward, establish best practices and strategies to bridge your data protection gaps
- Implement secure transmission protocols (e.g., HTTPS and VPNs) to protect data transmissions. Also ensure you’re using intrusion detection/prevention tools, firewalls, and other security measures for patient data
- Minimize and consolidate patient data as much as possible. Gather only what’s necessary to prevent bloat, which can make the data unmanageable and more open to breaches
- Consider anonymization and pseudonymization of data records kept for research and statistics
- Stay on top of (and rigorously adhere to) data-protection compliance measures
- Monitor your third-party service providers
We want to highlight how valuable staff buy-in is to your data protection strategies.
After all, they’ll require the necessary training and education to uphold best practices, and their ongoing commitment to compliance and robust data protection is crucial to the lasting success of any healthcare practice, organization, or institution.
Cloud Technology’s Role in Enhancing Healthcare Security
According to a study by DuploCloud, 70% of healthcare organizations have migrated to the cloud.
Cloud computing offers healthcare organizations enhanced encryption, bolstered security controls, redundancy, access controls, and compliance certifications. The result is robustly protected patient data and improved patient outcomes.
With all that said, cloud computing is like any infrastructure in that it has its risks.
However, paired with the best cybersecurity practices we’ve provided (along with supplemental technologies and tools), it promises to protect your healthcare organization’s patient data (and reputation) in the short and long term. This way, you and your patients will reap the benefits of data sharing while stonewalling data breaches—the best of both worlds.
About Alexander Norell
A highly regarded and growth-focused GCRS professional, Alexander Norell has more than 25 years of experience in the IT consulting industry and 20 years in cyber, IT, privacy, and information security.
As a Senior Director, Alexander has extensive experience in leadership roles for GRC security specialists. He is responsible for running the EMEA portfolio of consulting services for VikingCloud, and the delivery of all services, including risk, privacy, ISO, and PCI.