Managing to Succeed: Radiology's Cybersecurity Landscape
By Ned Campbell
Vol. 19 No. 7 P. 8
It seems as though every day there is news of another major data security breach in our country. It's clear that the health care industry is one of the favored targets of cybercriminals; more than 16 million patient records were breached in 2016.
Department of Health and Human Services Office of Civil Rights (HHS-OCR) HIPAA breach settlements totaled a record $24 million in 2016. According to predictions by credit reporting firm Experian, the health care industry will continue to be a target for cyber attackers while "personal medical information remains one of the most valuable types of data for attackers to steal."1
While most data security attacks have focused on large health care systems, that does not mean radiology practices are immune from these cybersecurity threats. Radiology practices manage a complex data environment with many systems and entities where protected health information (PHI) is transmitted and stored, including RIS, PACS, computer information systems, DICOM, imaging equipment, mobile devices, e-mails, short message service messaging, cloud storage, patient portals, and revenue cycle management systems.
Each of these poses a unique set of data security challenges and provides a wide attack surface to guard and secure against cybersecurity attacks. As these systems and processes are often provided by a third-party vendor or outsourced completely to a service organization, a radiology practice's data security environment almost always extends to a complex variety of business associates.
The Threats Are Real
The health care cybersecurity threat landscape has an ever-expanding attack surface, with motivated and well-funded cybercriminals who can carry out creative, sophisticated attacks on private and often protected health care information from radiology practices and their business associates. These include but aren't limited to the following:
If these outside threats are not enough, employees still pose one of the greatest risks to health care organizations and their business associates. According to a 2016 data security incident response report from BakerHostetler, 24% of health care data breaches resulted from employee errors.2 Social engineering, phishing, and spear phishing campaigns targeting individual users are on a sharp increase with growing sophistication across all industries.
Data Breach Impacts Can Be Significant
Although the largest health care data breaches of 2016 were nowhere near the scale of those seen in 2015 (eg, Anthem, Premera, and Excellus), more than 16 million patient records were compromised in breaches involving more than 500 patients. Of these major breach incidents, 275 were reported by providers and 20 were reported by business associates. The potential impact to health care providers of a single data breach are significant in terms of cost, disruption, and reputational impact. Consider the following:
A Strategic Priority
Given both the growing number of health care cybersecurity threats and the potentially significant impacts from a data breach, radiology practices need to consider data security a critical business priority for their own practice and their business associates. At Zotec Partners, we consider data security a mission-critical strategic priority utilizing a three-part strategy: organizational commitment, technology and processes, and external certification. In developing their own data security controls and evaluating their business associates' data security standards and controls, a radiology practice may consider a similar approach.
Data security requires a true organizational commitment by a company's executive team and shareholders, as effective data security requires time, resources, and investments. Companies that invest in a dedicated information security department of certified information security professionals with separate operating/capital expense budgets to execute strategic information security projects can keep pace with the evolving data security threats in order to implement security best practices.
New employee onboarding, including ongoing security awareness and education of all employees, is one of the most important investments a practice can make in data security. Providing security training above and beyond the "annual HIPAA education requirements" and frequently communicating security reminders are two effective means of building a workforce that is sensitized and responsive to data security threats. As an example, in order to sensitize employees to phishing attacks and provide additional training to employees as needed, companies might deploy customized employee phishing campaigns periodically throughout the year.
Technology and Processes
There are many data security technology solutions available in the market today that health care organizations can use to prevent, monitor, and respond to potential data security risks and threats. Technology tools, when coupled with prevention, monitoring, and detection processes executed by an information security team can create a multilayered network of defense against cybersecurity threats. These technology and processes may include the following:
External third-party examination and certification of security practices and those of business associates are a third way for radiology practices to enhance data security. The following are two common certifications:
It's essential for radiology practices to be aware of the growing breadth and depth of health care cybersecurity threats and ensure their data security controls and methods are evolving to provide adequate protection to their patients' valuable data. Organizational commitment, technology and processes, and external certification may be important steps to consider for a practice. The resources, expertise, and data security practices are also important factors for radiology practices to consider with their revenue cycle management partners and other business associates to whom they entrust their patient data.
— Ned Campbell is the executive vice president of quality and compliance for Zotec Partners, a national provider of radiology revenue cycle and practice management. He has worked in the health care industry since year 1991, and is specialized in operations quality, coding and billing compliance, and information security. Ned serves on the Zotec Compliance and Security Committees.
1. Fourth annual 2017 data breach industry forecast. Experian website. http://www.experian.com/data-breach/2017-data-breach-industry-forecast.html
2. Is your organization compromise ready? 2016 data security incident response report. BakerHostetler website. http://f.datasrvr.com/fr1/516/11618/BakerHostetler_2016_
3. HIPAA breach costs. HIPAA Journal. http://www.hipaajournal.com/wp-content/uploads/2015/05/hipaajournal-cost-hipaa-data-breach.png