Co-founder and CEO of Protenus, empowering healthcare to eliminate risk by leveraging AI.
Dentists often sing the praises of preventive care because it is far easier to keep teeth healthy than to spend enormous amounts of time and money repairing damage. The same is true of healthcare compliance monitoring. With ongoing care and maintenance, hospitals and healthcare systems can greatly reduce the risk that patient privacy violations pose to their organizations and, more importantly, to the patients they serve.
When it comes to healthcare data breaches, it is not a matter of whether one will happen but when. Patient information is more exposed than ever because of outdated legacy systems, a beleaguered workforce and increasingly sophisticated threat actors.
Modernizing the approach to healthcare compliance monitoring is key to reducing risk.
The Target Of Cybercriminals
Healthcare has long been a target of cybercriminals: hacking incidents accounted for 75% of the more than 50.4 million patient records affected by data breaches in 2021. Hacking incidents climbed for the sixth consecutive year, and breaches were up 20% year over year in 2021, due in part to attackers taking advantage of the continuous disruption caused by Covid-19. The shift to virtual care delivery and remote work further widened the attack surface around sensitive patient data.
Attackers continue to seek out and exploit weaknesses in healthcare, with outdated legacy systems a prime target. The danger is prevalent enough that the U.S. Department of Health and Human Services (HHS) issued a warning bulletin about it in late 2021. When legacy systems lack proper security controls, an intruder who gets into the healthcare IT environment can do major damage, especially if no privacy monitoring solution is in place to sound the alarm. Attackers also go through insiders to reach private patient data: delivering malware, tricking staff into clicking a phishing link or recruiting them outright.
Insider Event Impact
Healthcare data breaches wrought by hackers are often the ones covered in the media, but insider events, such as an employee looking up a family member’s protected health information (PHI), can be just as damaging. In 2019, 92% of combined large and small breaches were tied to unauthorized access, according to U.S. Department of Health & Human Services (HHS) data.
It may start innocently enough, with an employee looking up their own PHI or a neighbor's record, but it can quickly become a bigger risk as the behavior escalates. A manual audit that samples a few accesses cannot track that escalation across the full stream of system accesses, let alone predict it, the way an AI-powered compliance monitoring solution can.
The good news is that the immense financial and reputational risk to the organization from insider events, along with the highly damaging erosion of patient trust, can be mitigated by on-the-spot intervention delivered as part of an ongoing, preventive compliance monitoring program, as a study I co-authored found.
In an industry still reeling from the impact of Covid-19, we have seen incredible churn in the workforce along with critical staffing shortages. Compounding the problem is a report that an estimated one-third of nurses plan to quit in 2022. With many new healthcare employees coming on board and continued reliance on travel nurses, many staff have little understanding of their hospital's or health system's compliance policies, which can lead to more insider security events.
It is not just nursing that faces a workforce shortage; the strain affects departments throughout the health system as employees are asked to do more with fewer resources. IT and compliance departments feeling that strain often lack the time or staff to manually audit every system access in order to find the small number that are true violations. Yet that small number of violations can pose a huge risk to the organization and the patients it serves.
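To make the insider-access problem concrete, here is an added illustration of the kind of triage an automated monitor performs over EHR access-audit events. It is example code written for this page, not code from the article, from Protenus or from any product; the log format, the field names, the three heuristics (self-access, a shared surname, a shared street address) and the "no treatment relationship" fallback are all assumptions chosen for the example, and the sample log is constructed. Real programs draw on far richer context (schedules, departments, behavioral baselines), but even these simple rules show how a handful of accesses worth a human's attention are pulled out of a much larger event stream, and how a single user's repeated flags surface as escalation.

```python
"""Rule-based triage of EHR access-audit events (illustrative example).

Assumptions (not from the article): the CSV layout below, the three
heuristics, and the "on_care_team" flag standing in for a documented
treatment relationship. Real monitoring uses far richer signals.
"""
import csv
import io
from collections import Counter

# Constructed sample audit log, one row per PHI access. Not real data.
# user_patient_id is the employee's own patient record, if any;
# user_surname / user_street are directory attributes of the employee.
SAMPLE_LOG = """\
timestamp,user_id,user_patient_id,user_surname,user_street,patient_id,patient_surname,patient_street,on_care_team
2022-03-01T08:02:00,u100,p9001,Nguyen,12 Oak St,p5001,Lopez,40 Elm St,yes
2022-03-01T08:15:00,u100,p9001,Nguyen,12 Oak St,p9001,Nguyen,12 Oak St,no
2022-03-01T09:30:00,u200,,Patel,7 Pine Rd,p5002,Patel,99 Main St,no
2022-03-01T10:05:00,u200,,Patel,7 Pine Rd,p5003,Kim,7 Pine Rd,no
2022-03-01T11:00:00,u300,p9003,Rossi,3 Lake Ave,p5004,Chen,8 Hill Ct,yes
2022-03-02T14:20:00,u200,,Patel,7 Pine Rd,p5005,Okafor,21 Bay Dr,no
2022-03-02T15:45:00,u300,p9003,Rossi,3 Lake Ave,p5006,Diaz,5 Park Ln,no
"""


def parse_events(log_text):
    """Parse the CSV audit export into a list of dicts, one per access."""
    return list(csv.DictReader(io.StringIO(log_text)))


def classify(event):
    """Return the highest-priority reason an access looks suspicious, or None.

    Order matters: a self-access also matches surname and street, so it is
    checked first so that the most specific explanation wins.
    """
    own_record = event["user_patient_id"]
    if own_record and event["patient_id"] == own_record:
        return "self_access"
    if event["patient_surname"].casefold() == event["user_surname"].casefold():
        return "surname_match"            # possible family-member lookup
    if event["patient_street"].casefold() == event["user_street"].casefold():
        return "same_address"             # possible neighbor lookup
    if event["on_care_team"].strip().lower() != "yes":
        return "no_treatment_relationship"  # no documented reason to view
    return None


def triage(log_text):
    """Run every event through classify() and keep only the flagged ones."""
    findings = []
    for ev in parse_events(log_text):
        reason = classify(ev)
        if reason:
            findings.append({
                "timestamp": ev["timestamp"],
                "user_id": ev["user_id"],
                "patient_id": ev["patient_id"],
                "reason": reason,
            })
    return findings


def repeat_offenders(findings, threshold=2):
    """Users whose flagged-access count reaches the threshold: the escalation signal."""
    counts = Counter(f["user_id"] for f in findings)
    return {user: n for user, n in counts.items() if n >= threshold}


def summarize(log_text):
    """Totals a compliance analyst would want: volume in, candidates out, by reason."""
    events = parse_events(log_text)
    findings = triage(log_text)
    return {
        "events": len(events),
        "flagged": len(findings),
        "by_reason": dict(Counter(f["reason"] for f in findings)),
    }


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print(summarize(SAMPLE_LOG))
    print("repeat offenders:", repeat_offenders(triage(SAMPLE_LOG)))
```

Of the seven constructed accesses, five are flagged and one user (u200) accounts for three of them, which is exactly the pattern an analyst wants surfaced for an on-the-spot conversation rather than discovered months later in a sampled audit. The "no treatment relationship" rule is deliberately last and lowest priority: on its own it produces the most noise, so in practice it is weighted by context rather than treated as a violation outright.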
‘Traditional’ Methods Don’t Work
The average hospital generates 60 million auditable events per month but audits only 1,000 of them. No compliance team can keep up with that volume manually. Yet most of the $39 billion U.S. hospitals spend each year to stay compliant goes to manual tasks and audits. This reactive approach creates a massive blind spot and consumes major IT and compliance resources that are already stretched thin by critical staffing shortages and debilitating budget cuts.
Occasional manual audits and legacy systems offer virtually no protection against the dangers of increasingly sophisticated cybercriminals and insider security incidents. Organizations must embrace new technology and methods to better protect themselves and their patients.
The Future Of Healthcare Compliance Monitoring
Healthcare organizations must be honest with themselves when choosing how to monitor patient privacy. Are they prepared to dedicate so many already-scarce resources to manually auditing system accesses and determining which are actual violations? A bigger question is, are they willing to assume the overwhelming financial and reputational risk associated with using an outdated legacy system or reactive approach when—not if—a data breach happens? The erosion of patient trust deals a huge blow that makes recovery extremely difficult.
Hospitals and healthcare systems should consider replacing manual or legacy approaches with a modernized, proactive compliance monitoring solution that drastically reduces the resources needed to detect, act on and recover from security incidents. They then gain the ability to identify and address incidents as they happen, preventing escalation and limiting damage. By applying artificial intelligence and advanced analytics, these technologies automate the detection of patient privacy violations so that hospitals and healthcare systems do not miss what matters.
Ongoing training can also play a large role in improving compliance policy adherence, as shown in the study mentioned above where on-the-spot intervention was 95% effective in reducing repeat offenses. This is an important factor due to the continued workforce churn the industry is experiencing—new or contract employees may not be aware of the healthcare organization’s compliance policies.
Finally, as a best practice, it is imperative that organizations have a detailed security incident response plan in place, as the HIPAA Security Rule requires (45 CFR 164.308(a)(6)), to identify and respond to security incidents, mitigate their harmful effects and document the incidents and their outcomes.