Winter 2025 Issue
Data Security: Protecting Patient Data
By Agapito “Aga” Morgan
For The Record
Vol. 37 No. 1 P. 28
Health care organizations can protect patient data in a myriad of ways.
While cybersecurity is a new frontier for many health care organizations, providers must address it seriously and urgently to protect their data, systems, and networks from unauthorized and malevolent users. Health care providers must be able to embrace and leverage the operational efficiencies, cost and waste reduction, and improved patient outcomes afforded by modern technology and innovations without fear of cyber threats. The only way to ensure cybersecurity is to establish and maintain a comprehensive strategy to combat these attacks.
Here are a few practical steps health care organizations can follow to build a robust cybersecurity platform.
Conduct a Risk Assessment
There is no such thing as a one-size-fits-all cybersecurity solution that will protect every organization indefinitely. A successful strategy requires a bespoke, multipronged approach. That’s why the first step in developing an optimal cybersecurity strategy is to conduct a holistic risk assessment to understand exposure and pinpoint vulnerabilities. Questions that should be asked during the risk assessment include the following:
• Where is encryption being utilized?
• Are user roles being employed effectively to limit access to sensitive information?
• What third-party technology and solutions are in use that could provide cybercriminals access to essential systems?
This exercise will serve to identify all of the potential entry points that hackers could exploit to carry out an attack.
Build a Defensive Toolkit
Next, health care organizations should take what they learned from the risk assessment and develop a defensive toolkit. The most basic tools in that toolkit will be traditional defenses, such as encryption and firewalls, that will serve as the foundation for more advanced solutions. Cyber attackers are becoming more sophisticated, leveraging automation and artificial intelligence technologies to find, create, and exploit entry points into a system or network. An effective defensive toolkit will “fight fire with fire,” using the same tools as hackers to defend against attacks and eliminate vulnerabilities.
Prevent and Prepare
When it comes to cybersecurity, companies have to get it right all the time, while cybercriminals only have to get it right once. Inevitably, an attack will get through, and unfortunately the biggest vulnerability in any organization is its people. Sophisticated cyberattacks often begin with a barrage of simple phishing emails that aim to get an employee to share sensitive information like a password, account number, or login. These attacks often target lower-level workers who may be less savvy about cyberthreats and less likely to alert managers or authorities if they fall victim to an attack.
This is why organizationwide education, preparation, and planning are essential, and cyberthreat training must be standard in all employee onboarding. Training of new and current workers should include guidance on how to recognize the signs of a “successful” breach, reassurance that the employee won’t face consequences for reporting the breach immediately, and steps on how to act right away to mitigate the damage and spread of the attack and alert colleagues.
Free Resources
Large institutions have internal teams that can respond to these threats, but smaller health care providers with limited resources may be more exposed. However, leveraging the right tools is enough to build a defensive platform. Even small institutions that lack the ability to change policies or afford a robust IT team can access resources and technology to protect themselves.
The US Cybersecurity and Infrastructure Security Agency (CISA), for example, offers a free online toolkit and resources for organizations in the health care and public health sector. In addition, the Department of Health and Human Services (HHS) administers the HHS 405(d) Program to align security practices across the health care industry. The program provides tools, documents, and educational resources aimed at improving cyber hygiene—practices and habits that promote good cybersecurity—within organizations large and small.
Prioritize HIPAA Compliance
Health care consumers have an expectation that their personal information won’t be misused by providers, and in 1996, the federal government enshrined that expectation into law with HIPAA (the Health Insurance Portability and Accountability Act). The legislation spells out patient rights and the stiff civil and criminal penalties individuals and organizations can face for violating them. For this reason, a health care organization’s cybersecurity strategy must align not only with its own needs but also with the requirements laid out by HIPAA.
Education is an essential part of the strategy. Informational seminars are the best opportunity to teach health care organizations about the interdependence between cybersecurity and HIPAA. Understanding how these components, from the technology to the regulatory side, work together is an important educational tool that encourages providers to invest in programs and policies that proactively combat threats and increase security.
Leverage Third-Party Experts
Implementing the steps above will undoubtedly make a health care provider’s staff, patients, equipment, and records more secure. But the unfortunate reality is that cybercriminals will never stop trying to bypass the security measures their targets put in place. That’s why health care organizations should consider partnering with a specialist cybersecurity consultant and technology provider whose job is to stay up to date on the latest cyberthreat tools and techniques and continuously update their clients’ platforms accordingly. These experts can also help organizations establish a defensive program and respond to attacks when they happen.
Quality Care for Personal Information
For health care organizations today, providing “quality care” means caring for not only the patient but their personal information, as well. Unfortunately, cybercrime is constantly evolving, so the tactics and tools providers use to thwart attacks must evolve with it. The stakes in this constant battle couldn’t be higher. Recent attacks have proven that cybercriminals don’t care about the health and safety of individuals working in or being treated by the facilities they target.
Cybersecurity is a life-or-death issue for health care providers, and organizations need to treat it as such. Establishing and maintaining a cybersecurity strategy should be a top priority. The good news is that, with a methodical and strategic approach and a little outside help, any organization can improve its cybersecurity and become better prepared to respond to attacks.
— Agapito “Aga” Morgan is commercial health care leader at KeyBank. He also serves as cochair of the Commercial Bank’s Diversity, Equity, and Inclusion Council and as a member of KeyBank’s Commercial Credit Risk Committee. Morgan holds Series 79 and 63 licenses.