According to IBM’s Cost of a Data Breach study, the average cost of data security failures is nearly $4 million — and that doesn’t quantify the impact on consumer confidence. In the health care industry, that translates into two primary concerns for patients: that their private information is safe, and that their care won’t be negatively affected by cyber attacks or other events.

“As health care institutions strive for new ways to drive patient experience, they want that experience to be as valuable as possible,” says Lee Waskevich, vice president of security solutions at ePlus Technology, a network, storage and security solutions company. “And that takes new applications and new ways of interacting with the client, which puts data in a lot of different places. Preventing unauthorized access is critical.”

Inside and outside threats

The range of events that can negatively impact patient data — and thus degrade the patient experience — is broad, including direct attacks via malware or ransomware as well as indirect factors like unpatched systems or insufficient backup and recovery plans. And the data put at risk by these factors is quite valuable.

“Patient data is the most valuable data asset available on the black market,” notes Sonia Arista, national health care practice director at Fortinet, a network security and threat management company. “Those patient records can be parceled out to sell in multiple ways.”

“Make sure that there’s a defined process complemented by a strong security architecture.”

Waskevich believes anyone charged with protecting patient data and the value of the patient experience must think seriously about the state of their organization’s security posture.

“At ePlus, we recommend going down a path of assessing cyberattacks as a business risk and following a cybersecurity framework that can help you outline where the data exposure risks are,” he says, “and also having preventative measures in place identifying different aspects of malware or insider threats where people are accessing data they shouldn't be.”

This should include robust training and education for staff, according to Arista. “Education and awareness campaigns within an organization should focus on fundamental good habits related to IT security: not sharing credentials, logging off terminals and devices when they’re done with their session and making sure any emails they receive that look out of place or odd go unopened.” Such policies also need an emphasis on workflow habits around document handling.

And according to Ken Puffer, the chief technology officer for health care solutions at ePlus, patients are paying attention. “It starts from the time patients walk onto the property. How visible are the security measures? They’re as concerned about physical security as much as information security.” These concerns are underscored by a recent study from the University of California that found potentially hundreds of patients had experienced “adverse events” resulting from ransomware malware, or attacks compromising electronic health records (EHRs).

One guy

Securing that patient experience has gotten more complicated, but the solution is straightforward. “Make sure that there’s a defined process complemented by a strong security architecture,” Waskevich stresses. “One that's very interoperable and collaborative across itself, sending up a signal when something is amiss. Then having a proper reaction plan can help minimize any damage.”

Waskevich also notes that organizations often don’t think about what happens after an attack or failure. “A lot of things boil down to one guy — and that same guy is fixing things as well as trying to keep people abreast of the situation that's going on. Making sure that there's a team of individuals involved, along with proper communication channels, and that this plan is tested just the same way that you would test a physical outage — like power or communications — is crucial.”

Patients are paying more and more attention to how their private information is handled and their overall experience. Securing that experience means investing in preventative as well as reactive measures to protect that data — because in the health care industry, lives are literally on the line.