Cybersecurity is a critical challenge facing the healthcare industry globally. Along with phishing, ransomware ranks as a top threat to EHR security. A 2021 report by HIMSS uncovered that ransomware was the second-most common vector of cybersecurity incidents in the healthcare industry, comprising 17% of all breaches.
IT privacy and security breaches are costly. IBM estimates that the average cost of a ransomware attack is 4.62 million USD, not including the ransom price.
And the cost for home healthcare agencies is much higher once you include the impact of intangible and opportunity costs. The 2021 survey conducted by HIMSS found the top disruptions reported by healthcare organizations affected by cybersecurity incidents were:
- Disruption of systems and devices impacting business operations (32%)
- Data leakage (22%)
- Disruption of clinical care (21%)
While HIMSS notes that healthcare organizations typically spend 6% of their operating budgets on cybersecurity measures, this figure is often much lower at home care organizations, which may not even have an internal cybersecurity department.
The good news? Home care organizations can improve their EHR security measures by establishing a strong IT foundation, staff education and working closely with their software vendors.
We asked AlayaCare SVP, Legal and Risk Management and cybersecurity expert Richard Guttman for his top insights for home care agencies looking to strengthen their EHR security posture while maintaining interoperability – their ability to leverage the advanced clinical and financial benefits provided by today’s leading EHRs.
What is ransomware?
Before diving into how home care organizations can safeguard their operations from ransomware, it’s essential to understand what it is.
Ransomware is a type of malicious software – colloquially known as malware – that locks a target’s device, network and/or data. The cybercriminal behind the attack keeps the targeted assets locked down until the victim (usually an organization, but sometimes an individual) pays a ransom.
While ransomware attacks traditionally demanded a single, one-time ransom payment, double-extortion ransomware attacks are on the rise. In these attacks, the victim must pay two ransoms – one to unlock the original stolen data and another to prevent it from being stolen again.
According to IBM’s 2021 Cyber Resilient Organization Study, the majority of ransomware attacks are caused by:
- Social engineering tactics that prey on trust, such as phishing (45%). These attacks aim either to steal credentials such as passwords, which let attackers take data or other assets, or to give cybercriminals access so they can disrupt or corrupt a system.
- Insecure websites or software systems (22%). In this vector, hackers imitate a trusted website or application to bait users into entering sensitive details that they can then steal.
- Social media (19%). A common tactic involves hackers stealing a user’s credentials and then using their social media accounts to share malicious links.
- Malvertisements (13%). These are typically forced redirects to download malicious software via clicks on online advertisements.
Home care EHR security vulnerabilities
Home healthcare organizations can be particularly vulnerable to cybersecurity breaches and ransomware for a few reasons, notes Guttman. He cites the following risk factors as unique to the home care industry:
Mobile in-home delivery models – Many healthcare organizations, like hospitals and clinics, operate out of centralized locations where they can control IT protocols. In in-home care, there is less oversight of how staff access, review and save confidential health information.
Bring-your-own-device (BYOD) programs – When organizations supply mobile devices to staff, they have oversight into device settings, deployment of patches & updates and how the phone is used. Because BYOD is so common in the home care industry, agencies may be exposed to vulnerabilities throughout caregivers’ everyday use of devices during their employment. They may even be vulnerable after their employment ends without a guarantee that caregivers will wipe their phones.
Contractor-based workforce – Many home care agencies are hiring temporary W2 workers to address caregiver labour shortages. These contingent workers are employed through a staffing agency and engaged on a contract basis at home care organizations. By hiring temporary workers, agencies may have limited abilities to enforce IT and cybersecurity policies.
Legacy software systems – Unlike Software as a Service (SaaS) applications, locally installed applications that are purchased once and set up on a device’s operating system are more vulnerable to cybersecurity breaches. Software updates and bug patches are essential for maintaining a security posture. While the SaaS model ensures these updates are installed, this is not the case with locally installed programs.
How agencies can improve their cybersecurity posture
While the threat of ransomware attacks is intimidating for any company, home care organizations have many tools and strategies to tighten their security measures.
“For us, it starts with customer education and transparency about the shared responsibility models at the core of SaaS EHR platforms,” shares Guttman. “It’s essential that organizations understand not only the infrastructure that they will be leveraging, but also how their provider implements a broad array of security and privacy measures to make it work for home care businesses. We often start with the basics, helping customers to map the flow of data in and out of the EHR system, assigning data categories and risk profiles. All good security and privacy programs, and compliance with data protection laws and regulations, begin here.”
“These data maps are the core of most risk assessments under privacy legislation,” adds Guttman. “Under HIPAA, one core tenet is that every healthcare provider and anyone touching PHI should understand what data they have, where it is in the system and what controls there are around it.”
To strengthen HIPAA-compliant EHR security and better understand their data assets, Guttman recommends that home care organizations:
- Carefully define the scope of PHI access rights and privileges granted to administrators, managers, caregivers, clients and family members
- Document all practices around storing and sharing PHI:
  - Every location PHI is stored
  - What devices are used to access it – and the protective infrastructure on these devices
  - Where and how data is encrypted
- Conduct regular reviews of audit logs and audit trails to uncover any unusual system or user activity that may highlight unauthorized access to PHI
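The two recommendations above – scoping who may access which PHI, and then reviewing audit trails for activity that contradicts that scope – fit together naturally: the access scope becomes the baseline the log review is measured against. The following is an added example, not AlayaCare code or any real EHR’s audit format. It assumes a constructed whitespace-separated audit trail, a hypothetical caregiver-to-client roster (ASSIGNED_CLIENTS), and illustrative thresholds for bulk exports and failed logins, and flags four kinds of activity a reviewer would want a human to look at: a caregiver opening a record for a client not on their roster, PHI access outside business hours, one user exporting many records in a day, and repeated failed logins.

```python
"""Added example (not AlayaCare's code): review a constructed EHR audit trail
for activity that may indicate unauthorized access to PHI."""
from collections import Counter
from datetime import datetime

# Constructed sample audit trail (not real data).
# Columns: timestamp  user  role  action  client_id  result
SAMPLE_AUDIT_LOG = """\
2023-03-01T08:05:10 cg_ana caregiver view_record C100 ok
2023-03-01T08:40:22 cg_ana caregiver view_record C101 ok
2023-03-01T02:13:05 cg_ana caregiver view_record C250 ok
2023-03-01T09:01:00 adm_li admin export_records C100 ok
2023-03-01T09:01:05 adm_li admin export_records C101 ok
2023-03-01T09:01:09 adm_li admin export_records C102 ok
2023-03-01T09:01:15 adm_li admin export_records C103 ok
2023-03-01T09:01:20 adm_li admin export_records C104 ok
2023-03-01T09:01:25 adm_li admin export_records C105 ok
2023-03-01T10:12:00 cg_bo caregiver login - fail
2023-03-01T10:12:30 cg_bo caregiver login - fail
2023-03-01T10:13:00 cg_bo caregiver login - fail
2023-03-01T10:13:30 cg_bo caregiver login - fail
2023-03-01T10:14:00 cg_bo caregiver login - fail
2023-03-01T10:15:00 cg_bo caregiver login - ok
"""

# Hypothetical access scope: the clients each caregiver is assigned to.
# In practice this comes from the agency's scheduling/roster system.
ASSIGNED_CLIENTS = {
    "cg_ana": {"C100", "C101"},
    "cg_bo": {"C102"},
}

BUSINESS_HOURS = (6, 22)     # PHI access expected between 06:00 and 22:00
EXPORT_THRESHOLD = 5         # illustrative: exports per user per day worth a look
FAILED_LOGIN_THRESHOLD = 5   # illustrative: failed logins per user per day


def parse_audit_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, client, result = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "action": action,
            "client": None if client == "-" else client,
            "result": result,
        })
    return events


def review_audit_log(events, roster=ASSIGNED_CLIENTS):
    """Return a list of findings (rule, user, detail) for human review."""
    findings = []
    exports = Counter()        # (user, day) -> successful record exports
    failed_logins = Counter()  # (user, day) -> failed login attempts

    for ev in events:
        day = ev["time"].date()
        phi_access = ev["action"] in ("view_record", "export_records") and ev["result"] == "ok"

        if phi_access:
            # Rule 1: a caregiver touched a record outside their assigned roster.
            if ev["role"] == "caregiver" and ev["client"] not in roster.get(ev["user"], set()):
                findings.append({"rule": "off_roster", "user": ev["user"],
                                 "detail": f"{ev['action']} on {ev['client']} not in roster"})
            # Rule 2: PHI accessed outside business hours.
            if not (BUSINESS_HOURS[0] <= ev["time"].hour < BUSINESS_HOURS[1]):
                findings.append({"rule": "after_hours", "user": ev["user"],
                                 "detail": f"{ev['action']} on {ev['client']} at {ev['time'].isoformat()}"})

        if ev["action"] == "export_records" and ev["result"] == "ok":
            exports[(ev["user"], day)] += 1
        if ev["action"] == "login" and ev["result"] == "fail":
            failed_logins[(ev["user"], day)] += 1

    # Rule 3: bulk export of records by one user in one day.
    for (user, day), n in exports.items():
        if n >= EXPORT_THRESHOLD:
            findings.append({"rule": "bulk_export", "user": user,
                             "detail": f"{n} records exported on {day}"})
    # Rule 4: repeated failed logins (possible credential guessing or phished account).
    for (user, day), n in failed_logins.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append({"rule": "failed_logins", "user": user,
                             "detail": f"{n} failed logins on {day}"})
    return findings


if __name__ == "__main__":
    for f in review_audit_log(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"[{f['rule']}] {f['user']}: {f['detail']}")
```

On the sample data this surfaces four findings: the after-hours view of an off-roster client by cg_ana (two rules fire on the same event), six exports in one day by adm_li, and five failed logins for cg_bo before a success. Each finding is a starting point for a review, not a verdict; a documented roster and defined business hours are what turn a raw audit trail into something a small agency can actually triage.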
To ensure your team is informed about cybersecurity best practices and prepared to spot potential breach vulnerabilities, Guttman recommends that agencies implement the following training strategies:
- Find a service provider for HIPAA training and hold regular sessions for employees at every level of the organization
- Establish device and usage policies to ensure PHI is handled and stored correctly
- Run simulated phishing campaigns: educate staff about what phishing can look like, then test whether they will click a link in a fake phishing email
- Ensure that employees update their operating systems and software whenever new versions are released
The role of software vendors in cybersecurity
Because cybersecurity is a shared responsibility, home care agencies should lean on their software providers to ensure their most valuable assets – the personal health information of their clients – are protected.
“At AlayaCare,” says Guttman, “we share our security and privacy practices in cybersecurity to support our customers from the very beginning of our relationship.”
As a cloud-based SaaS provider to the world’s leading home care organizations, AlayaCare helps safeguard EHR security while maintaining interoperability by:
- Encrypting all data in transit and at rest.
- Minimizing local data storage whenever possible to ensure it’s not downloadable.
- Setting comprehensive access controls at the configuration phase with clients. This enables organizations to determine which users have access to what information. And more importantly – to track this through audit logs and audit trails.
- Following comprehensive breach protocols to investigate any potential security incidents. Since its inception, AlayaCare has had no data breach, external or internal, and no reportable violations of HIPAA or any other applicable privacy laws.
- Maintaining and rehearsing incident response plans, including protocols with insurers, law firms and each internal security response team member.
Getting proactive about cybersecurity
While cybersecurity is one of the most significant global challenges facing the healthcare system, home care agencies can implement several strategies to reduce their risk. And they don’t have to do it alone.
Cybersecurity is a shared responsibility between a healthcare provider, its clients and caregivers, and its EHR provider. When it comes to keeping home care clients’ PHI safe, agencies should ensure they’re working with a trusted software partner to help keep this critical information private.
Curious about what else you can do to enhance your security posture, especially to protect ePHI in and around your EHR systems, and prevent malicious attacks? Make sure you don’t miss our free guide to help home care agencies protect themselves from ransomware attacks. Subscribe to our email list to ensure you get it first.
If you’re interested in learning more about best practices in cybersecurity for home care organizations, you can catch SVP, Legal and Risk Management Richard Guttman’s presentation at the NAHC Home Care and Hospice Conference & Expo in St. Louis, Missouri this October.