ADVERTISEMENT
Providers and Patients Together Can Mitigate Increasing Cybersecurity Risks
Ransomware attacks and data breaches have caused catastrophic circumstances for already-strained healthcare systems, including providers of mental health and substance use disorder treatment, in recent years.
A recent Journal of the American Medical Association Health Forum analysis noted 374 healthcare-related ransomware attacks between 2016 and 2021 potentially impacted records of more than 40 million patients, including those treated by mental/behavioral health organizations. Healthcare data breaches affected roughly 50 million Americans in 2022.
Cybersecurity incidents range from phishing and spoofing, which trick victims into revealing private information, to ransomware using malicious software (malware) to prevent individuals or companies from accessing their own information—sometimes accompanied by a supposed a “promise” to restore access if a fee/ransom is paid to the perpetrator(s)—to network intrusions and data breaches and theft.
Healthcare is far from the only sector of the economy at risk from various forms of cyber threats—utilities, transportation providers, and financial services companies, among others, also face high risks. Federal, state, local, and tribal employees and government agencies also are being targeted.
But the sensitivity of health conditions makes compromise of such information especially disconcerting for patients, providers, and organizations. The American Medical Association (AMA) emphasizes in its Code of Medical Ethics that “[p]rotecting information gathered in association with the care of the patient is a core value in healthcare.” Many patients likewise feel strongly that providers and organizations should do their part to protect patient privacy. State and federal laws and regulations exist to safeguard patient privacy and confidentiality, including with respect to behavioral health. The behavioral health area is not exempt from the risks that impact the public health and healthcare sector.
On one level, it is hardly surprising that mental health and substance use disorder treatment organizations would be among those most at risk from cyber incidents. After all, healthcare accounts for nearly 18% of the nation’s gross national product. Stealing or unethically obtaining medical information can be profitable for alleged wrongdoers and costly (up to $8 million per incident) for companies and organizations involved. Within the behavioral health field alone, there are about 20,600 facilities offering mental health or substance use treatment or both, according to a recent survey published by the Substance Abuse and Mental Health Services Administration (SAMHSA).
Subject to certain exceptions, data breaches involving healthcare information from entities covered by the Health Insurance Portability and Accountability Act (HIPAA), which applies to most providers, must be reported to the US Department of Health and Human Services (HHS). The department maintains a list of breaches impacting 500 or more patients. Some entities not covered by the HHS breach notification rule, such as vendors of personal health records, may be subject to a similar Federal Trade Commission rule.
How Providers Can Protect Patient Data
While it is difficult to create a perfectly secure environment, it is possible for individuals and organizations to enhance their cybersecurity. A new National Cybersecurity Strategy and recently implemented enhanced cyber incident reporting requirements will help. The HHS Office of the Chief Information Officer’s Health Care Cybersecurity Coordination Center (HC3) provides information about current trends and threats, such as ransomware and electronic health records.
The Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, also offers important training and resources, including on cybersecurity best practices. As part of its Shields Up initiative, CISA offers suggestions for families, leaders, and organizations on reducing cyber threats. For organizations, maintaining up-to-date antivirus software, using multifactor authentication (MFA), which relies on more than just a password for accessing a network or website, and using free services from CISA can help. Working with outside/third-party vendors that provide services for an organization also is critical. For individuals and families, CISA advises steps enabling automatic updates for software, using MFA, and using strong, hard-to-guess passwords. Both HC3 and CISA offer briefs, regular alerts, and periodic webinars for individuals and organizations to stay up to date.
As providers strive to provide integrated, whole-person behavioral healthcare, protecting patient privacy will be paramount to earning and sustaining patient trust. Even seemingly small steps can go a long way toward protecting critical health records and mitigating the potential damage cyber incidents may cause both patients and providers.
Mitchell Berger, MPH, has worked on behavioral and public health issues, including behavioral health privacy, at the federal and local levels.
The views expressed in Perspectives are solely those of the author and do not necessarily reflect the views of Behavioral Healthcare Executive, the Psychiatry & Behavioral Health Learning Network, or other Network authors. The opinions expressed above represent the author’s personal views and should not be imputed to any other individuals nor to any public or private entities. Perspectives entries are not medical advice.
References
