The Healthcare Hub

The Healthcare Hub blog focuses on how greater collaboration and visibility across the supply chain can improve both clinical and financial performance in healthcare. Working with hospitals, manufacturers, distributors and group purchasing organizations (GPOs) in North America and Europe, GHX provides a global perspective on issues such as healthcare reform, standards adoption, automation, e-commerce and demand planning, among others.

Connie Emery

Director Compliance and Enterprise Risk Management, Privacy Official
Tuesday, December 20, 2016

How to Prepare for a Healthcare Hack

For hospitals and health systems today, it’s not a matter of WILL my organization get targeted by hackers but WHEN. Nearly 90 percent of healthcare organizations surveyed by the Ponemon Institute for its Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data experienced a data breach in the past two years, and nearly half (45 percent), had more than five data breaches in the same time period.1

If you are a healthcare organization, you need to prepare for responding to a hack. This preparation should include the following:

  • A risk assessment of your organization, including who has access to protected health information (e.g. employees, business associates) and areas where you are vulnerable to an attack (e.g. portable devices such as laptops and smartphones).
  • Training for everyone within your organization on what they need to report (e.g. stolen or lost laptop) and a method for reporting these incidents.
  •  A developed and tested incident response plan that includes:

1. a description of your incident response process including responsible parties

2. a description of your incident analysis and risk assessment process 

3. identification of notification requirements

4. a post-incident analysis and corrective action plan

Just because healthcare data hacking is on the rise doesn’t mean you should just sit back and wait for it to happen to your organization. Be proactive with your data security – audit yourself to uncover areas of vulnerability, determine what data sources are sensitive/valuable, and start with the basics – such as improving the strength of passwords – and work from there toward greater security measures to protect your patients.

Read this case study to learn how Eskenazi Health, a 315-bed hospital in Indianapolis, has improved compliance with the HIPAA Final Omnibus Rule and become better prepared for an OCR audit.



Compliance and Credentialing