Cultivating digital resilience: The crucial role of cyber hygiene, Part 1

In this climate of pervasive security threats and attacks, good cyber hygiene can bolster your organization's defenses, protect sensitive data, and build digital resilience.

Cybercrime is pervasive in the digital age, with cybercriminals constantly changing and advancing their techniques. In response, cybersecurity strategies must be proactive and adaptive. It isn’t enough to combat cyberthreats; organizations must work to maintain good cyber hygiene.

What is cyber hygiene?

We all understand the importance personal hygiene habits like washing hands and flossing to support physical health. Cyber hygiene habits are a set of practices to help fight against cyber threats, protect sensitive information, create resilience in digital systems, and enable a healthy, secure digital environment.

Let’s take a closer look at the benefits of good cyber hygiene habits, and the role they play in fortifying an organization's defenses.

Safeguarding sensitive data

At the heart of cyber hygiene lies the protection of sensitive data. All organizations deal with confidential information, from employee data to proprietary business plans. Cyber hygiene practices like encryption, regular backups, and access controls shield this valuable information from unauthorized access.

Preventing data breaches

Security incidents, like data breaches, can have severe consequences. They tarnish reputations and lead to crushing financial costs. Cyber hygiene best practices like regular security audits build a robust defense against potential breaches.

Mitigating insider threats

Insider threats, even when they aren’t deliberately criminal, put organizations’ systems and data at risk. Cyber hygiene measures, such as least privilege access, minimize the impact of insider threats to help maintain a secure digital environment.

Adapting to evolving threats

Today’s cybercriminals are dynamic, using sophisticated and evolving technologies to breach defenses. Regularly updating security protocols and staying aware of emerging threats help organizations adapt to the ever-changing threat landscape.

Ensuring regulatory compliance

In a time of stringent data protection regulations, good cyber hygiene is essential to ensure regulatory compliance. Organizations need measures such as data encryption and incident response plans to meet the requirements of data protection laws and standards.

Preserving business continuity

Cybersecurity incidents disrupt business operations, leading to downtime and loss of productivity. Cyber hygiene measures, including disaster recovery plans and regular system backups, help preserve business continuity by minimizing the impact of potential disruptions.

How can organizations ensure good cyber hygiene?

Good cyber hygiene results from a comprehensive cybersecurity strategy that incorporates the following best practices.

Build a security-conscious culture

Good cyber hygiene requires continuous education and awareness. Employee training on cybersecurity best practices and shared responsibility builds a workforce that actively helps to protect your digital assets.

Strong password policies

Make the use of complex, unique passwords compulsory, along with regular password changes. Using multifactor authentication adds an extra layer of security.

Privileged access management

Implement a privileged access management solution to manage and control access to privileged accounts. This helps prevent unauthorized access and ensures that employees only have the privileges they need.

Data encryption

Encrypt sensitive data, both in transit and at rest. Encryption adds an extra layer of protection to prevent unauthorized access to confidential information.

Regular security audits and vulnerability assessments

Conducting regular security audits and assessments identifies potential weaknesses before they can lead to security incidents. Proactively addressing vulnerabilities enhances overall cyber resilience.

Secure network configuration

Securely configure networks, limiting access, and segmenting sensitive data. This minimizes your attack surface and your vulnerability to security breaches.

Collaboration with cybersecurity experts

Engage with cybersecurity experts, consultants, or services to stay on top of the latest threats and best practices. Collaborating with experts can provide insights and guidance tailored to your specific needs.

Implement good cyber hygiene habits at your organization

The importance of good cyber hygiene can't be overstated. Cyber hygiene is the foundation of a secure and resilient digital infrastructure. It safeguards sensitive data, helps prevent breaches, and fosters a culture of security. Integrating cyber hygiene into daily operations is key to successfully navigating the complex digital landscape.

Learn how the Imprivata access management suite of solutions can help you follow good cyber hygiene at your organization – and stay tuned for Part 2 of this two-part deep dive into cyber hygiene.

Level up your security, privacy, and compliance
Imprivata Enterprise Access Management (formerly OneSign) Certification Program (Jun 10 - 13, 2024)
Patient misidentification is a huge problem, and biometric technology holds the solution

Patient misidentification is on the rise and can have deadly consequences. Find out more about this problem, and why facial biometrics are the solution.

In the United States and across the globe, healthcare and computers are inextricably linked. And most patients assume that check-in procedures ensure that all diagnoses, prescriptions, and test results will be linked to their identity and properly compiled in their medical records.

Sadly, it doesn’t always work that way. Patient misidentification is a growing concern, and the consequences can be fatal. It’s time for healthcare organizations to double down on ensuring positive patient identification, because accurate patient identification is so critical to the delivery of care.

How can they do that? With biometric patient identification technology.

Why is patient misidentification so common?

The increased demand for medical care during and after the pandemic, combined with a nationwide nursing shortage, has healthcare systems strained and stretched thin. Consequently, mistakes happen. Manual patient identification methods, like names and dates of birth, are also easily prone to errors that lead to duplicate records. Sometimes errors are due to staff mistakes, and sometimes patients provide outdated and incorrect information.

Even when information is accurate and entered correctly, identifiers like names and dates aren't always unique to one patient. Furthermore, manual identification methods don’t easily facilitate data exchange between providers or healthcare systems. Relying on manual processes in an increasingly connected healthcare landscape hinders continuity of care. It also makes providers and patients more susceptible to identity theft and fraud.

The problem of duplicate records and insurance claim denials

In addition to a strained healthcare ecosystem, the widespread merging of healthcare providers and systems contributes to the increase in duplicate patient records. Ten percent of patient records at the average hospital are duplicates, according to The American Health Information Management Association (AHIMA). Other research studies back up the number. But a 2021 Black Book study reports that an average of 24% of healthcare organization records are duplicates.

Duplicate patient records lead to patient misidentification, which creates massive financial burdens for healthcare providers. Rates of accurately matching patients to their medical records can be just 80% within a single care setting, and as low as 50% in organizations that share electronic health information. According to Black Book, approximately 35% of denied claims are a result of inaccurate patient identification. This leads to an average annual cost of $2.5 million per hospital, and $6.5 billion across the US health system. Another study estimates the average per-hospital loss to be $17.4 million annually.

Tragic consequences for patients resulting from misidentification

The consequences of patient misidentification are more than just financial. Imagine a patient named Sarah. She undergoes routine blood tests to monitor her cholesterol levels. Unfortunately, due to a clerical error, her test results are mixed up with another patient's. As a result, Sarah's cholesterol levels are misinterpreted as high, leading to unnecessary medication. It takes several weeks to discover the error, causing Sarah unnecessary stress and inconvenience. While this error had relatively minor consequences, it highlights the dangers of patient misidentification, as errors related to more severe diagnoses, like cancer, can have devastating effects on patient health and treatment outcomes.

One small error can cost a life. In fact, medical errors are the third leading cause of death after heart disease and cancer.

Patient misidentification can lead to treatment delays, misdiagnosis, medication errors, and privacy breaches. Identification errors put patients a risk and work against healthcare organizations already struggling to survive.

So, what can be done to remedy this problem and its catastrophic consequences?

Facial biometrics: the solution for patient misidentification

Now is one of those times in history when a technology is invented or advanced in response to a pressing need. Facial recognition technology increases accurate patient identification, reduces duplicate records, and improves data integrity.

Facial recognition technology isn't new — many people already use it to securely access their smartphones. What is new is advancing and implementing this technology for healthcare. The distinctive characteristics of a face, such as the distance between the eyes, can be used to create a unique identifier for accurate patient identification. This unique identifier can be linked to patients’ digital records, reducing duplicates and creating a more comprehensive and standardized electronic health record (EHR).

Biometric patient identification dramatically increases efficiency and helps organizations realize more value from their electronic health record (EHR) system. Touchless verification and patient record matching streamlines patient check-ins and reduce duplicate records. This not only saves time for patients, but also enables clinicians to maximize the benefits of the EHR while improving patient safety. Facial recognition also avoids human error and protects patient privacy by eliminating manual identification.

Safeguarding patients and providers with biometrics

More healthcare organizations are adopting mobile devices to streamline workflows and improve access to patient information. And many are using facial biometrics for secure, passwordless, mobile authentication for clinicians. This quick, simple solution means security protocols are no longer a hindrance that clinicians often work around in unsecure ways. Instead, security hinges on a simple step that integrates with what clinicians are already doing — looking at their mobile screens.

Plus, millions of smartphone users already trust facial biometrics to protect the personal data in their phones – it isn’t much of a leap to trust the technology with their protected health information (PHI). Biometrics can not only revolutionize patient identification, but also advance patient safety, security, and privacy.

Biometrics in 2024 and beyond

Facial biometric identification is a convenient, accessible, and intuitive solution. It improves data accuracy, streamlines workflows, optimizes EHR systems, and enhances patient safety. It also improves patient experience in a very straightforward way — by reducing patient wait times. Research shows that 84% of healthcare consumers report wait time at the doctor’s office as either “somewhat important” or “very important” to their overall patient experience.

As facial biometric technology continues to advance, it will play a key role in reducing patient misidentification and improving the quality of patient care. Read our datasheet on Imprivata Biometric Patient Identity to learn about our first-of-its-kind facial recognition and record matching technology.

Partially offboarded healthcare employees: Risks and remedies

Failure to properly offboard employees exposes healthcare organizations to serious security risks. Learn about these risks and how to avoid them with identity governance.

When an employee departs, does your data stay put? Employees can leave an organization for a variety of reasons, and managing their departures is an integral part of business dynamics. Yet, the potential security hazards posed by staff departures loom large. Insufficient offboarding procedures make healthcare organizations more vulnerable to cybersecurity risks, from careless mishaps to calculated, malicious actions.

High turnover rates and layoffs only add to the security pressures of offboarding. Sometimes staff depart at short notice. Healthcare organizations need to already have solutions in place to avoid the risks of improperly offboarded employees. For example, if organizations don’t have the full picture of all employee identities and assets, a former employee could retain privileged access to exploit down the line.

Key concerns associated with partial offboarding

Partially or improperly offboarding employees is like leaving the front door open and your valuables exposed. Here are some of the key associated risks:

  1. Unauthorized access: Employees who are only partially offboarded may retain access to critical systems, applications, or sensitive data. This leaves your organization vulnerable to unauthorized access, data breaches, and potential misuse of information.
  2. Data leakage: Former employees who retain access to sensitive data increase the risk of data leakage. Whether this is patient records, financial information, or intellectual property, leakage jeopardizes the confidentiality and integrity of your assets.
  3. Insider threats: Former employees with lingering access may unintentionally or intentionally pose insider threats. They can misuse their access privileges due to dissatisfaction or external coercion.
  4. Compliance violations: Regulatory compliance is obviously crucial in the healthcare industry. Improper offboarding can result in non-compliance with data protection regulations like the Health Insurance Portability and Accountability Act (HIPAA). It can also bring severe penalties and legal consequences.
  5. Reputation damage: Security incidents stemming from partially offboarded employees can harm your organization's reputation. News of data breaches or leakages of sensitive information can erode trust among clients, partners, the public, and most importantly – patients.
  6. Intellectual property risks: In industries where intellectual property is vital, such as healthcare research and development, partially offboarded employees may retain access to proprietary information, putting intellectual assets at risk.
  7. Operational disruption: Partial offboarding can also disrupt normal operations. Investigating and remediating security incidents can lead to downtime and potential financial losses.
  8. Ineffective incident response: Partially offboarded employees can be difficult to identify as the source of a security incident. This delays your organization's ability to contain and mitigate security threats.
  9. Credential exploitation: Lingering access provides opportunities for hackers to exploit credentials. Using legitimate accounts for unauthorized entry makes it harder to detect and respond to security incidents.
  10. Complex access management: Managing access for partially offboarded employees becomes a complex task, especially in large organizations. This increases the likelihood of oversights and errors, exposing the organization to security vulnerabilities.

Avoiding the risks of partially offboarded employees

To address the risks discussed above, organizations should prioritize strong offboarding processes. Automation and integration between HR and IT systems also support efficient and secure offboarding procedures.

A robust identity governance solution should allow organizations to securely manage access rights, ensure regulatory compliance, and minimize risks. Most of all, it will help fortify the data security essential to quality healthcare delivery. In an industry where patient confidentiality is paramount, identity governance is an ally to navigating workforce transitions with confidence and precision.

Let’s take a closer look at the necessary identity governance capabilities and their benefits.

Immediate access revocation

Identity governance solutions should enable healthcare organizations to swiftly revoke access privileges when an employee leaves. This mitigates the risk of unauthorized access to sensitive patient data or critical systems, and ensures compliance with data protection regulations.

Comprehensive access review

With the complex network of systems and applications in healthcare, identity governance should facilitate a thorough access review during offboarding. This ensures that no access permissions remain, reducing the potential for security gaps and protecting against insider threats.

Regulatory compliance assurance

Healthcare organizations operate within a regulatory framework requiring stringent data protection. Ideally, identity governance solutions should provide an auditable trail of access changes to ensure offboarding adheres to industry regulations.

Reduced human error

Automating the offboarding process through an identity governance solution minimizes the risk of human error. Advancing past manual system access management significantly reduces the odds of overlooked or incomplete de-provisioning.

Efficient workflow integration

Identity governance solutions should seamlessly integrate with existing HR and IT workflows. Allowing for automated communication between departments helps reduce administrative burdens and ensure an efficient transition.

Customizable access policies

Every healthcare organization has unique roles and responsibilities. A robust identity governance solution allows for customizable access policies. Tailoring access rights to specific job roles makes the offboarding process more granular and precise.

Enhanced security posture

Identity governance for offboarding elevates your overall security posture. Proactively managing employee identities minimizes the opportunity for cyberattacks, and it helps to meet increasingly challenging cyber insurance requirements.

Clear and comprehensive offboarding with identity governance

In healthcare organizations, the benefits of identity governance for offboarding extend beyond efficiency. They provide a secure mechanism to manage access rights, ensure compliance, minimize risks, and fortify the data security essential to patient confidentiality. Identity governance safeguards data and systems, maintaining patient trust and supporting enhanced care quality.

Learn how Imprivata Identity Governance and Administration (formerly Imprivata Identity Governance) can help minimize offboarding security risks.

7 HHS best practices to mitigate healthcare cyber threats

As cyber threat frequency and severity continue to grow, the HHS has stepped into the picture. Here’s a look at recent settlements announced by the HHS and its best practice recommendations to mitigate threats. 

Cyber threats pose a significant risk to the healthcare industry due to the sensitive nature of patient data. And the threat is only growing. In fact, there’s been a 256% increase in large breaches reported to the U.S Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in the last five years.

As a result, the OCR has begun to step in, first announcing a settlement with a Massachusetts-based medical management company resolving potential violations from a 2018 ransomware attack. The OCR has more recently announced its second settlement, with a HIPAA-regulated entity that fell victim to a ransomware attack in 2019, compromising the protected health information (PHI) of over 14,000 individuals.

These settlements highlight the increasing prevalence of ransomware as a significant cyber threat in the healthcare sector. Considering this growing threat, the OCR has released recommendations for best practices to help mitigate the risks of cyber threats:

  1. Vendor and contractor relationships

    Healthcare organizations should review all vendor and contractor relationships to ensure that appropriate business associate agreements are in place. These agreements should address breach and security incident obligations, ensuring that all parties involved are committed to protecting sensitive data.

  2. Risk analysis and management

    Organizations should also integrate risk analysis and risk management into business processes with regular assessments, especially when implementing new technologies or business operations. This proactive approach helps identify vulnerabilities and implement appropriate security measures.

  3. Audit controls and information system activity

    By implementing audit controls to record and examine information system activity with regular reviews, healthcare organizations can promptly detect any suspicious or unauthorized access attempts.

  4. Multifactor authentication

    To ensure only authorized users access protected health information, healthcare organizations should implement multifactor authentication. This additional layer of security can help prevent unauthorized access, even if login credentials are compromised.

  5. Encryption of PHI

    By encrypting protected health information, organizations can ensure that even if the data is intercepted, it remains unreadable and unusable to unauthorized individuals.

  6. Incorporating lessons learned

    Organizations should learn from previous incidents and incorporate those lessons into their overall security management process. This continuous improvement approach helps strengthen security measures and better protect against future cyber threats.

  7. Workforce training

    Employees should be aware of their critical role in protecting privacy and security. Organizations should provide regular training on HIPAA policies and procedures, tailoring approaches to specific needs and job responsibilities.

Healthcare organizations can help mitigate cyber threats by ensuring HIPAA compliance and adhering to the HIPAA Security Rule, which requires implementation of security measures that can help prevent the introduction of malware, including ransomware. They’ll also benefit by reviewing OCR recommendations and making changes to their policies and procedures as necessary. By implementing robust security measures, conducting regular risk assessments, reviewing processes, and ensuring workforce awareness, organizations can better safeguard sensitive patient data from cybercriminals.

Learn more about strategies and practices to help mitigate cyber threats.

Privacy Monitoring Best Practice
3 strategies for reducing clinician burnout with EHR optimization

Clinician burnout is a serious issue with significant financial consequences. Discover lists three practical strategies to lessen early-stage burnout by enhancing electronic health record (EHR) experience.

In recent years, burnout rates have significantly increased among clinicians, with physicians and nurses being most affected. In 2019, between 35 and 54% of U.S. nurses reported symptoms of burnout, and in 2021, more than three out of five physicians reported at least one burnout symptom.

The pandemic is often cited as the reason for this, and it's certainly a contributor. A study of U.S. data collected only up to November 2020 reported the resulting incidence of post-traumatic stress disorder to be at 49%. But clinical burnout also stems from problems that existed long before the pandemic – the healthcare needs of an aging population, funding limitations, demanding workdays, and so many healthcare workers aging out of their jobs, all contribute.

3 ways to prevent clinician burnout

Burnout can have significant financial consequences for organizations. KLAS research estimates that each burned-out physician equates to an $80,000 decrease in revenue. Furthermore, the study reveals that burnout severity directly influences how likely clinicians are to leave an organization within the next two years. You can see how quickly things could get out of hand.

The fact is, preventing burnout in the early stages is far more effective than attempting to reduce it once clinicians are already suffering. So how can organizations accomplish that?

Well, a study involving 20,200 physicians and 32,782 nurses found that enhancing electronic health record (EHR) efficiency can help alleviate early-stage burnout. And luckily, this is an achievable goal.

Here are three ways your organization can reduce clinician burnout by boosting EHR optimization.

1. Provide day-one access to EHR modules and capabilities

Efficiently granting application access is crucial for new hires to succeed. However, managing access rights across multiple systems can be challenging, leading to delays of days or weeks. Even after a user is granted access, that access may not precisely align with their needs. And the resulting delays can impede clinicians from fully utilizing the EHR, reducing user satisfaction and creating barriers to patient care.

Furthermore, access needs are ever-changing. User workflows may change over time due to attrition, role changes, or promotions. Users with inappropriate permissions constitute a severe security risk – one that often persists after an employee leaves an organization. Research found that 89% of employees could still access sensitive corporate applications well after their departure.

2. Streamline access to applications and the EHR

Every time a clinician engages with a patient, they first need to log in by entering their username and a complex password. Clinicians can spend up to 45 minutes logging in up to 70 times a day, creating password fatigue and frustration. This also disrupts clinicians’ focus on the task at hand, adding to mental strain and contributing to burnout. That’s why it’s so critical to automate access management workflows.

In addition, EHR systems are constantly evolving to introduce valuable new features and workflows. Security needs can hinder adopting such features. Many workflows — such as medication administration and break the glass — require repetitive authentication with usernames and passwords. As a result, security barriers reduce the value these workflows could otherwise offer.

Some EHR capabilities, such as EPCS (electronic prescribing of controlled substances), require even stronger authentication methods. This can create additional inefficiencies and increase frustration. By expediting access with badge-tap SSO, CHRISTUS Health reduced clinical authentication time by 70%, saving approximately $3.2 million in annual revenue.

3. Support patient care at the bedside with seamless mobile workflows

Healthcare organizations are adopting mobile technology to improve workflows and deliver real-time access to tools and information from any location at any time. However, mobile environments can also create barriers to use that hinder organizations from optimizing their investments.

According to a recent survey, clinicians use around six different applications on a shared mobile device per shift, accessing each approximately 25 times. Having to repeatedly input usernames and passwords to unlock mobile devices and access applications naturally contributes to burnout. Furthermore, to ensure the flexibility of strong authentication workflows like EPCS, workflows should be supported on mobile devices as well. Yale New Haven Health System recently enhanced clinician experience by implementing seamless badge-tap access to 6,000 shared smartphones. This move also optimized mobile productivity and ROI.

Transform the clinical experience

Vendors will continue to introduce new capabilities and modules that benefit clinicians and patient care — if they can be easily accessed. Otherwise, innovations become just another factor contributing to burnout. Organizations must invest in optimizing their EHR to prevent clinician burnout in its early stages, when it has the most impact.

Our eBook, Maximizing the value of your EHR, demonstrates how digital identity solutions can deliver a seamless user experience that boosts EHR adoption and clinician satisfaction — without compromising security.

5 reasons clinician involvement is the key to optimizing EHRs
HHS ruling brings new substance use disorder privacy regulations for April 2024

A recent HHS ruling aims to better align Confidentiality of Substance Use Disorder Patient Record regulations with HIPAA. Here’s a look at the changes, benefits, and challenges.

In a significant move to address the growing concerns surrounding the privacy of individuals seeking treatment for substance use disorders, the U.S. Department of Health and Human Services (HHS) has recently issued a rule to align the Confidentiality of Substance Use Disorder Patient Record regulations (42 CFR Part 2, also known as Part 2) with the Health Insurance Portability and Accountability Act (HIPAA). This development aims to strike a balance between safeguarding patient privacy and ensuring the effective exchange of information for treatment purposes. Let's dive into the details of this rule and its potential impact on healthcare providers and patients.

Background: Inconsistent privacy regulations

Historically, privacy regulations for substance use disorder records, governed by Part 2, have been more stringent than those under HIPAA. These stricter regulations were initially implemented to encourage individuals to seek treatment without fear of their information being disclosed and potentially leading to negative consequences, such as discrimination or legal repercussions. However, this created challenges for healthcare providers who needed access to comprehensive patient information to provide effective care.

Key changes and implications

The new HHS rule aims to harmonize the privacy regulations for substance use disorder records with HIPAA. This alignment will allow for better coordination of care, improved patient outcomes, and enhanced integration of substance use disorder treatment into mainstream healthcare. The new ruling will take effect on April 16, 2024, with a two-year deadline for entities subject to the regulations to comply, and includes:

  1. Consent requirements | Under the revised rule, patients can provide general consent for the disclosure of their substance use disorder information. This consent will allow healthcare providers to share relevant information with other entities involved in the patient's care, ensuring a more holistic approach to treatment.
  2. Redisclosure prohibition | The HHS rule strengthens the prohibition on redisclosure of substance use disorder information. This means that entities receiving such information are prohibited from further disclosing it without explicit consent from the patient, except in specific circumstances outlined in the rule.
  3. Integration with electronic health records (EHRs)| The rule encourages the integration of substance use disorder treatment records with EHRs, facilitating seamless information exchange and promoting a more comprehensive understanding of a patient's medical history.
  4. Research and audit purposes | The revised rule allows for the disclosure of substance use disorder information for research and audit purposes, provided certain safeguards are in place to protect patient privacy.
  5. Breaches and penalties | Part 2 now aligns with HIPAA in the areas of breaches, patient notification requirements, and penalties. This includes the same requirements as the HIPAA Breach Notification Rule, HIPAA Notice of Privacy requirements, and civil monetary fines and criminal enforcement currently applied to HIPAA violations.

Benefits and challenges

The alignment of substance use disorder privacy regulations with HIPAA brings several potential benefits. It enables healthcare providers to have a more complete picture of a patient's medical history, leading to improved treatment outcomes. It also facilitates better coordination between substance use disorder treatment providers and other healthcare professionals, ensuring a more integrated approach to care.

However, challenges may arise in implementing these changes. Healthcare organizations will need to update their policies and procedures to comply with the revised regulations. As part of that, ensuring proper training and education for healthcare professionals regarding the new rules will be crucial to avoid any inadvertent breaches of patient privacy. Ensuring record access to this sensitive patient group is monitored and protected can help with new regulation compliance.

This new policy alignment represents a significant step forward in balancing patient privacy with the need for effective care coordination. By streamlining the exchange of information, the rule aims to enhance the quality of substance use disorder treatment and promote better patient outcomes. As healthcare providers adapt to these revised regulations and ensure compliance, it's essential to prioritize patient privacy to foster a more integrated and patient-centered approach to care.