Ensuring Data Security: Managed IT Strategies for Boise Healthcare Facilities

Last updated: 10 Mar 2025

Healthcare data security in Boise, ID

Idaho’s population is growing fast, and its healthcare providers are overworked. The state ranks last in the nation for the number of doctors per capita. Many nurses in the state will be retiring soon, and plenty of doctors are still burned out after the pandemic. Medicaid is under threat, and the risk of cyberattacks is increasing.

Cyberattacks in the US on healthcare providers more than doubled between 2022 and 2023, making data security critical. The American Hospital Association warns that medical providers are a prime target for cyber criminals, as stolen health records may sell for up to 10 times or more the price of stolen credit card numbers on the dark web. The average cost of a healthcare data breach has reached $10.93 million, nearly double that of other industries.

Thieves are looking to steal patients’ protected health information (PHI), financial information, and personally identifying information (PII), such as Social Security numbers. In response, the Department of Health and Human Services (HHS) is updating cybersecurity requirements in healthcare. This includes working with Congress to increase the amounts of civil monetary penalties for HIPAA violations and to expand its investigative capabilities around incidents.

Data security in healthcare is imperative to protect patient trust, prevent system disruption, and avoid endangering human life. But healthcare providers, especially small and midsize providers, often struggle to find the time, money, and IT talent to build and manage comprehensive safeguards. Many medical devices are also connected to the internet, which makes them possible attack vectors. These devices may not support data encryption, which could allow unauthorized users to connect to them.

After a cyberattack, healthcare providers need to go back to paper-and-pencil processes and/or are unable to access medical systems and data, which forces them to send patients to other facilities.

Traditionally, sophisticated cybersecurity solutions have been designed for large enterprises, leaving small and midsize businesses (SMBs) to fend for themselves. Many medical facilities are turning to managed service providers (MSPs) for customized, affordable options for helping with data security and IT compliance.

Understanding the Stakes: Data Security in Boise Healthcare

The Risks to Healthcare Data

Common cyberattacks that lead to data breaches include phishing, ransomware, and supply chain attacks. The 2024 Ponemon Healthcare Cybersecurity Report found that, due to cyberattacks, 66% of healthcare providers reported disruption to patient care, 57% reported poor outcomes due to delays in procedures and tests, and 50% reported an increase in medical procedure complications.

Losses from phishing attacks were more than $18 million in 2023 alone. Phishing messages look and sound like they’re from a trusted source but are designed to trick recipients into clicking malicious links, opening infected attachments, and/or sharing login credentials, financial data, and other sensitive information. All it takes is for one clinician to click a link in a phishing email and enter their login credentials to a fake website. Cybercriminals can use this information to gain access to systems to launch further attacks, like ransomware.

In ransomware attacks, criminals use malware to encrypt healthcare providers’ data, then they demand a ransom to release the information. The attackers know that in healthcare, downtime can mean the difference between life and death, which puts extra pressure on healthcare providers to pay the ransom.

The Ponemon report also notes that nearly two-thirds (64%) of surveyed organizations had recently been victims of a supply chain attack that disrupted patient care. In these attacks, companies that supply products or services are compromised, which slows or stops delivery of key services and supplies. Outcomes include delayed surgeries, unattended medical exams, and poorer patient outcomes.

The effects of these attacks and data breaches include loss of patient trust along with regulatory fines and other financial losses.

Local Examples

Though Change Healthcare isn’t headquartered in Boise, the effects of a 2024 cyberattack on the provider are being felt by Idahoans and medical facilities across the nation, with one local provider only able to collect 15% of her payments. Alphonsus Health System of Boise experienced an attack, as did St. Luke’s Health System.

Challenges Facing Boise Healthcare Facilities

As one Boise IT veteran writes, the healthcare sector, especially smaller providers, is particularly at risk, as these organizations often don’t have the resources and expertise to apply comprehensive cybersecurity strategies. Many don’t carry cyberinsurance or have a recovery plan, and most have few in-house IT resources, making them vulnerable. Attracting and retaining top cybersecurity talent is difficult, as the healthcare industry typically doesn’t pay as well as other sectors.

Key Managed IT Strategies for Securing Healthcare Data

Comprehensive Risk Assessment

Running regular IT audits to analyze network architecture, data storage, and access controls helps identify vulnerabilities. These audits also help healthcare providers stay compliant with HIPAA and other industry standards and stay ahead of emerging threats.

Multi-Layered Security Solutions

A multi-layered security approach helps prevent, detect, and respond to threats with a combination of firewalls, antivirus software, endpoint security, and data encryption. Endpoint detection and response (EDR) is a comprehensive endpoint security solution that uses continuous real-time monitoring and data collection with rules-based automated response and analysis. MSPs can run EDR in a security operations center for real-time analytics and rapid threat detection to help protect data.

Encryption and Data Access Controls

Healthcare providers collect massive amounts of data. To deliver care, healthcare providers need fast, reliable access to this information.

HIPAA requires that healthcare organizations encrypt patient data during transmission and storage across networks, devices, and storage systems. This includes encrypting data-at-rest and data-in-transit, securing email communications, and implementing encryption protocols for remote access and mobile devices. This way, even if it’s intercepted, the data is unreadable. MSPs can also help manage data, making sure that it’s accessible and readable by various healthcare systems.

Role-based access is another safeguard. Controlling who has access to sensitive data is central to compliance. Access control measures limit data access to authorized personnel only. With this protection, MSPs can monitor activity to see who is accessing what data, and review access permissions regularly.

Regular System Updates and Patching

Unpatched computers are vulnerable to malware attacks or viruses that could affect other computers on the network. Running outdated software can slow performance and productivity. Old software can’t always process current protocols and regulations, which can cause compliance problems.

An MSP can ensure that your organization is applying the latest software patches and updates for top system performance and to protect against cyberthreats.

Compliance in Healthcare IT

Understanding Compliance Requirements

Healthcare providers in Idaho must comply with many regulations. These include:

Requirements can change throughout the year, so compliance is an ongoing practice.

In Idaho healthcare, non-compliance can include:

All these things can lead to significant legal penalties, including fines, malpractice claims, and potential jail time, depending on the severity of the violation. The Idaho Patient Act also allows for substantial damages to be awarded to patients in cases of willful non-compliance by providers.

Non-compliance can also lead to reputational damage and loss of patient trust.

How Managed IT Supports Compliance

Along with providing risk assessment, multi-layered security solutions, encryption and data access controls, and regular system updates and patching, a good MSP can provide:

  • Vendor management, to ensure partners comply with regulations. MSPs can centralize communication with vendors, standardizing processes and conducting regular compliance audits.
  • Incident response. Your MSP can build a response framework that covers notifying patients within 72 hours in the case of a data breach, as mandated by HIPAA. They will also put systems in place for handling security incidents quickly.
  • Cybersecurity frameworks and policies. A managed IT services provider can help your company follow NIST’s Cybersecurity Framework, ISO 27001 and ISO 27002, Center for Internet Security (CIS) Controls Framework, and so on.
  • Cybersecurity education for your employees. MSPs can educate your employees on privacy policies, data handling, and possible risks to patient data. They can hold regular compliance training sessions to help clinicians understand their responsibilities in maintaining data protection.
  • 24/7 monitoring and system reports. MSPs will monitor your network activity to find and address suspicious behavior or potential security breaches, along with systems and controls to protect patient data.
  • Reach and manage compliance. Your MSP can create compliance controls and help prepare your company for compliance examinations. They can also document healthcare providers’ IT environments and security processes and assist during internal or external audits.
  • Disaster recovery. MSPs have extensive experience in creating and deploying disaster recovery plans for clients across industries, giving them perspective on considerations that your organization might overlook.

The Benefits of Managed IT for Healthcare Facilities in Boise

Choosing the Right Managed IT Provider

When choosing an MSP, get clear on your needs. Then, make sure potential MSPs have experience in healthcare IT security.

It’s also a good idea to look for an MSP who’s been around for a long time and is based in your area. If they’ve built a thriving practice, chances are they’ll be around for as long as you need them.

They should also be familiar with Idaho state regulations and healthcare needs. For example, are they experienced in working with the Idaho Health Data Exchange (IHDE)?

Questions to Ask Potential MSPs

  • What security frameworks do you follow?
  • What compliance reporting tools do you offer?
  • What are the top vulnerabilities in the healthcare sector, and how do you address them?
  • How do you meet Cross-Sector Cybersecurity Performance Goals?
  • Do you follow the Health Industry Cybersecurity Practices from HHS and the Health Sector Coordinating Council (HSCC)?
  • With the varied nature of medical IT equipment form factors and communication protocols, how do you perform asset inventories and secure these assets?

What Can BlackPoint IT Services Do to Help

At BlackPoint IT Services, we help small and midsize healthcare providers like you in Boise and across the Western US with expertise and resources to stay ahead of cyberthreats. Let our IT security experts guide you toward a future-proof IT infrastructure. Schedule a consultation today to start on your healthcare security improvement journey.
