Safeguarding Healthcare Foodservice Data
Many common foodservice software tools contain patient information you need to protect from hackers
Nearly 90 percent of healthcare providers have been hit by data breaches in the last two years, according to the Ponemon Institute, a security research firm based in Traverse City, Michigan.
That’s no surprise, given the extensive nature of electronic medical records today. Patient names, health and family histories, Social Security and social insurance numbers, billing information—it’s all there, and cyber-thieves can sell it all on the black market.
The challenge of keeping data secure applies to foodservice as much as any other department. Tray-tracking software, meal-ordering applications, and other programs can all contain sensitive patient information that can be exploited by unscrupulous parties. The danger is not just external and not just digital—for example, an employee or visitor could glean personal data from a swiped tray receipt, and sell it for profit.
5 Ways to Prevent and/or Manage Data Breaches
1. Identify your vulnerabilities. Proactively map the ways in which your department's data could be breached. Online attacks are now the most common form of data breach, but also consider employee negligence or malice, lost or stolen laptops and tablets, and web-borne malware.
2. Work with IT. Consult your IT department or external cybersecurity experts to devise strategies that minimize your risk. Encryption, for example, limits what a thief can read from a lost laptop or tablet or from intercepted network traffic, so patient data should be encrypted both where it is stored and when it moves between systems. Insist that the vendors of your meal-ordering and tray-tracking software document how they protect patient data (encryption, access controls, audit logging, patching) before they handle it.
3. Educate employees. Make sure employees know the government rules as well as your employer's own guidelines for protecting privacy. Make privacy protection part of every job description, and make sure staff know which health information is considered protected and what safeguards are in place to keep it that way.
4. Monitor devices and records. Remind employees to keep a close watch on electronic devices and paper records. Many data breaches occur due to the theft of these items from home or vehicle, as well as the office.
5. Design a response plan. Work with hospital administration, communications professionals, legal counsel, compliance officers, and your cyber-security partners to develop an action plan to follow in case a data breach does occur.
A different kind of breach
In March of this year (2016), cybersecurity agencies in the U.S. and Canada issued a joint alert about the growing number of ransomware attacks on healthcare organizations. Rather than copy data out of the network, ransomware encrypts files or locks the computer systems of healthcare providers and demands payment, usually in bitcoin, for the key to unlock them.
This past February, the Los Angeles Times reported that Hollywood Presbyterian Medical Center paid a $17,000 ransom to a hacker who infected the institution’s computers and prevented staff from using them to communicate with each other.
This past January, Hurley Medical Center in Flint, Michigan, was the victim of a cyber attack that caused problems for hospital foodservice. The hospital released few details, but Michigan’s MLive Media Group reported that records and emails obtained through the Freedom of Information Act showed that “lunch service was delayed when generic trays were sent out and nurses were forced to supervise for special diets.” Some patients were not served lunch until after 4:00 p.m.
The Hurley attack turned out to be a protest by the online “hacktivist” group Anonymous over the Flint water crisis, rather than an actual ransomware incident. But it demonstrated that foodservice is just as vulnerable as other patient services when a hospital system is locked down.
Experts say that it may be impossible to prevent every ransomware attack, but providers can minimize damage, and avoid paying ransom, by keeping backups that are stored offline or otherwise out of reach of the infected network and are periodically test-restored (ransomware will encrypt any backup it can reach), working with well-equipped cybersecurity vendors, educating employees about risks, and preparing a plan for how to proceed if systems get hijacked.
Foodservice managers should determine the effect a ransomware attack would have on their department and design a response plan that ensures patients continue to be fed while the meal-ordering and tray-tracking systems are down. That plan should include a way, independent of those systems, to identify each patient's allergies, therapeutic diet, and consistency-modified (texture-modified) diet, and it should carry no more patient information than feeding the patient requires, since a downtime sheet left on a cart is itself a breach risk.
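One way to prepare such a downtime roster, as an added example that is not from the original article: pull only the need-to-know fields (location, name, allergies, therapeutic diet, consistency) out of the meal-ordering export, refuse to let a blank cell pass for "no allergies", and seal the printed list with a SHA-256 digest so staff can tell whether it was altered after IT produced it. The field names and the three sample patients are constructed for illustration; the export format of a real meal-ordering product will differ.

```python
"""Downtime diet roster with data minimization.

Added example, not from the original article. It assumes a meal-ordering
system can export patient meal records as Python dicts; the field names
and the three sample patients below are constructed for illustration.
"""
import hashlib
import json

# Constructed sample export. Only a few of these fields are needed to put the
# right tray in front of the right patient; the rest is exactly the data a
# lost or stolen downtime sheet must never carry.
SAMPLE_EXPORT = [
    {"mrn": "00012345", "name": "Doe, Jane", "dob": "1950-03-02",
     "ssn": "123-45-6789", "insurance_id": "ABC123", "unit": "4W", "bed": "412-1",
     "allergies": ["peanut", "shellfish"], "therapeutic_diet": "consistent carbohydrate",
     "consistency": "regular", "billing_code": "99233"},
    {"mrn": "00067890", "name": "Roe, Richard", "dob": "1942-11-17",
     "ssn": "987-65-4321", "insurance_id": "XYZ789", "unit": "4W", "bed": "410-2",
     "allergies": [], "therapeutic_diet": "renal", "consistency": "minced and moist",
     "billing_code": "99232"},
    {"mrn": "00024680", "name": "Poe, Pat", "dob": "1975-06-30",
     "ssn": "555-12-3456", "insurance_id": "LMN456", "unit": "3N", "bed": "305-1",
     "allergies": ["egg"], "therapeutic_diet": "NPO", "consistency": None,
     "billing_code": "99231"},
]

# Need-to-know for the tray line: where the patient is, who they are, and
# what they may safely eat. Everything else stays in the source system.
ROSTER_FIELDS = ("unit", "bed", "name", "allergies", "therapeutic_diet", "consistency")
FORBIDDEN_FIELDS = frozenset({"mrn", "dob", "ssn", "insurance_id", "billing_code"})


def minimize(record):
    """Reduce one export record to the roster fields, with no silent blanks."""
    row = {field: record.get(field) for field in ROSTER_FIELDS}
    # A blank allergy cell must never be mistaken for "no allergies".
    row["allergies"] = sorted(row["allergies"]) if row["allergies"] else ["NONE RECORDED"]
    if row["consistency"] is None:
        # NPO (nothing by mouth) gets no tray at all; any other unknown is flagged.
        row["consistency"] = "n/a" if row["therapeutic_diet"] == "NPO" else "UNKNOWN - CONFIRM WITH NURSING"
    return row


def roster_digest(rows):
    """SHA-256 over canonical JSON, so a printed roster can be checked for tampering."""
    canonical = json.dumps(rows, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def build_roster(records, as_of):
    """Build the minimized, unit/bed-ordered roster and seal it with a digest."""
    rows = sorted((minimize(r) for r in records), key=lambda r: (r["unit"], r["bed"]))
    return {"as_of": as_of, "rows": rows, "digest": roster_digest(rows)}


def verify_roster(roster):
    """True if the rows still match the digest recorded when the roster was built."""
    return roster_digest(roster["rows"]) == roster["digest"]


def leaked_fields(roster):
    """Names of forbidden fields that made it into the roster (should be empty)."""
    leaked = set()
    for row in roster["rows"]:
        leaked |= FORBIDDEN_FIELDS & set(row)
    return sorted(leaked)


def render_roster(roster):
    """Plain text suitable for printing and walking to the units."""
    lines = [f"DOWNTIME DIET ROSTER  as of {roster['as_of']}  digest {roster['digest'][:16]}"]
    for r in roster["rows"]:
        lines.append(f"{r['unit']:>3} {r['bed']:<6} {r['name']:<14} diet={r['therapeutic_diet']}; "
                     f"consistency={r['consistency']}; ALLERGIES: {', '.join(r['allergies'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    roster = build_roster(SAMPLE_EXPORT, "2016-01-18 06:00")
    assert not leaked_fields(roster) and verify_roster(roster)
    print(render_roster(roster))
```

The digest is an integrity check, not a secret: anyone can recompute it, so it catches accidental or casual alteration of the sheet, not a determined forger. The point of the exercise is the field list: what is left off the roster cannot be read off a swiped sheet.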
It is also critical to conduct periodic cyber-safety training for employees. Teach them how to spot a phishing email (a sender address that merely resembles the hospital's, a reply-to address at a different domain, urgent demands to verify a password, links whose visible text does not match where they lead), the risks of opening email attachments, and the danger of plugging external devices such as flash drives into internal systems.
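The same cues staff are taught to look for can be checked mechanically. The following added example, which is not from the original article, parses a raw email with the Python standard library and reports each indicator it finds: a lookalike sender domain, a Reply-To at a different domain, urgency or credential language in the subject, link text that disagrees with the link target, and an attachment type that can run code. The internal domain, the lookalike domains and both sample messages are constructed for illustration.

```python
"""Phishing indicators applied to a raw email message.

Added example, not from the original article. The domain names and both
sample messages are constructed for illustration; standard library only.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

INTERNAL_DOMAINS = {"hospital.example"}  # assumed: the employer's own mail domains
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".pptm")
URGENCY_WORDS = ("urgent", "immediately", "verify", "password", "suspended", "locked")

# Constructed phishing message: lookalike sender, foreign Reply-To, urgent
# subject, a link whose text and target disagree, and a macro-enabled attachment.
PHISH = b"""\
From: "IT Help Desk" <helpdesk@hospital-support.example>
Reply-To: recover@mail-reset-center.example
To: kitchen.manager@hospital.example
Subject: URGENT: verify your meal-ordering password today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be locked. Sign in at
<a href="http://hospital-support.example/login">https://hospital.example/login</a></p></body></html>
--b1
Content-Type: application/octet-stream; name="diet_changes.docm"
Content-Disposition: attachment; filename="diet_changes.docm"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

# Constructed ordinary internal message for comparison.
LEGIT = b"""\
From: "Dietary Office" <dietary@hospital.example>
To: kitchen.manager@hospital.example
Subject: Tuesday tray count
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Tray count for 4W is 28. Thanks.
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL; bare 'host/path' link text is treated as a URL too."""
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()


def _domain(address):
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def analyze(raw, internal_domains=INTERNAL_DOMAINS):
    """Return a list of human-readable phishing indicators found in the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender_domain = _domain(parseaddr(str(msg.get("From", "")))[1])
    if sender_domain and sender_domain not in internal_domains:
        for internal in internal_domains:
            # e.g. "hospital-support.example" trades on "hospital.example"
            if internal.split(".")[0] in sender_domain:
                findings.append(f"sender domain {sender_domain!r} resembles {internal!r} but is not it")
    reply_domain = _domain(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"replies go to {reply_domain!r}, not the sender's {sender_domain!r}")
    subject = str(msg.get("Subject", "")).lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append("urgency or credential language in subject: " + ", ".join(hits))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if "." in text and _host(text) != _host(href):
                findings.append(f"link text shows {_host(text)!r} but points to {_host(href)!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment {name!r} can run code when opened")
    return findings


def is_suspicious(raw, threshold=2):
    """Two or more independent indicators is a strong signal to report, not click."""
    return len(analyze(raw)) >= threshold


if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, analyze(raw))
```

These heuristics are deliberately simple and will miss a message that uses a compromised internal account with a clean subject line; they are the checks a trained employee can make by eye, written down so the training can be tested against real samples.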
If hackers haven’t tried to hit you yet, they will. It’s imperative that you and your employer do all you can right now to properly protect health data and ward off system lockdowns.
Data breaches and public relations
Data breaches require an immediate communications response. Social media will ensure that the news spreads quickly from coast to coast—and you want to control the narrative. Public relations experts suggest that you:
Respond quickly and honestly. Apologize and present a plan of action.
Create an information clearinghouse. A dedicated online site can address customer needs while diverting negative feedback from your social-media platforms.
Keep it simple. Make sure all communications are clear, concise, and impossible to misunderstand.
Rebuild trust. Offer affected patients and customers something to compensate for your security failure, such as credit monitoring.
The EMV edge
Data can also be compromised through credit and debit-card transactions in your foodservice outlets, such as cafeterias and kiosks. EMV (Europay, Mastercard, Visa) chip-card technology helps minimize the risk of counterfeit cards being used at your terminals; it does not by itself protect card data as it passes through the point-of-sale system, so pair it with point-to-point encryption or tokenization from your payment processor.
Canada ramped up the implementation of EMV chips into credit cards in 2007 and greatly reduced losses due to card fraud. The U.S. is now following suit.
You don't have to install EMV card readers for retail purchases, but if you don't, liability for counterfeit-card fraud at those terminals shifts from the card issuer to you.
Healthcare IT’s 2016 State of Cybersecurity in Healthcare Organizations Study identifies hackers’ biggest targets, in this order:
1. Patient medical records.
2. Patient billing information.
3. Clinical trial and other research information.
4. Employee information.