Implementing cybersecurity protocols remains a priority throughout the healthcare industry — and a challenge.

In late September, Universal Health Services (UHS) was the target of a large-scale malware cyberattack, causing nationwide network outages. As a result, medical staff lost access to computer systems, data, internet, and phones. Amid the mayhem, some staffers even shared real-time updates of the attack on Reddit.

Shortly after, UHS officials acknowledged that the attack impacted each of its US sites — which equates to more than 400 health care facilities — but the company’s electronic medical record (EMR) was not directly compromised. Still, for three weeks, UHS staff had to rely on offline documentation procedures.

No doubt, this raises a lot of questions regarding the health care system’s cybersecurity safeguards and policies.

Unfortunately, cyberattacks and data breaches are prevalent in the healthcare industry. Healthcare facilities have a high volume and variety of devices, which adds to the difficulty of comprehensive cybersecurity.

The frequency and severity of attacks only seem to increase with time. To counter this, any company that handles private health information (PHI) needs to consider implementing the HITRUST Common Security Framework (CSF).

The government doesn’t require health care companies to obtain a HITRUST CSF certification — but that doesn’t mean it’s not worthwhile.

First of all, the HITRUST framework helps companies address security regulations that are federally mandated, such as HIPAA. While HIPAA holds health care companies to a certain security standard, it doesn’t necessarily provide clear insight into the “how.” That’s where HITRUST comes into play, as companies can leverage specific, detailed guidelines to set and develop their security measures.

Second, data security is an ever-changing beast. To account for this, the HITRUST CSF is regularly updated to ensure companies remain on top of the latest security best practices and safeguards.

Third, as evidenced by UHS’s recent network outage, cyberattacks aren’t going away — and they’re quite costly. According to IBM’s 2019 Cost of a Data Breach Report, the average total cost of a data breach in the U.S. healthcare industry was $15.0 million — compared to $8.2 million across all industries. So, the investment in cybersecurity is worth it.

On top of that, did you know the average data breach takes 280 days to identify and contain? Protecting PHI can only happen if you’re proactive — not reactive. It doesn’t matter if you’re a health care company or a related business associate.

That’s why Sepire is actively pursuing the HITRUST certification. It’s a rigorous and lengthy application process, but it’s practically a necessity in the digital age.