Cybersecurity: How a Rural Alaska Hospital is Safeguarding Its Patients' Information

by Allee Mead

IT Director Jim Bartilson and his team at South Peninsula Hospital in Homer, Alaska, spend their workdays managing user accounts, monitoring installed systems and hardware, and researching protective software. "I personally spend about 3 hours a day managing some of our security systems," Bartilson says, "which helps me stay current with security risks, evaluate new systems for deployment, and analyze our current systems."

While his IT team seems removed from the patients, they are working right beside the medical staff to protect those who walk through the hospital doors. While the medical staff works to prevent diseases and improve patients' health, Bartilson and his IT team work to safeguard their information.

Risks and Barriers in Rural Communities

Ransomware is one of the most prevalent types of malware (malicious software) affecting healthcare facilities. This malware encrypts the system's data, preventing anyone from accessing data unless a ransom is paid. Sometimes, those who pay the ransom are still unable to recover their files.

According to the U.S. government document How to Protect Your Networks from Ransomware, the number of ransomware attacks has increased 300%, from 1,000 attacks per day in 2015 to 4,000 attacks per day in 2016. While urban and rural networks are both targeted, rural-based information systems may be at a greater risk in an attack.

Rural and smaller facilities may not be targeted more, but rural facilities tend to have less training, resources, and protections in place.

"Rural and smaller facilities may not be targeted more, but rural facilities tend to have less training, resources, and protections in place," explains Joe Wivoda, CIO and HIT Consultant at the National Rural Health Resource Center.

For example, urban healthcare facilities may have a large IT team, while rural facilities might have one IT employee who works part-time. Cost is also a barrier for many rural facilities, as it takes financial resources to purchase updated software or hire someone to install a firewall. For some facilities, cybersecurity may not seem like a top priority.

Wivoda adds that rural facilities without IT staff can team up with other facilities or contract out. "In rural," Wivoda explains, "we have to work together as much as we can."

As with other healthcare positions, many rural facilities have come to rely on traveling or agency staff to fill vacant positions. While filling an important need, this type of staffing can be an added risk to facilities' cybersecurity, since these employees might not have completed the same orientation and training as the other employees. These risks make recruitment and grow-your-own efforts for IT staff all the more important for rural facilities.

Despite the barriers, rural facilities possess a strength that urban facilities may not. Since everyone tends to know each other in smaller communities, rural healthcare staff may hold themselves more accountable to safeguard their patients' information from unauthorized access, modification, or destruction. South Peninsula Hospital is one such facility that works hard to safeguard the information of its patients, families, and neighbors.

South Peninsula Hospital

South Peninsula Hospital (SPH), a 22-bed Critical Access Hospital (CAH), takes a top-down approach to cybersecurity. Bartilson explains, "You cannot be effective managing security risks unless you have support from your senior leadership and operating board."

SPH provides primary care, outpatient specialty clinics, and long-term care, along with emergency medicine. The 60-year-old hospital employs over 450 people and serves a population of 13,000 living in a 50-mile radius.

You cannot be effective managing security risks unless you have support from your senior leadership and operating board.

"We are one of the pillars of the community," says Derotha Ferraro, Director of Public Relations & Marketing at SPH. "We've been here the longest and we're the largest employer." This status in the community adds extra incentive for hospital staff to protect their patients' information.

"Jim has to look all of these people in the face when he goes to the grocery store or the post office or the hardware store," Ferraro explains about Bartilson's role as IT Director. "That adds a layer of responsibility that might not be as raw in a much larger environment."

That accountability to the community extends into the workplace as well, as Bartilson and his IT team are also responsible for their coworkers' information. This responsibility can serve as a powerful motivator. Bartilson explains, "I don't want to ever have to walk into my CEO's office and tell him we have an issue."

Such an issue would lead not only to compromised information but also liability and downtime. "Liability" refers to the costs associated with a data breach, such as fines, credit monitoring for those affected, and rise in insurance rates. "Downtime" is the time and work lost if a facility needs to shut down or if infected servers shut themselves down.

The hospital is constantly bombarded by malware, so Bartilson and his team's work is never done: "Security systems are no longer set it and forget it," Bartilson explains. If viruses do occur, the IT team works to find the source and educates coworkers on safe practices so that future attacks can be prevented.

An Ounce of Prevention

The more informed the user is, the stronger the security can be.

Prevention is key, not just for the IT staff of six but for anyone who works for SPH. While the hospital uses software programs to safeguard its data, staff members also need to be on the lookout for suspicious-looking emails and attachments. "The more informed the user is, the stronger the security can be," Ferraro explains.

Training occurs during new employee orientation and throughout a staff member's career. New employees at SPH spend an hour of their orientation learning about cybersecurity.

The IT staff offers continual education to the other staff members by sending out alerts and offering videos for refresher courses.

You have to train everyone, not just one department, but everyone who touches a computer.

Wivoda supports Ferraro's emphasis on the importance of providing training for all users: "You have to train everyone, not just one department, but everyone who touches a computer."

This training – teaching staff how to spot suspicious-looking emails and how to back up their files – can be outsourced or found online. HIPAA Training & Resources can be a useful tool, with links to security training games and risk assessment tools.

Sometimes, Bartilson and his IT team provide articles about recent data breaches at other healthcare facilities. These articles serve as learning opportunities, as the team then describes what SPH employees can do to avoid a similar situation.

In addition to these cautionary tales, the IT team makes sure to recognize coworkers who catch and report suspicious links and emails. This reminds all staff members that they each play a part in protecting the hospital's information. Bartilson and the team also act as mentors so that their coworkers feel capable of taking on more responsibility with cybersecurity at work and in their homes.

The IT team members keep up their own knowledge base through webinars, certificate classes, and web classes. "We have assembled a special group of dedicated IT professionals at SPH," says Bartilson, "and there isn't a day I'm not amazed with their ability and hard work."

While other rural facilities may not be able to afford an IT team of six, they may have resources that SPH does not. "Other areas would have more access to consulting services," Bartilson explains. "Our distance from the next largest town – the travel expenses are not cost-effective for that option."

While cybersecurity is a priority at SPH, it is certainly not the hospital's only IT priority. Ferraro explains that the IT team members "make sure that we're secure but that systems are working toward the best care possible at the same time, so that neither side is compromised."

Whether a rural facility has six IT staff members or none, the latest in technology or aging IT infrastructure, training and vigilance of all staff will make a difference in the security of patient information. Wivoda adds, "It's a solvable problem, and we can make a difference."