The American healthcare system now relies heavily on community health centres (CHCs) as the main entry point for patients who often have a barrier to care due to their economic status, geographic location, or social disadvantage. CHCs have begun to provide more clinics, telehealth services, and integrated care programs, thus they have made greater use of digital technologies for managing patient intake, medical records, and care coordination. While this has led to increased access and efficiency in delivering and receiving care, the risk of cybersecurity breaches has also increased; an example of this is the recent Data Breach at the Jordan Valley Community Health Centre.
While CHCs serve large numbers of patients and are funded by multiple sources (e.g., public grants; reimbursement for services provided), the financial limitations they operate under are often greater than those of large hospitals. Consequently, the primary sources of funding for CHCs are tied directly to metrics related to service delivery. Additionally, while CHCs have access to and process personal health information on a regular basis, for the most part, they are not able to justify investing in cybersecurity controls (e.g. continuous monitoring; advanced encryption; incident response plans) because the cost of these systems is often seen as less critical than expenses related to meeting the clinical needs of the organisation (e.g. staffing; purchasing office equipment; expanding service hours).
The digitization of the health care sector has created new levels of complexity in the operation of community health centres as many of these centres use many different types of electronic health record systems, third-party vendors for billing, laboratory partners and government platforms for reporting. This means that each integration creates a potential point of exposure for patient data. Even when individual systems are compliant, their connections with one another can become a point of weakness for the facilities that are utilising them, especially if there is limited oversight and inadequate vendor risk assessments.
In addition to that, the impact of a data breach on patients can be very severe. Many patients at community health centres are on public assistance or do not have access to traditional banking services or have language or documentation challenges. For these patients, an exposed Social Security number or insurance record would be difficult to monitor, dispute or recover from. Further, the impact of data breaches is not equally distributed and generally impacts most significantly those who have the fewest resources to respond.
Community health centers function as organizations based upon a mission, and they gain credibility through the long-term partnerships they have formed with the populations they serve. Patients provide community health centers limited amounts of their personal health information because they are expected to provide community health centers with access to all their personal health information and are confident that the employer who employs them will protect their health care data and privacy.
The majority of the time, when these cybersecurity issues occur within community health centers, they are caused by structural impediments and not by negligence. Structural impediments include inadequate funding and a lack of available staff, along with the rapid and frequent changes to information technology requirements.
While frameworks exist for compliance, compliance on its own does not mean that an organization will be prepared to protect itself against the more sophisticated and recurring threats Community health centers are expected to face.
As healthcare legislation continues to focus on increasing access and expanding access to healthcare, data protection will continue to become more and more important. Expanding access, without increasing security, will lead to hidden costs post-incident when systems are compromised and confidence is lost.
Protecting patient and client data should be viewed as a part of providing healthcare. In an actual or increasing digital world, protecting the patient and client’s digital footprint is part of the continuum of care and will allow for community health centers to establish and maintain trust with their patients.
