Headlines about hospital data breaches that expose thousands of medical records appear with alarming frequency. Yet even one breach can be devastating. A single breach at a Pennsylvania practice in the first half of 2016 exposed 87,000 patient records, and in 2015 a breach at a Los Angeles hospital exposed 4.5 million patient records.
Such attacks shouldn’t be surprising. The high dollar value each patient record fetches on the black market (CNBC says this is at least $60) creates a powerful incentive for hackers while protection is often weak. To reduce the financial, compliance, and reputational risks from security breaches, hospitals and health systems can provide better patient care and protect patients from financial harm. The following are five steps to consider in your efforts to protect patient data:
1. Define your hospital’s strategy for managing sensitive data
Guarding data starts with strong data management. Hospitals often store protected health information (PHI) in different systems in different departments in different data centers or cloud servers, as well as on mobile devices. When data for the same patient is stored in many places, it becomes more difficult to protect; it might be secure in one place but vulnerable in another. Creating a master data management strategy that consolidates all online data into one electronic system not only simplifies the process of securing data, but it also improves system efficiency. Once your data is consolidated, refer to HIPAA guidelines to determine what data is sensitive and must be kept secure.
2. Implement policies to support your data-protection strategy
One of the greatest dangers to the security of PHI is human error or negligence. Putting in place acceptable use policies (AUPs) will give clinicians and staff solid direction regarding what behaviors to follow to maintain privacy.
For example, the AUP can require the use of strong passwords for user authentication, periodic password changes, and encryption, as well as procedures that restrict access to clinicians and staff who need the information to do their jobs and provide proper patient care.
As more clinicians use personal mobile devices in their work, be sure the AUP covers these devices as well. A mobile AUP should require the encryption of data on the device and in transit between providers as well as use of an app with remote wipe capabilities that can remove sensitive data should the device be lost or stolen.
3. Implement multiple layers of security tools to support policies
Data centers and mobile devices alike have many points of vulnerability. Protecting PHI requires a multi-layered approach that addresses each one with tools that include:
• Monitoring capabilities to track network traffic
• Firewalls to block attackers from entering the corporate network
• Blacklist/whitelist mechanisms to specify “bad” packets to exclude and “good” packets to admit
• Data encryption to prevent access to data in motion and at rest
• Virtual private networks (VPNs) to safeguard traffic traveling over the public internet
• Secure text messaging to allow providers to send secure text messages, images, and videos to smartphones and other devices
• Data loss prevention (DLP) solutions to identify and put controls around PHI, implementing policies and procedures to ensure it doesn’t leave the organization by the wrong path, wrong address or in an unencrypted manner
You can also ask your existing hardware and software vendors about best practices for configuring and using these solutions to optimize security. For more tips on how to secure critical infrastructures, go to:
4. Train your end users
Because human error or negligence plays a major role in healthcare data breaches, any IT security program should include a strong employee education component. Include training on what does and doesn’t constitute a HIPAA violation as well as lessons on avoiding phishing, social engineering, and other attacks that target employees.
5. Develop an overall business continuity plan
Your hospital’s ability to continuously access medical records can be a matter of life and death. If someone is having a heart attack, you can’t afford to turn them away because you don’t have access to their information. Yet this is precisely what happens with some cyberattacks. A large number of hospitals have recently been hit by ransomware that blocked access to patient data until they paid a hefty sum. And hospitals aren’t adequately prepared: According to the 2016 HIMSS Cybersecurity Survey, two-thirds of respondents experienced a recent significant security incident but reported only an average level of confidence in being prepared to defend against cyberattacks.
You need an overall business continuity plan to ensure that your hospital remains operational in the face of this type of cyberattack—not to mention a large-scale natural disaster. Within IT, a business continuity plan details the people, processes, and technologies necessary to keep IT systems operational, including off-site backup for important data and disaster recovery processes that ensure your hospital regains access to data within specified timeframes.
Patient data is the lifeblood of any hospital. You need to keep it away from prying eyes while maintaining access for the clinicians who require it to successfully treat patients. These five data security measures will help you in your efforts to protect your patient data before it’s too late.