iHT2’s research report provides health data privacy best practices for healthcare organizations to protect themselves from security breaches and identify theft.
With stolen EHR charts selling for as much as $50 per chart on the black market, healthcare organizations are increasingly vulnerable to cyber-attacks as the use of web portals for health information exchanges becomes more commonplace. Just last week, two stolen laptops lead to nearly $2 million in HIPAA fines by the HSS. To prevent future security breaches, healthcare providers and insurance organizations must use advanced security techniques.
Released today, iHT2’s latest research report, “Healthcare Security: 10 Steps to Maintaining Data Privacy in a Changing Mobile World” explains how healthcare organizations can best protect themselves from the rapidly growing threat of security breaches and medical identity theft. CIOs and security consultants describe best practices for preventing these incidents. They also suggest how to deal with the proliferation of electronic data on the web and on mobile devices, which has created many new avenues for cyber-attacks and the theft of personal health information.
The report was put together by:
- Chris Brooks, SVP of Technology, WebMD Health Services
- Sam Curry, CTO, RSA
- James Dzierzanowski, Information Security Officer, Dignity Health
- Howard E. Haile, CISSP, CISA, Chief Information Security Officer, SCL Health System
Sixty-one percent of global healthcare organizations have experienced a security-related incident in the form of a security breach, data loss, or unplanned downtime at least once in the past 12 months, according to the EMC Global IT Trust Curve Survey. Each year, these incidents cost U.S. hospitals an estimated $1.6 billion dollars. The paper offers ten best practice strategies for security in healthcare:
- Get security expertise. Hire a chief information security officer who is dedicated to safeguarding your organization’s data. Asking your CIO to add this burden to his or her extensive portfolio invites trouble, because basic security procedures may be overlooked as a result.
- Strike the right balance between security and accessibility. While data security is very important, security procedures cannot be allowed to get in the way of clinicians accessing the data they need to do their work.
- Role-based security. Restrict the access of individuals, based on their organizational role, to prevent breaches from spreading to the most sensitive and important data.
- Implement data controls. Identify the most critical and sensitive information and put data protection controls around that. Depending on the type of information, various security methods can be used, including encryption or tokenization.
- Use caution with single sign on. Single sign on poses security threats, but clinicians demand it. To minimize the risk, program workstations to time out and log off automatically. A role-based security approach can be used to restrict access to only those applications a user needs.
- Address the use of mobile devices. Organizations that allow BYOD must have policies to prevent mobile devices from endangering network security. They should also prohibit storage of PHI on these devices. Texting requires a security solution, as well.
- Get business associates agreements. All outside partners and service providers, including cloud storage providers, should sign BAAs acknowledging their responsibility to protect PHI. You should also require business associates to upgrade their security procedures.
- Secure patient portals. Verify the identities of portal enrollees and adopt stringent authentication processes, but don’t make it too hard for patients to log on to portals. Use behavioral and contextual approaches to detect patterns of intruders.
- Reduce HIE exposure. . Be aware of the security practices of public health information exchanges. If you participate in one, you can reduce your security risk by not importing HIE data into your system.
- Choose your cloud provider and cloud type carefully. A cloud service provider should sign a BAA and be HIPAA compliant. Healthcare providers might find the public cloud enticing because of cost efficiencies, but a hybrid cloud might be preferable because it allows them to control their data.
To download the report, visit http://ihealthtran.hs-sites.com/iht2-healthcare-security-report
