Healthcare data is some of the most sensitive personal information that exists today. It is also one of the most sought after – and most frequently breached – data types. For organizations across the healthcare industry, protecting health data is proving to be increasingly challenging.
Healthcare providers and their business partners must balance protecting patient privacy while delivering quality patient care and meeting the strict regulatory requirements set forth by HIPAA and other regulations, such as the EU’s General Data Protection Regulation (GDPR). Because protected health information (PHI) is among an individual’s most sensitive (and for criminals, valuable) private data, the guidelines for healthcare providers and other organizations that handle, use, or transmit patient information include strict data protection requirements that can incur hefty fines if they’re not met.
While many compliance practices exist today, electronic data hasn’t historically been as secure as it needs to be. In fact, the increase of electronic health records (EHR) is increasing the risk of data breaches. Last year, Ponemon Institute research found that criminal attacks have increased by 125 percent since 2010 and are the leading cause of healthcare data breaches.
To adequately protect data from cybercriminals, healthcare organizations and business partners must implement comprehensive security measures to protect patient data from the increasing volume and growing variety of threats. Vulnerabilities in wireless networks, for instance, offer an easy entry point for hackers, yet these networks offer critically important – and easier – access to patient information, helping to optimize the delivery of care.
These best practices for healthcare cybersecurity aim to keep pace with evolving threats, addressing risks to privacy and data protection on endpoints and in the cloud, and safeguarding data while it’s in transit, at rest, and in use. Organizations must take a multi-faceted, sophisticated approach to security. Here’s how they can do it:
1. Educating Healthcare Staff
The human element remains one of the biggest threats to security across all industries, and this is particularly true in healthcare. Simple human error or negligence can produce disastrous and expensive consequences for healthcare organizations. Security awareness training equips healthcare employees with the requisite knowledge necessary for making smart decisions and using appropriate caution when handling patient data.
2. Restricting Access to Data and Applications
Implementing access controls reinforces healthcare data protection by restricting access to patient information and certain applications to only those users who require access to perform their jobs. Access restrictions require user authentication, ensuring that only authorized users have access to protected data. Multi-factor authentication, which requires users to validate their identity through two or more validation methods, is a highly-recommended approach.
3. Implementing Data Usage Controls
Protective data controls go beyond the benefits of access controls and monitoring to ensure that risky or malicious data activity can be flagged and/or blocked in real time. Healthcare organizations can use data controls to block specific actions involving sensitive data, such as web uploads, unauthorized email sends, copying to external drives, or printing. Data discovery and classification play an important supporting role in this process by ensuring that sensitive data can be identified and tagged to receive the proper level of protection.
4. Logging and Monitoring Use
Logging all access and usage data is also crucial, enabling providers and business partners to monitor which users are accessing what information, applications, and other resources, when they are being accessed, and from what devices and locations. These logs prove value for auditing purposes, by identifying areas of concern and strengthening protective measures when necessary. When an incident occurs, an audit trail may enable organizations to pinpoint precise entry points, determine the cause, and evaluate damages.
5. Encrypting Data
Encryption is one of the most useful data protection methods for healthcare organizations. By encrypting data in transit and at rest, healthcare providers and business partners make it more difficult (ideally impossible) for attackers to decipher patient information even if they gain access to the data. HIPAA offers recommendations but doesn’t specifically require healthcare organizations to implement data encryption measures; instead, the rule leaves it up to healthcare providers and business partners to determine what encryption methods and other measures are necessary or appropriate given the organization’s workflow and other needs.
6. Securing Mobile Devices
Increasingly, healthcare providers and covered entities utilize mobile devices to access information to help treat a patient, or to process insurance claims. There are many enterprise mobile management best practices organizations should consider implementing to secure network devices, including: maintaining security settings and configurations, enabling remote lock and wipe and enforcement of device-level passwords.
7. Mitigating Connected Device Risks
Traditionally mobile devices like smartphones and tablets were the primary area of concern, yet with the rise of the Internet of Things (IoT), many new types of vulnerable connected devices are appearing. In healthcare, medical devices like blood pressure monitors and cameras for monitoring physical security on the premises may be connected to a network. Some tips for maintaining adequate connected device security include:
– Maintain IoT devices on their own separate network
– Continuously monitor IoT device networks to identify sudden changes in activity levels that may indicate a breach
– Disable non-essential services on devices before using them, or remove non-essential services entirely before use
– Using strong, multi-factor authentication whenever possible
– Keep all connected devices up-to-date to ensure that all available patches are implemented
8. Conducting Regular Risk Assessments
While audit trails help to identify valuable details of an incident after it occurs, proactive prevention is equally important. Conducting regular risk assessments can identify vulnerabilities in a healthcare organization’s network, shortcomings in employee education, inadequacies in the security posture of vendors and business partners, and other areas of concern.
By evaluating risk across the organization periodically to proactively identify and mitigate potential risks, healthcare providers and their partners can more effectively prevent costly data breaches and avoid the many other detrimental impacts of a breach, from reputation damage to penalties issued by regulatory agencies.
9. Utilizing Off-Site Data Backup
As many ransomware attacks have shown, cyberattacks can expose sensitive patient information but they can also compromise data integrity or availability. Natural disasters can have major consequences on data centers if data isn’t properly backed up.
That’s why frequent offsite data backups are recommended, with strict controls for data encryption, access, and adherence to other best practices to ensure that backups are secured. Offsite data backups are an essential component of disaster recovery, too.
10. Carefully Evaluating the Compliance of Business Associates
Because healthcare information is increasingly transmitted between providers and among covered entities to help facilitate payments and deliver care, a thorough evaluation of all potential business partners is one of the most crucial security measures healthcare organizations can take. The HIPAA Omnibus Rule strengthened the previous guidelines and clarified definitions of business partners, providing better guidance on the relationships in which contracts are required. And, the HIPAA Survival Guide provides a comprehensive summary of clarifications and changes.
Taking a multi-faceted approach to security may seem exhausting, but when sensitive and valuable private health data is at risk, additional measures can ensure protection. To keep pace with evolving threats, healthcare organizations that take data protection seriously should recognize that HIPAA and other regulatory compliance initiatives are a good starting place for building a data protection program and avoiding costly penalties. However, efforts should go beyond compliance to ensure that sensitive data is protected against today’s threats.
Chris Leffel is the Vice President of Network & Cloud Security at Digital Guardian, a next generation data protection platform purpose built to stop data theft.