Data breaches in health care come in a variety of forms. They can include cases in which criminal hackers steal protected health information to commit medical identity theft, or instances when an employee views the records of one patient without authorization.
While the motives and outcomes of those two security incidents are very different, they have one thing in common: Both kinds of data breach can be very costly for providers. In addition to potential HIPAA fines and other compliance costs, hospitals may suffer reputational damage and a loss of patient trust.
Aside from being expensive, healthcare data breaches are also pretty widespread. In 2012 and 2011, nearly all (94%) of healthcare organizations had suffered at least one data breach, according to a study from the Ponemon Institute. In addition, 45% experienced more than five breaches during that time. That’s compared to just 29% of hospitals that said the same thing two years ago.
The bottom line: All hospitals and other healthcare organizations need to be careful about protecting sensitive patient, financial and other data.
Doing so requires a mix of employee education, smart use of technology and physical security for buildings. Here’s a list of ten important best practices for healthcare data security:
1. Protect the network
As hackers have a variety of methods for breaking into healthcare organizations’ networks, health IT departments need to use a variety of tools to try to keep them out. However, most firms spend too much on perimeter security, such as firewalls and antivirus software, while experts warn they should also be adopting technologies that limit the damage when attacks do occur.
That includes techniques such as segregating networks so that an intruder into one area doesn’t have access to all the data stored throughout the organization.
2. Educate staff members
Whether due to negligence or malicious actions, employees are often involved in healthcare data breaches. Therefore, any IT security program should include a big focus on employee education, including:
- Training on what does and doesn’t constitute a HIPAA violation
- Lessons on avoiding phishing, social engineering and other attacks that target employees, and
- Advice on choosing secure passwords.
3. Encrypt portable devices
In the past few years, several data breaches have occurred because a portable computing or storage device containing protected health information was lost or stolen. One thing healthcare organizations should always do to prevent those breaches: Encrypt all devices that might hold patient data, including laptops, smartphones, tablets and portable USB drives.
In addition to providing encrypted devices for employees, it’s important to have a strict policy against carrying data on an unencrypted personal device.
4. Secure wireless networks
Organizations are increasingly relying on wireless routers for their office networks. But unfortunately, those wireless networks often introduce security vulnerabilities. Data can be stolen by hacking into those networks from the parking lot, for example, especially if the organization relies on outdated technology, such as routers that use the 12-year-old Wired Equivalent Privacy (WEP) security standard.
To protect against attacks, healthcare providers should make sure that their routers and other components are kept up to date, that network passwords are secure and changed frequently, and that unauthorized devices are blocked from accessing the network.
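One way to turn the wireless checks above into a routine audit, as an added example that is not from the original post: a Python script over a constructed site survey that flags access points still on WEP or no encryption, access points impersonating the organization's SSIDs, and connected clients missing from the managed-device inventory (all MACs, SSIDs and inventory values are hypothetical).

```python
"""Audit a wireless survey for weak encryption, rogue APs and unknown clients.
Survey data below is constructed for the example (hypothetical MACs/SSIDs)."""
from dataclasses import dataclass

WEAK_SECURITY = {"OPEN", "WEP"}  # modes the post warns against

@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str      # AP radio MAC address
    security: str   # e.g. "WEP", "WPA2-PSK", "OPEN"

def weak_access_points(aps):
    """Surveyed APs still using WEP or no encryption at all."""
    return [ap for ap in aps if ap.security.upper() in WEAK_SECURITY]

def rogue_access_points(aps, org_ssids, managed_bssids):
    """APs advertising one of our SSIDs that we do not operate (impostors)."""
    known = {b.lower() for b in managed_bssids}
    return [ap for ap in aps
            if ap.ssid in org_ssids and ap.bssid.lower() not in known]

def unauthorized_clients(client_macs, managed_macs):
    """Connected clients absent from the managed-device inventory."""
    known = {m.lower() for m in managed_macs}
    return [m for m in client_macs if m.lower() not in known]

# Constructed inventory and survey results.
MANAGED_APS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
MANAGED_CLIENTS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
ORG_SSIDS = {"CLINIC-STAFF", "CLINIC-LEGACY"}
SURVEY = [
    AccessPoint("CLINIC-STAFF", "00:11:22:33:44:55", "WPA2-Enterprise"),
    AccessPoint("CLINIC-LEGACY", "00:11:22:33:44:66", "WEP"),      # outdated
    AccessPoint("CLINIC-STAFF", "de:ad:be:ef:00:01", "OPEN"),      # impostor
    AccessPoint("NEIGHBOR-CAFE", "de:ad:be:ef:00:02", "WPA2-PSK"), # not ours
]
CONNECTED = ["AA:BB:CC:00:00:01", "aa:bb:cc:00:00:09"]

def audit(aps=SURVEY, clients=CONNECTED):
    """Summarize the findings an administrator should act on."""
    return {
        "weak": sorted(ap.bssid for ap in weak_access_points(aps)),
        "rogue": sorted(ap.bssid for ap in rogue_access_points(aps, ORG_SSIDS, MANAGED_APS)),
        "unauthorized": sorted(unauthorized_clients(clients, MANAGED_CLIENTS)),
    }

if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {items}")
```

In practice the SURVEY and CONNECTED lists would be fed from a site-survey tool and the access points' client tables; the checks themselves stay the same.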
5. Implement physical security controls
Even as electronic health records become more common, organizations still keep a lot of sensitive data on paper. Therefore, providers must make sure doors and file cabinets are locked and that cameras and other physical security controls are used.
In addition, organizations should physically secure IT equipment by locking server rooms and using cable locks or other devices to keep laptop and desktop computers attached to office furniture.
6. Write a mobile device policy
As more healthcare employees use personal devices to do their work, it’s important that every organization creates a mobile device policy that governs what data can be stored on those gadgets, what apps may be installed, etc.
Also, many providers are using mobile device management (MDM) software to enforce those policies.
7. Delete unnecessary data
One lesson many data breach victims have learned: The more data that’s held by an organization, the more there is for criminals to steal. Organizations should have a policy mandating the deletion of patient and other information that’s no longer needed.
In addition, it pays to regularly audit the information that’s being stored, so the organization knows what’s there and can identify what may be deleted.
8. Vet third parties’ security
Along with mobile devices, the biggest IT trend in the past few years has likely been the rise of cloud computing. Cloud-based services have enabled smaller organizations to take advantage of many of the same technologies as their larger competitors by lowering the up-front costs necessary for deployment.
However, putting information in the hands of third parties also creates a number of new risks. Therefore, it’s important for organizations to diligently vet the security of cloud computing vendors and other third parties they contract with.
9. Patch electronic medical devices
While many of the IT security threats healthcare organizations face also affect companies in other industries, providers have another risk: the threat of pacemakers, monitoring tools and other electronic medical devices being hacked.
One step healthcare IT departments must take: Keep the software on those devices patched and up to date to minimize their vulnerabilities.
10. Have a data breach response plan
It’s unlikely an organization will ever be able to prevent every possible IT security incident. That’s why it’s critical to develop a plan of action for when a breach does occur.
For help, see our earlier post on developing an effective data breach response plan.