The healthcare industry is more at-risk than most others when it comes to the potential for data breaches. Healthcare cybersecurity tips are incredibly important for keeping data safe. In the wrong hands, electronic health records (EHRs) and patient health information (PHI) are worth a lot of money. And that paints a huge target on any under-prepared health provider that engages with — but maybe doesn’t fully understand the risks of — digital health infrastructure. Here’s a rundown of seven things you need to do if you want to commit to the security of your organization’s health data.
1. Correctly Restrict Access to Critical Applications and Data
Access controls are some of your best assets when it comes to protecting healthcare data. Patient information doesn’t need to be — and shouldn’t be — stored in general-purpose directories, and it certainly shouldn’t be left unprotected on your main network.
User authentication — and clearly defined digital “roles” for regular users and for everyone who engages with your networks — are the keys to making access restriction work for you. Most authentication options these days use two factors, including physical keys, PINs and passwords and, more recently, biometric data.
2. Employ Mobile Devices With Caution
The addition of mobile technology to the healthcare landscape was a great gift. Instant communication can sometimes save lives, but mobile devices in the workplace come with a significant potential risk to your security.
Your facility or healthcare system should have a comprehensive security policy when it comes to employee use of mobile devices — and especially personal mobile devices. This policy should include:
- Stressing the importance of strong passwords on all work-related applications
- Device-level passwords
- Encrypted backups
- Remote wipe capabilities enabled in case of loss
And more. Embrace this relatively recent convenience, but do so with caution — and a detailed set of guidelines in place.
3. Take Care When Networking IoT Devices
Beyond mobile devices, there’s another emerging threat “vector” in healthcare technology — and it’s the Internet of Things, or the IoT. In this context, the IoT might encompass blood pressure monitors, security and observation cameras, scales, thermometers, sleep monitors and any other medical device that connects to your network.
The most important way you can shield your network of IoT assets from outside intrusions — like what happened with WannaCry in 2017 — is to restrict the use of IoT devices to a self-contained network, rather than having this traffic on your general-purpose network. Also, be sure to set each device to install new updates automatically and remove obsolete or disused devices from the network and from service.
The total price tag from the WannaCry incident is now approaching the $4 billion mark. Thankfully, most onlookers found it to be a learning experience.
4. Monitor Network Traffic and Collect Logs
It’s essential that you log all activity on your network. This provides you with an in-depth look at who is accessing your network, when and for what purposes — down to details about the device used to gain access. Logs are helpful when the time comes to perform a security audit — and should the worst-case scenario actually occur, having logs at the ready can help pin down the access points used by intruders and better evaluate any damage they may have caused.
Of course, collecting logs is just one part of the task — you also have to actually look at them. It’s wise to regularly review these logs for irregularities, at least for your most critical systems. This is a task commonly outsourced to third parties.
5. Perform Vulnerability Testing With Third Parties
Another cybersecurity function that benefits from an outsider’s perspective is vulnerability testing. An impartial party is often the logical choice if you want to be absolutely certain you’ve taken the necessary steps to protect your networks and your healthcare system from deliberate outside harm. And it’s not just about the security of your digital networks, either — sometimes there are concerns over physical security too, such as where you store equipment.
For example, the National Cyber Security Centre in the UK recommends performing third-party penetration testing on every access point along your network. They also make a point to remind hospitals and other facilities to create specific protocols for the use, and return, of equipment and electronic devices that might contain sensitive data, especially patient data, and to ensure these devices are not physically at risk of being stolen.
6. Recognize HIPAA Standards as Non-Negotiable
When we think about the security of our data, we usually think about deliberate wrongdoing first. But sometimes, all it takes is a rogue storm or a power outage to cause a devastating loss of data. This is another area where knowing regulations like HIPAA, inside and out, becomes critically important. It’s also a good reason to familiarize yourself and your organization with the SEC’s guidelines for how to file a disclosure of a data breach. You can use resources like this to plan your recovery strategy should the worst happen.
The healthcare industry as a whole has pivoted to the use of much more accessible and convenient electronic health records, but HIPAA still provides strong guidelines for the protection of those records when they’re both “at rest” and “in transit.” HIPAA guidelines state healthcare providers must maintain “exact-match” backups of all patient records. Another safeguard recommended by HIPAA is that healthcare system administrators receive real-time notifications whenever critical patient data is accessed.
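The log review from tip 4 and the notification on critical patient-data access from tip 6, as an added Python example that is not part of the original article: it parses a constructed, hypothetical EHR access-audit format and flags off-hours access, unapproved devices, PHI exports and bulk record access. The field layout, the approved-device list and the thresholds are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR access audit lines in a hypothetical format (not a real product's):
# timestamp | user | role | patient_id | action | device
SAMPLE_LOG = """\
2023-03-01T09:12:05 | dr.lee | physician | P1001 | view | ws-ward3-01
2023-03-01T02:31:10 | j.smith | billing | P2001 | view | laptop-unknown-7
2023-03-01T10:02:13 | j.smith | billing | P2002 | view | ws-billing-04
2023-03-01T10:02:15 | j.smith | billing | P2003 | view | ws-billing-04
2023-03-01T10:02:16 | j.smith | billing | P2004 | view | ws-billing-04
2023-03-01T10:02:18 | j.smith | billing | P2005 | view | ws-billing-04
2023-03-01T10:02:19 | j.smith | billing | P2006 | export | ws-billing-04
2023-03-01T14:45:00 | nurse.kim | nurse | P1003 | view | tablet-icu-2
"""

APPROVED_DEVICES = {"ws-ward3-01", "ws-billing-04", "tablet-icu-2"}  # assumed inventory
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 is normal; anything else is worth a look
BULK_THRESHOLD = 5             # distinct patient records per user per review window


def parse_line(line):
    """Split one audit line into a dict; return None for blank or malformed lines."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 6:
        return None
    ts, user, role, patient, action, device = fields
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "patient": patient, "action": action, "device": device}


def review_access_log(text, approved_devices=APPROVED_DEVICES,
                      bulk_threshold=BULK_THRESHOLD):
    """Return (rule, user, detail) findings a reviewer or alerting pipeline should see."""
    findings = []
    patients_per_user = defaultdict(set)
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        patients_per_user[rec["user"]].add(rec["patient"])
        if rec["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours_access", rec["user"], rec["ts"].isoformat()))
        if rec["device"] not in approved_devices:
            findings.append(("unapproved_device", rec["user"], rec["device"]))
        if rec["action"] == "export":  # critical PHI access: notify an administrator immediately
            findings.append(("phi_export", rec["user"], rec["patient"]))
    for user, patients in patients_per_user.items():
        if len(patients) > bulk_threshold:
            findings.append(("bulk_record_access", user, f"{len(patients)} patients"))
    return findings
```

Running `review_access_log(SAMPLE_LOG)` flags only j.smith: one off-hours login from an unknown laptop, an export, and more distinct patient records than the billing threshold allows.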
7. Make Sure You Understand the Role of Your Partners and Vendors
There’s a booming market for healthcare data analysis, not to mention data storage, IT architecture, software and application licenses, and more, in the healthcare space. If there’s one part of HIPAA that’s worth a second look, it’s the delicate roles and intersections between “business associates” in modern medicine. HIPAA’s Omnibus Rule provides these guidelines for understanding the role of partners, vendors, and other associates:
- Third-party apps, like those provided by Google, Dropbox and Microsoft, are considered legal “business associates” any time these services are used to store or maintain patient health information. This requires a contract between the two parties.
- There are “conduit exemptions” that apply to data-handling companies that transmit patient health information but do not store it. These definitions can sometimes be subtle.
- Liability follows the chain of custody throughout the patient health information (PHI) “supply chain.” Under HIPAA, all healthcare providers are required to obtain “satisfactory assurances,” from all of the parties they sub-contract with to handle PHI, that all data will receive appropriate levels of protection.
As you can see, there are lots of moving parts within modern medicine and the administrative and technological systems helping it treat patients and save lives. However, there are resources available to practices and hospital franchises that can help demystify some of the new regulations, best practices, and just plain good ideas.