How to Secure Data in Healthcare
Recent headlines of data security breaches at large corporations and system bugs like Heartbleed and Shellshock have reminded us of the importance of proper network security. When this responsibility isn’t taken seriously, not only does it result in stolen information, but damages to brand reputation and millions of lost dollars.
While we often equate these problems with banks, social media sites, or large retailers, we forget one of the most important, yet vulnerable, industries to these types of attacks – healthcare. It’s scary to think organizations responsible for our health haven’t properly prioritized protecting our information. In fact, healthcare spending on IT security is only about one-fifth of comparable industries, even as the healthcare industry turns more and more to online systems from ACLS recertification to sensitive patient records.
With changes in technology, digital filing is replacing the traditional paper filing systems. Often called the Electronic Health Record, EHR is a collection of patients’ health information. The idea is that patient records can be shared across different healthcare settings, and allow physicians access to medical history and other important information in order to provide better care. In 2005, the UK’s National Health Service began utilizing EHR systems and wanted to create a centralized database. While the plan was ultimately abandoned, the NHS continues to pursue digital solutions to sharing patient information. Ideally, EHR will lead to greater cost efficiency, care delivery and patient outcomes. However, the sharing of electronic information comes with greater threats and an increased need for strong IT security measures.
The problem is that breaches in network security don’t simply mean lost personal information. While having sensitive information in the wrong hands is scary, when it comes to healthcare, the consequences are much more severe. With so much medical equipment being controlled by computers, hackers could alter drug infusion pumps and administer lethal doses, or control defibrillators to deliver random shocks (or none at all). Even simpler, medical records could be altered, leading doctors to prescribe the wrong medicines or unable to access important information during life-threatening situations.
Ultimately, the responsibility of maintaining network security falls on the CEO. It’s his or her job to protect important assets, and patient information is just as important as physical assets. Because of the financial pressures CEOs face, proper measures are often sacrificed for cost saving features, which is a dangerous game to play in this industry.
In order for things to change, healthcare organizations need to switch their IT security strategies from reactive to preemptive. There are all too many examples of how ineffective (and costly) it is to handle a crisis without any preparation. CEOs need to take the lead and make network security part of their overall strategy. It should be a topic at C-suite meetings and board meetings, and it should be constantly reviewed and tested.
Part of the strategy should also include investing in a Chief Information Security Officer. IT departments are often spread so thin that having someone devoted to maintaining network security is too often overlooked. In addition, invest in hiring IT experts. Because such experts are in high demand, healthcare organizations are often left without them and have to hire junior IT security staff in their place. With the complexity of threats and the sensitivity of patient information, don’t settle for minimum qualifications.
One of the major contributing factors to breaches of personal health information is portable computing devices. Many organizations these days have adopted Bring Your Own Device policies. While there are many advantages to allowing employees to use devices they are familiar with, employees use these devices in so many different capacities that the risk of breaches is greatly heightened. Employees should be properly trained on how to protect patient information.
Finally, it would be wise to invest in a professional IT security assessment company. If you choose to do so, find a company with healthcare experience that is familiar with the issues facing the industry. Many IT security assessments are ineffective because the organization, or the individual doing the assessment, is inexperienced. Be aware of who you’re working with, and put in the time to do a little research and find the right company.