Solutions for the Top 5 Security Vulnerabilities

A recent article from HealthCareITNews.com details the top five security vulnerabilities that “could mean trouble” – that is, result in a data breach. While these risks are entirely valid, the article doesn’t offer tactical solutions or alternatives to reduce said risks. [Note: these security vulnerabilities should be of concern in any industry, not just healthcare – i.e., financial, ecommerce, software, etc.].

So I thought I would respond:

Theft.
The article acknowledges that lost or stolen media, often in the form of a backup tape or laptop, were the culprit for a data breach. The Sutter Health incident involving a break-in and theft of a desktop computer is used as an example. But the article fails to provide a way to prevent the loss of innumerable patient records by media theft.

Keeping ePHI (electronic protected health information) or other sensitive information on secure networks, and not physical devices can greatly decrease the potential risk of allowing thieves access to ePHI. With remote access to networks using mobile devices, the use of two-factor authentication is greatly recommended – it verifies the identity and access level of the user trying reach the data. Read more about this here: Keep ePHI on Secure Networks, Not Mobile Devices, Recommends OCR.

In addition to keeping data in HIPAA compliant data centers with standardized network security in place, investing in an offsite backup solution that doesn’t use tapes can help prevent a data breach.

READ

4 Healthcare Processes That Are Changing For The Better

Mobile devices.
Similar to the theft issue, mobile devices “don’t have the same level of security controls as computer systems,” the article claims. In addition to keeping ePHI/sensitive data off of physical devices, a BYOD (Bring Your Own Device) and mobile policy can standardize users’ behavior when it comes to transmitting, storing and accessing data.

A solid set of policies and procedures, as well as a security awareness and training program can ensure your employees know what is expected when it comes to the use of mobile devices.

Dissemination of data.
Target data sharing between healthcare organizations and third-parties, the article claims the lack of security, tracking and auditing capabilities as a source of data breaches. The article states those that transmit data must “invest in technology and processes that protect the data in transit and at rest.” But what kind of specific technology could do that?

SSL certificates can secure the transit of information from a web server to the user by starting a secure session and encrypting shared data. Encryption for data at rest and in transit should follow the U.S. government, NIST-approved (National Institute of Standards and Technology) AES-256 (Advanced Encryption Standard). Additionally, using SFTP (Secure File Transfer Protocol) to transfer files can help secure and validate the identity of users.

Outsourcing to business associates or third-party vendors.
The article mentions the growth in outsourcing, and the need for business associates, vendors and partners to follow national regulations (HIPAA, PCI, SOX, etc.). The article mentions pre-contract assessments of business associates, and post-contract compliance assessments, but more due diligence should be done pre-contract to minimize as much risk as possible.

READ

How Technology Affects Doctor-Patient Relationship?

Start by asking managed hosting providers for a copy of their Report on Compliance (ROC), for any type of compliance. This means they’ve invested in an independent audit of their facilities and services and were found to be operating at 100% compliance with the standards.

A HIPAA hosting provider should also be able to provide documented policies and procedures of their security practices, dates and signed documentation of employee training, and a comprehensive Business Associate Agreement (BAA) outlining their responsibilities and incident response protocol.

The cloud.
The article gets kind of vague here, stating that cloud computing is popular because it’s cost-efficient to outsource both storage and compliance out to a provider, yet it “adds another layer of potential breach exposure to a healthcare organization.” The article concludes by stating the responsibility of securing information in the cloud is ultimately on the shoulders of a covered entity, which is true, but can be alleviated by doing their due diligence as described above.

Another article I wrote, Outsourcing Cloud Computing Security, outlines sample questions to ask your potential new HIPAA cloud hosting provider. Cloud Computing and Compliance also explains the difference between Software/Infrastructure-as-a-Service.

Healthcare Organizations: Seeking a Cloud Provider? BAAs Required quotes David S. Holtzman of the HIPAA enforcement entity, OCR (Office of Civil Rights):

If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don’t use the cloud service.

The article also lists important provisions in your cloud contract to minimize security vulnerabilities and ultimately protect your PHI.

References
5 Security Vulnerabilities That Could Mean Trouble

Your Financial Health Check-Up

How Healthcare Professionals Can Keep on Top of Stress at Work

Just Like Any New, Burgeoning Shiny New Object, Healthcare CRM Has Its Own Challenges

How Predictive Analytics And Big Data In Healthcare Can Improve Care

Entrepreneurs Must Integrate Mission-Driven Strategic Investors

6 Healthcare Financial KPIs You Need for 2017

Determining the ROI on Aquatic Therapy in Your PT Practice

How to Monetize Mobile Healthcare Apps

How Healthcare Professionals Can Keep on Top of Stress at Work

Just Like Any New, Burgeoning Shiny New Object, Healthcare CRM Has Its Own Challenges

How Predictive Analytics And Big Data In Healthcare Can Improve Care

When The Doctor Is Hurting: Ergonomic Solutions For Medical Professionals

Nursing Home Alternatives: 3 Ways Seniors Can Age In Place

The AMA Will Release 335 CPT Code Updates Next Year

Assessing The Value Of Patients’ Fitness Trackers

Addressing Addiction In Primary Care

The AMA Will Release 335 CPT Code Updates Next Year

Medical Data & Patient Privacy: An Update

Tackle Telemedicine Coding With These CPT® and CMS Pointers

What Is Interoperability and Why Is It Important in Healthcare?

8 Health & Safety Apps & Devices to Recommend to Your Patients

Mobile Medical Apps: A Game Changing Healthcare Innovation

What Is Interoperability and Why Is It Important in Healthcare?

How a New Patient Experience Model Will Drive the Future of Connected Healthcare?

EHR For Rural Hospitals: Criteria And Access

How Big Data Can Be Used To Prevent Fatal Heart Attack

Patient-Generated Health Data: a Shift in Care Delivery?

How Financial Barriers are Slowing Down Telehealth Adoption

Should Healthcare Care About Branding?

How can Healthcare Professionals Manage their Reputation Online

How to Handle Negative Physician Reviews and Feedback

5 Effective Ways to Market Healthcare to Millennials

The Rising Tide Of Dental IoT: What You Need To Know

Forces Driving The Growth Of Wearable Medical Device Market

What Is Functional Medicine? An Absolute Beginner’s Guide

9 Medical Apps That Everyone Should Know About

Forces Driving The Growth Of Wearable Medical Device Market

9 Medical Apps That Everyone Should Know About

8 Health & Safety Apps & Devices to Recommend to Your Patients

Is Demand For Medical Device Outsourcing Increasing In The U.S.?

What Is Functional Medicine? An Absolute Beginner’s Guide

Playing God: Bioengineering and the Future of Medicine

Just Like Any New, Burgeoning Shiny New Object, Healthcare CRM Has Its Own Challenges

Is Demand For Medical Device Outsourcing Increasing In The U.S.?

3 Healthcare Technology Advances Transforming The Industry

5 Habits That Negatively Affect Your Health

10 Ridiculously Cool Facts You Did Not Know About CBD Vape Oil

4 Common Eye Test Myths That Optometrists Want You To Know About

Minimizing Data Chaos in the Healthcare Industry

3 Reasons To Focus on Prevention, Rather Than Antibiotic Treatment for UTIs

Cosmetic Dentistry In 2018: What’s New And What To Expect

All you need to know about Hepatitis B Symptoms

Do Hearing Aids Cause Hearing Loss? 3 Misconceptions Explained

The Complicated Rise of Interventional Cardiologists

How Big Data Can Be Used To Prevent Fatal Heart Attack

Peripheral Vascular Stenting to 2020

In Praise of FDA Collaboration: The Cardiac Safety Example

Understanding Alzheimer’s Disease: What’s Next? [Infographic]

Why Primary Care Physicians Are the Next Phase in CCRC Care

The Dos and Don’ts of Handling Elderly Patients

Five Fields In Healthcare That Are Quickly Growing

The Weight Conscious Doctor: Why Sensitivity Matters

Top 5 Reasons Why you’re Not Losing Weight on Your Diet

Starting a New Eating Plan? What you Need to Know about Macro and Micronutrients

Should You Recommend Bariatric Surgery to Obese Patients?

What Is Scoliosis? 4 Ways To Treat It

Do it like Disney: Developing Orthopedic Centers of Excellence

Lessons on Building a Great Ortho Team from The Avengers

What Orthopedic Patients Want this Holiday Season

Radiology as an Enterprise Model for Collaboration

Relationship Between Clinical Decision Support Systems (CDSS) & Radiology Must Evolve

Diagnostic Reading #33: Five Must-Read Articles from the Past Week

2015 CPT Coding Changes and Your Radiology Practice

Stop The Sneeze: 10 Helpful Tips On How To Deal With Allergies

3 Ways To Stop Long Term Whiplash Pain And Start Healing

The Most Addictive Drugs Available With a Prescription

Culture Shock vs. Depression In Childcare Workers

Stop The Sneeze: 10 Helpful Tips On How To Deal With Allergies

How Ordering Your Groceries Online Can Help You Eat Healthier

4 Health Benefits of Pecans