Threats to healthcare data are evolving just as quickly as healthcare technology itself — and really, why not? Cyber criminals are well aware that the information they can glean from medical records is a potential goldmine.
Even as cyber criminals keep circling healthcare businesses looking for an electronic place to pounce, the industry itself is giving them more such targets. Healthcare professionals increasingly rely on technologies such as computers and tablets to access, update, and record patient data electronically; healthcare data may also be shared between multiple facilities and healthcare providers. Each electronic device or transaction is a potential entry point for attackers.
Better data security is critical for reducing the risk of data breaches, malware, viruses, and other malicious attacks on healthcare data security. Here’s what you can do.
Healthcare data security
Data security is any preventative measure that helps secure and protect data. For healthcare organizations, data security begins by developing a plan to assure their own data and their patient data are as secure as possible.
Data security is particularly important in the healthcare field because of the unique type of information that can be stolen from healthcare organizations, and the significant damage a cyberattack can inflict on a patient’s quality of care.
Why healthcare data security is important
Unlike financial data, healthcare data remains constant over time. For example, a stolen credit card can be canceled, but healthcare records often include personal information such as names, Social Security numbers, birth dates, payment information, insurance identification numbers, protected health information, and more. Most of those things can’t be canceled. Nor do they change over time.
The permanent nature of this information makes it more valuable to cybercriminals, since it can help them with identity theft schemes or other forms of fraud. Long story short: healthcare hacking is profitable.
Many healthcare organizations, however, are unaware of the risks to healthcare data security and might be reluctant to make changes that might interfere with patient care. Quick and easy access to patient information is important, but healthcare providers need to strike a balance between accessibility and security.
Most importantly, the healthcare industry has a responsibility to protect patients’ sensitive data. At the same time, the costs of investigating and responding to healthcare security breaches can be enormous.
To protect your organization and your patients, it’s important to consider healthcare data security from the start, before any shortcomings you might have become an issue.
Common security threats to healthcare data
A healthcare data breach is any disclosure of data that might compromise the privacy of patients’ protected health information. Causes range from malware and ransomware to hacking and phishing, and to the loss or theft of laptops or other devices.
According to the HIPAA Journal, May was the worst month of 2021 to date for healthcare data breaches, both in number and severity.
Most healthcare organizations have a large number of unauthorized people (patients and visitors, for example) who can move freely in the facility. This increases the possibility of physical access to a restricted area or system, as well as the number of unsecured devices that are accessing the network.
Even on secured devices, a medical facility’s staff may be vulnerable to phishing. A medical professional without cybersecurity training may inadvertently open a phishing email using a secured device, leading to a healthcare data breach.
Although users are often considered the weakest link in keeping computer systems secure, network server incidents have started to dominate breach reports — so employee training is definitely not enough to protect your data and systems.
Medical devices themselves can be insecure and difficult to update as attack methods evolve. And even as healthcare tools and devices become more modern, they are increasingly part of the Internet of Things (IoT), which can be highly vulnerable.
Fortunately, you aren’t entirely on your own when it comes to preventing and defending against healthcare data breaches.
Healthcare data security and HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) regulates the use and storage of protected health information (PHI).
HIPAA compliance is required for organizations that are defined as “covered entities” (those that transmit and collect PHI) and business associates (those that have access to the data of covered entities).
Today, compliance with the privacy, security, and breach notification rules in HIPAA is a must for such covered entities, including healthcare providers, hospitals, and medical clinics.
The HIPAA Privacy Rule sets the national standards for the protection of individually identifiable health information by health plans, healthcare clearinghouses, and healthcare providers that conduct standard healthcare transactions electronically.
The HIPAA Security Rule sets security standards for protecting the confidentiality, integrity, and availability of electronic protected health information (e-PHI). It requires covered entities to implement technical safeguards including access control, allowing access to PHI only to those persons or software programs that need it. The rule also governs transmission security, encryption, and other security measures.
The Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured PHI. The rule states that covered entities suffering a data breach must notify affected individuals, the HHS Secretary, and, in certain circumstances, the media. In addition, business associates must notify covered entities in the event of a breach.
The Omnibus Rule implements a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act to strengthen the privacy and security protections for health information established under HIPAA. The Omnibus Rule also establishes accountability and penalties for organizations that mishandle PHI.
A HIPAA violation, or a failure to comply with any of HIPAA’s regulations or standards, can result in hefty monetary penalties and even jail time.
The law spans 115 pages with hundreds of ways an organization can violate the rules. The most common infraction is failing to perform a risk assessment or risk analysis.
Creating a healthcare data security plan
For your healthcare organization, security begins with updating an existing healthcare data security plan or creating one from scratch. Which steps your organization should follow depends largely on its size, and what types of healthcare data you need to protect.
Here are five steps any organization can take to create an effective and adaptable healthcare data security plan:
1. Control access to sensitive healthcare information and systems.
The best way to keep data secure is to make it available only on a need-to-know basis. Therefore, healthcare organizations must determine what information is relevant for which tasks and who should have access, and then set access controls accordingly.
Access controls let healthcare organizations manage data and determine who may use it. They work in two stages: authentication first verifies a user’s identity, then authorization determines whether that user has permission to take a certain action or view a specific item. Together, these two steps keep data secure and prevent data breaches.
Healthcare organizations need to design access controls that provide the necessary security without creating roadblocks that unnecessarily obstruct smooth operations.
Your organization should do the following to help control access to your sensitive healthcare information and systems:
- Restrict access to data and applications with two-factor authentication and other methods beyond usernames and passwords.
- Encrypt all sensitive data while stored and while it travels through communication channels.
- Monitor and log all access attempts and use of sensitive healthcare information.
- Adopt role-based access controls (RBAC) to ensure that employees and others are able to access only the data resources they require to do their jobs.
- Secure all mobile devices used by healthcare workers to access the healthcare service’s networks.
- Lock down all remote-access connections to the networks by using virtual private networks (VPN) and other secure communication technologies.
- Isolate devices that connect to healthcare networks as part of the growing Internet of Things (IoT).
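The following is an added example, not code from the article or from any vendor product, showing the first four controls above working together as a minimal need-to-know layer for PHI records: a second factor must be verified before any PHI access, each role maps to the minimum set of (resource, action) pairs its job requires, and every access attempt, allowed or denied, is written to an audit log. The role names, resource names, users and patient identifiers are constructed for illustration.

```python
"""Added example (not from the article or any vendor product): a minimal
need-to-know access control layer for PHI records. It combines an MFA
requirement, role-based authorization (RBAC) with deny-by-default, and an
audit log that records every access attempt. Role names, resource names,
users and patient ids are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# RBAC policy: each role maps to the minimum set of (resource, action) pairs
# its job requires. Anything not listed is denied by default.
ROLE_PERMISSIONS = {
    "physician":  {("phi", "read"), ("phi", "update"), ("notes", "read"), ("notes", "write")},
    "nurse":      {("phi", "read"), ("notes", "read"), ("notes", "write")},
    "billing":    {("billing", "read"), ("billing", "update")},
    "front_desk": {("demographics", "read")},
}

@dataclass
class User:
    name: str
    roles: set
    mfa_verified: bool = False  # set by the authentication layer after a second factor succeeds

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user, resource, action, patient_id, decision, reason):
        # Every attempt is logged, including denials, so monitoring can spot misuse.
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user.name, "resource": resource, "action": action,
            "patient": patient_id, "decision": decision, "reason": reason,
        })

def authorize(user, resource, action, patient_id, log):
    """Return True only if the user is strongly authenticated and one of the
    user's roles grants (resource, action). Every decision is logged."""
    if not user.mfa_verified:
        log.record(user, resource, action, patient_id, "deny", "mfa_not_verified")
        return False
    for role in user.roles:
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            log.record(user, resource, action, patient_id, "allow", f"role:{role}")
            return True
    log.record(user, resource, action, patient_id, "deny", "no_role_permission")
    return False

def denied_attempts(log, user_name):
    """Monitoring helper: number of denied attempts recorded for a user."""
    return sum(1 for e in log.entries if e["user"] == user_name and e["decision"] == "deny")

def demo():
    """Run four constructed requests and return (decisions, audit log)."""
    log = AuditLog()
    dr = User("dr_ahmed", {"physician"}, mfa_verified=True)
    clerk = User("clerk_lee", {"front_desk"}, mfa_verified=True)
    no_mfa = User("nurse_kim", {"nurse"}, mfa_verified=False)
    results = (
        authorize(dr, "phi", "update", "P-1001", log),            # allowed by role
        authorize(clerk, "phi", "read", "P-1001", log),           # denied: front desk sees demographics only
        authorize(no_mfa, "phi", "read", "P-1001", log),          # denied: second factor not verified
        authorize(clerk, "demographics", "read", "P-1001", log),  # allowed by role
    )
    return results, log

if __name__ == "__main__":
    results, log = demo()
    print(results)
    for entry in log.entries:
        print(entry)
```

The deny-by-default lookup is the point: a role that is not listed, or a (resource, action) pair that is not in the role’s set, never reaches an allow branch, and the denial itself is logged so that repeated refusals from one account show up in monitoring.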
2. Perform continual risk assessments.
While new medical technologies continue to advance the healthcare industry’s ability to treat patients, they also pose added security risks.
Healthcare risk assessments help hospitals, clinics, and doctor’s offices identify where they’re vulnerable to cyberattacks.
Risk assessments allow healthcare organizations to:
- Locate potential threats from within and outside an organization (internal and external threats).
- Estimate the damage such threats could inflict if exploited.
- Measure the likelihood of an attack.
HIPAA regulations also require risk assessments, which allow organizations to understand their weaknesses and vulnerabilities so they can protect themselves.
Here are some tips to keep in mind when planning and performing risk assessments:
- Conduct a data inventory to create a complete directory of all the data resources stored on the network, and confirm that each has been classified with the appropriate level of protection.
- Understand the steps required to comply with government regulations pertaining to healthcare data protections, including HIPAA and payment card industry (PCI) security standards.
- Run vulnerability tests continually to identify weak points in the network’s security as they occur.
- Extend the risk assessments to third-party networks that connect to the organization’s information systems whenever possible.
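As an added example that is not part of the article or any vendor product, the script below performs the inventory and classification check described in the tips above: every asset carries a classification and the controls actually applied to it, the check flags assets whose controls fall short of what their classification requires (or that have no classification at all), and the findings are ranked by likelihood times impact, with third-party-connected assets weighted slightly higher. The classification names, the required-control policy, the 1 to 5 scoring scale and the sample inventory are all constructed.

```python
"""Added example (not the article's own and not any vendor's product): a
data-inventory and risk-ranking check of the kind a risk assessment starts
with. Classification names, required controls, the scoring scale and the
sample inventory are constructed for illustration."""

# Minimum controls expected per classification (constructed policy).
REQUIRED_CONTROLS = {
    "phi":      {"encrypted_at_rest", "encrypted_in_transit", "access_logged", "mfa"},
    "pci":      {"encrypted_at_rest", "encrypted_in_transit", "access_logged"},
    "internal": {"access_logged"},
    "public":   set(),
}
# Impact of a breach on a 1..5 scale, by classification (constructed).
IMPACT = {"phi": 5, "pci": 4, "internal": 2, "public": 1}
THIRD_PARTY_WEIGHT = 2  # less visibility into networks the organization does not run

def assess(inventory):
    """inventory: list of dicts with name, classification, controls (set),
    likelihood (1..5) and optional third_party (bool). Returns findings
    sorted by descending risk score; an unclassified asset is itself a
    finding, scored at the highest impact because its exposure is unknown."""
    findings = []
    for asset in inventory:
        cls = asset.get("classification")
        if cls not in REQUIRED_CONTROLS:
            findings.append({"asset": asset["name"], "issue": "unclassified",
                             "missing": set(), "score": 5 * asset["likelihood"]})
            continue
        missing = REQUIRED_CONTROLS[cls] - asset["controls"]
        if missing:
            score = IMPACT[cls] * asset["likelihood"]
            if asset.get("third_party"):
                score += THIRD_PARTY_WEIGHT
            findings.append({"asset": asset["name"], "issue": "missing_controls",
                             "missing": missing, "score": score})
    return sorted(findings, key=lambda f: f["score"], reverse=True)

# Constructed sample inventory.
SAMPLE_INVENTORY = [
    {"name": "ehr_db", "classification": "phi", "likelihood": 3,
     "controls": {"encrypted_at_rest", "encrypted_in_transit", "access_logged", "mfa"}},
    {"name": "imaging_share", "classification": "phi", "likelihood": 4,
     "controls": {"encrypted_in_transit"}},
    {"name": "billing_api", "classification": "pci", "likelihood": 2, "third_party": True,
     "controls": {"encrypted_in_transit", "access_logged"}},
    {"name": "legacy_export", "classification": None, "likelihood": 2, "controls": set()},
    {"name": "public_site", "classification": "public", "likelihood": 5, "controls": set()},
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_INVENTORY):
        print(finding["score"], finding["asset"], finding["issue"], sorted(finding["missing"]))
```

Run against the sample inventory, the fully controlled EHR database and the public site produce no findings, the unencrypted imaging share ranks first, and the unclassified export ties with the third-party billing API, which is the kind of ordering a team can use to decide what to remediate first.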
A risk assessment will help your healthcare organization to prevent security breaches, stop network and system shutdowns, and avoid other security incidents.
3. Educate users about their role as the first line of defense.
Users are almost always the weakest link when keeping computer systems secure. Most cyberattacks require users to take some sort of action such as following a link, opening an email, or downloading a file.
Increased awareness about threats to data security can help healthcare professionals make more secure decisions. All healthcare organizations should invest in employee cybersecurity training.
Keep the following tips in mind when devising employee training programs:
- Train employees to identify phishing emails: messages that attempt to trick them into clicking a link or performing some other action that infects the network with a virus.
- Focus employee training on security policies designed to reduce human errors, and educate employees to recognize the techniques that cybercriminals rely on to breach healthcare systems and plant ransomware or other malware.
- Teach workers how to spot other social engineering techniques that cybercriminals use to plant ransomware in healthcare networks and commit other crimes.
4. Prepare for attacks and breaches with a backup and recovery plan.
Planning for worst-case scenarios allows healthcare organizations to limit the potential damage of security incidents. HIPAA regulations also mandate that healthcare organizations have comprehensive data backup plans, disaster recovery plans, and emergency mode operation plans.
A comprehensive contingency plan to manage cyberattacks should include the following:
- The use of off-site data backups to protect against natural disasters as well as cyberattacks and data breaches.
- A method for applying the latest patches and upgrades as soon as they are available to keep all applications and systems current.
- The ability to fully restore backups quickly in the event of a breach or ransomware attack.
Remember: backups stored on network shares that aren’t mapped as network drives are still vulnerable to a ransomware attack on healthcare information systems if workstations can access the shares.
5. Adopt a zero-trust security model.
Zero-trust security models operate under the premise that everything (whether it’s coming from within or outside the organization) requires verification before being allowed to connect to an organization’s system.
Because no network location is trusted by default, zero-trust models use tools such as multi-factor authentication, encryption, and analytics to evaluate each request for access. Even then, zero-trust models grant only the bare minimum access needed to accomplish the task at hand.
Keep the following in mind when setting up zero-trust models:
- It’s impossible to anticipate and prevent all inside threats or to assure that third parties will not be the source of an attack on data networks.
- The perimeter-based security model can’t accommodate the protection required for the Internet of Things (IoT), robotic health assistants, augmented reality, and advanced persistent threats (APTs).
- Healthcare organizations must implement continuous risk assessments that respond immediately as new threats arise and security priorities change.
- A growing share of your organization’s data assets will continue to reside in the cloud, which requires protecting cloud-based workloads and applications that are accessed from mobile devices and remote locations.
- The use of automation and artificial intelligence (AI) can help secure sensitive data, which is now distributed more broadly across ever-expanding networks.
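The following added example (not code from the article or any vendor product) shows the zero-trust premise of step 5 as a per-request decision. Each request is evaluated on its own signals: verified second factor, device enrolled in management, and device patch age. Being on the corporate network is recorded but never counts as a pass condition, and a successful request receives only a short-lived grant narrowed to the scope the task actually needs. The signal names, the 30-day patch threshold, the 15-minute grant lifetime and the sample requests are constructed assumptions.

```python
"""Added example (not from the article or a vendor product): a zero-trust
style access decision. Every request is judged on its own signals, whether
it comes from inside or outside the hospital network, and a successful
request receives a short-lived, narrowly scoped grant. Signal names,
thresholds and the sample requests are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_PATCH_AGE_DAYS = 30            # constructed threshold
GRANT_TTL = timedelta(minutes=15)  # constructed grant lifetime

@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool
    device_managed: bool          # enrolled in device management
    device_patch_age_days: int    # days since the device's last security update
    on_corporate_network: bool    # recorded, but deliberately not a pass condition
    requested_scope: str          # e.g. "phi:update"
    task_scope: str               # the narrowest scope the task actually needs

@dataclass(frozen=True)
class Grant:
    user: str
    scope: str
    expires_at: datetime

def evaluate(req, now=None):
    """Return (grant_or_None, reasons). A request fails on any missing
    signal; an over-broad request is trimmed to the task scope rather
    than honoured as asked."""
    now = now or datetime.now(timezone.utc)
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa_required")
    if not req.device_managed:
        reasons.append("unmanaged_device")
    if req.device_patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append("device_out_of_date")
    # req.on_corporate_network is intentionally never consulted here.
    if reasons:
        return None, reasons
    scope = req.task_scope
    if req.requested_scope != req.task_scope:
        reasons.append("scope_narrowed_to_task")
    return Grant(req.user, scope, now + GRANT_TTL), reasons

def is_valid(grant, now):
    """A grant is usable only before its expiry; there is no standing access."""
    return grant is not None and now < grant.expires_at

def demo():
    """Evaluate three constructed requests at a fixed time."""
    now = datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)
    inside_no_mfa = Request("nurse_kim", False, True, 3, True, "phi:read", "phi:read")
    remote_ok = Request("dr_ahmed", True, True, 5, False, "phi:update", "phi:read")
    stale = Request("dr_ahmed", True, True, 45, True, "phi:read", "phi:read")
    return {
        "inside_no_mfa": evaluate(inside_no_mfa, now),  # on-network but denied
        "remote_ok": evaluate(remote_ok, now),          # off-network but granted, narrowed
        "stale": evaluate(stale, now),                  # on-network, denied for patch age
        "now": now,
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The three sample requests make the contrast explicit: the on-network request without a second factor is refused, the remote request with a healthy managed device is granted but narrowed from update to read, and the on-network request from a device 45 days behind on patches is refused outright.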
Following these steps can seem overwhelming, especially in healthcare organizations where operations are focused on life and death situations.
Healthcare providers and their business associates must balance the protection of patient privacy with delivering quality patient care and meeting the strict regulatory requirements set forth by HIPAA and other regulations.
Fortunately, there are tools that can help your organization develop a healthcare data security plan fit for the modern world.
Data security and compliance are made easy with ZenGRC
Healthcare compliance is a demanding task. Using quality compliance software can make the job of HIPAA compliance much easier, enabling you to better do the work for which you entered the field: caring for your patients and improving their health.
ZenGRC from Reciprocity is a software-as-a-service that performs HIPAA self-audits, including risk assessments, in just a few clicks, as often as you like. It can provide up-to-the-minute views of your organization’s security and risk posture.
To manage your compliance program, you’ve also got to measure — and to comprehend the results.
ZenGRC’s color-coded, user-friendly dashboard provides an integrated view of HIPAA-regulated data, compliance, and services, showing you where gaps are and how to fill them.
Changes in HIPAA and HITRUST CSF, the framework designed to help with HIPAA compliance, occur frequently. ZenGRC updates itself automatically, assuring that you’re never behind the compliance curve.
To keep track of your compliance efforts, ZenGRC gathers and stores your HIPAA compliance documents in a single source of truth repository for easy retrieval come audit time.
Make ZenGRC part of your healthcare data security plan and schedule a demo today to ensure that all of your business systems and the data they hold are not just compliant; they’re also safe.