The world of health care has been drastically transformed through the development of electronic systems used to transmit data between physicians, diagnostic clinicians, lab techs and other practitioners. Although they have advanced patient care, these systems also make securing protected health information (PHI) far more complicated than the old “lock and key” approach.
Although more than a year has passed since the cyber attack on health insurance giant Anthem, many industry experts are still asking questions: What went wrong? Who is at fault? Were there preventative measures that could’ve been taken? And while these questions have yet to be answered, immediate action must be taken to achieve better security. In this slideshow, Mark Hickman, COO at WinMagic, discusses the top five ways health care organizations can protect themselves from a data breach.
Securing Health Care Information
Five ways health care organizations can better protect protected health information (PHI) from a data breach, as identified by Mark Hickman, COO at WinMagic.
Experts believe PHI is so attractive to attackers because of the high profitability of the personal and financial information contained within medical records. As a result, health providers should exercise the concepts of “encrypt everything” and intelligent key management, and the two must be handled separately. Isolating the encrypted data from the encryption key means that a compromise of the stored data alone does not expose the information.
Enforce Policies on Lost or Stolen Devices
Forty-three percent of data breaches are due to lost or stolen devices, with smartphones and tablets outranking desktop and laptop computers as the devices most likely to go missing. There are numerous examples of data leakage caused by employee negligence. At Oregon Health & Science University (OHSU), the PHI of approximately 1,000 patients was exposed when an unencrypted laptop was stolen from an employee’s car. In a separate breach, also at OHSU, the PHI of 14,000 patients was compromised when an unencrypted thumb drive was stolen from an employee who had brought it home without authorization.
Even when a device is stolen, encryption keeps the data on it from falling into the wrong hands. This makes it vital for organizations not only to implement clearly defined procedures for protecting mobile and employee-owned devices, but also to enforce them.
Exercise Caution When Accessing Foreign Networks
In a Cisco report on BYOD, 59 percent of respondents who used smartphones to access PHI said the smartphones were not password protected, 53 percent of respondents accessed unsecured or foreign Wi-Fi networks, and 48 percent of respondents could not confirm whether they had disabled “discovery mode” on their Bluetooth devices and smartphones, which leaves these devices extremely vulnerable to a cyber attack. Many health care roundtable participants also reported that it was not uncommon for doctors to email PHI to personal email addresses (a known HIPAA violation), which opens yet another opportunity for access to unencrypted PHI.
IT departments at health care organizations should enforce strict requirements with respect to health care providers accessing PHI via mobile devices.
Beware of Medical Devices and Mobile Apps
Be careful when downloading apps, and monitor all technology involved in the health care environment. Shockingly, nearly 20 percent of breaches within the health sector are caused by insecure mobile apps and medical devices.
Data Storage in the Cloud
A third of health care organizations say that when it comes to data security, they are most concerned about the use of public cloud services. However, it is not just public services that should be of concern. Among private cloud storage providers, security measures vary widely in both type and implementation. Because HIPAA rules apply to business associates and their subcontractors or vendors, it’s important that all cloud service providers contractually agree to adhere to HIPAA standards.
If health care organizations allow the implementation of cloud-based applications such as enterprise file-sync-and-share services, IT departments should ensure that a solution is in place to encrypt files at the endpoint before they are pushed to the cloud.
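The two ideas above, isolating the encryption key from the encrypted data and encrypting at the endpoint before upload, combine into envelope encryption. The following is an added example, not code from the article or from WinMagic; the key-encryption key (KEK), the object name used as associated data and the split between a cloud object and a key-manager record are assumptions for illustration.

```ruby
require 'openssl'
require 'securerandom'

# Envelope encryption done at the endpoint, before anything is uploaded.
# The file is sealed under a fresh per-file data key (DEK) and the DEK is
# sealed under the organization's key-encryption key (KEK). The sealed file
# goes to the cloud; the sealed DEK stays with the key manager. Whoever
# obtains only one of the two learns nothing about the PHI inside.
module Envelope
  KEY_BYTES = 32   # AES-256
  NONCE_BYTES = 12 # standard GCM nonce length
  TAG_BYTES = 16   # GCM authentication tag length

  # Returns nonce || auth tag || ciphertext. object_id is authenticated as
  # associated data, so a key record cannot be reused for a different file.
  def self.seal(key, data, object_id)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = key
    nonce = SecureRandom.random_bytes(NONCE_BYTES)
    cipher.iv = nonce
    cipher.auth_data = object_id
    ciphertext = cipher.update(data) + cipher.final
    nonce + cipher.auth_tag + ciphertext
  end

  # Reverses seal. A wrong key, a tampered blob or a different object_id
  # raises OpenSSL::Cipher::CipherError instead of returning garbage.
  def self.unseal(key, blob, object_id)
    raise ArgumentError, 'truncated blob' if blob.bytesize <= NONCE_BYTES + TAG_BYTES
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = key
    cipher.iv = blob.byteslice(0, NONCE_BYTES)
    cipher.auth_tag = blob.byteslice(NONCE_BYTES, TAG_BYTES)
    cipher.auth_data = object_id
    cipher.update(blob.byteslice(NONCE_BYTES + TAG_BYTES, blob.bytesize)) + cipher.final
  end

  # Endpoint side: returns the object for the cloud and the record for the
  # key manager. Store them in different systems with different access paths.
  def self.encrypt_for_cloud(kek, plaintext, object_id)
    dek = SecureRandom.random_bytes(KEY_BYTES)
    { object: seal(dek, plaintext, object_id), key_record: seal(kek, dek, object_id) }
  end

  # Reader side: unwrap the DEK with the KEK, then open the object.
  def self.decrypt_from_cloud(kek, object, key_record, object_id)
    dek = unseal(kek, key_record, object_id)
    unseal(dek, object, object_id)
  end
end
```

A cloud provider that holds only the object, or an insider who holds only the key record, cannot recover the file; revoking access is then a matter of controlling the KEK rather than re-encrypting every stored object.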