Healthcare practitioners are always concerned with how to protect patient data and comply with regulations about privacy and security. Coupled with trying to understand new technology that has become available in the last few years, it may be hard to know where to start. In this article, I will discuss why security is important and give you tips for how to protect patient data.
The value of medical data
Is the hype real? Is medical data really that valuable to criminals? According to the HHS “Wall of Shame” [1], where HIPAA breaches are reported, almost 30 million records were exposed between September 2009 and early 2014. A recent article on healthcareinfosecurity.com stated, “The federal tally of major health data breaches has hit a new milestone; it now lists more than 1,000 incidents affecting 500 or more individuals.”
From the perspective of today’s cyber criminal, electronic health records are a rich source of information that can be sold on the black market. What motivates cyber criminals is data that they can easily sell. Credit and debit card information is useful for criminals, and most doctors’ offices and insurance companies accept payment by either method. Electronic health records may include other information that has a broader utility than that in a credit card, such as social security numbers, which the bad guys can use to steal a person’s identity.
While federal rules and regulations (namely HIPAA) exist to help healthcare practitioners ensure the integrity and privacy of patient records and other sensitive medical data, compliance with those rules does not necessarily ensure security.
Breaches are real and problematic, but there are simple things you can do to help protect your patients’ data without impeding your ability to deliver quality healthcare:
Update Software Promptly
Updating your software – particularly your operating system, browser and any plug-ins – is one of the most important things you can do to minimize the vulnerabilities criminals can use to silently get into your machines. If you don’t already have auto-update enabled, as soon as you get a notice from your vendor, go directly to the vendor’s website to get the update.
Go Beyond Passwords
If you are protecting patient data, consider two-factor authentication: a second factor in addition to your password. This can be a biometric such as a fingerprint, a one-time passcode generated by a small key card or fob, or an app on your smartphone.
Encrypt Data at Rest and in Transit
HIPAA gives you a “safe harbor” provision [2] such that when you have properly encrypted data, both at rest and in transit, you may be able to avoid breach notification. This is because encryption from the point data is sent to the point it is received minimizes criminals’ ability to obtain anything useful, even if they do manage to breach your other defenses.
Conduct Regular Risk Assessments
You should be conducting a regular security risk assessment [3] to determine what defenses you will need. The Office for Civil Rights, which enforces HIPAA, will also be looking for proof of a current risk assessment in case of an audit. Be sure to include mobile devices such as smartphones and tablets, and non-Windows systems (especially Mac and Linux machines), in your assessment.
Choose Your Own Device
Having the ability to use a mobile device to check on your work-related information is a huge boon for responsiveness. Yet it also leads to a host of problems, as those devices are easily lost or stolen, and they may not be protected from malicious access or inadvertent data leakage. More offices are requiring that IT staff have access to employees’ devices, either by remotely managing the employee’s own device or by offering employees the choice of a mobile device with IT rules already in place. Either way, IT staff are able to scan for problematic apps or remotely wipe the device in case it is lost or stolen.
Use the Principle of Least Privilege
This principle simply means that no person, machine or system should have access to information it does not strictly need. Very few people should have Administrator-level access rights on their own machine. Any time you can restrict access without disrupting people’s ability to do their job, you should.
Watch Out For Leaky Data
There are many ways data can leak out of your organization that people may not consider. Mobile and wireless devices are common paths for data to leave your organization. Wi-Fi networks need to be properly secured with WPA2 encryption. Text or instant messages discussing patient data need to be encrypted too. You may also wish to disable the ability to copy and paste or print from certain applications.
Compliance with regulations like HIPAA may conjure the mental image of someone bending over backwards to follow rules. But good security should not impede your ability to do your job. Protecting patient data is simply another way of ensuring your patients’ health and safety.
Lysa Myers is a security researcher with ESET. For more information, visit www.eset.com.
[1] US Dept. of Health and Human Services. Health Information Privacy: Breach Notification Rule. http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html. Published 2014.
[2] Yale University HIPAA website. Safe Harbor Encryption. http://hipaa.yale.edu/security/breach-prevention/safe-harbor-encryption. 2014.
[3] New NIST Publication Provides Guidance for Computer Security Risk Assessments.