The rate at which healthcare entities are targeted by hackers has increased alarmingly over the course of the past several months. This is mostly due to the healthcare industry’s focus on combating the coronavirus pandemic. As such, data protection in healthcare has fallen by the wayside. The importance of data protection in healthcare and tips on what security measures to implement are discussed below.
Data Protection in Healthcare: Security Measures
Hackers will always exploit organizations when they are most vulnerable, such as during a global pandemic. Josh Gluck, Vice President of Global Healthcare Technology Strategy at Pure Storage states, “Nefarious people like to do their work in the most difficult times when people’s focus is in other places. With healthcare organizations focused on supporting increased capacity and a remote workforce at an unanticipated speed and scale, their defensive posture is reduced. This situation has created a perfect environment for bad actors to do their work.”
This is why data protection in healthcare is more important than ever. Organizations working with protected health information (PHI) have an obligation to ensure its confidentiality, integrity, and availability.
◈ Confidentiality. PHI collected on patients holds a wealth of information. When PHI falls into the wrong hands, it can be used to commit identity theft or fraud. Organizations working with PHI have an obligation to ensure the confidentiality of PHI, protecting it against unauthorized individuals.
◈ Integrity. PHI must also be protected against corruption. As such, healthcare organizations must implement safeguards to prevent individuals from altering PHI without authorization.
◈ Availability. To ensure quality of service, PHI must be readily available. This includes having access to PHI in the event of an emergency or natural disaster.
To achieve this, organizations must implement HIPAA safeguards in the form of administrative, physical, and technical protections.
◈ Administrative. HIPAA requires PHI to be used and disclosed in accordance with the minimum necessary standard. The minimum necessary standard states that PHI should only be used and disclosed for a specific purpose. As such, organizations must implement administrative safeguards to control and track access to PHI. This includes user authentication, access management, audit logs, etc.
Gluck advises, “It’s highly complex to get an identity management program into place, but it is highly beneficial, especially in times like this. Knowing who the people are in your organization, what roles they have to do, and what data they need to access to fulfill those requirements becomes extremely important to weeding out what is good versus what is suspect.”
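To make the administrative safeguards above concrete, here is an added illustration (not code from the original article or from Pure Storage) of a minimum-necessary access check: each role is granted only the PHI fields it needs, every request is written to an audit log, and repeated denials for one user can be pulled out for review. The roles, field names and patient record are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical "minimum necessary" policy: the PHI fields each role needs for its job.
# Roles, fields and patient records below are constructed for this example.
ROLE_PERMISSIONS = {
    "physician": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "dob", "insurance_id"},
    "scheduler": {"name", "phone"},
}

# Constructed sample records; a real system would read from the EHR database.
PATIENTS = {
    "P001": {"name": "A. Example", "dob": "1970-01-01", "phone": "555-0100",
             "diagnosis": "example-dx", "medications": ["example-rx"],
             "insurance_id": "INS-EXAMPLE"},
}


@dataclass
class AuditEntry:
    timestamp: str
    user: str
    role: str
    patient_id: str
    requested: frozenset
    granted: bool


@dataclass
class PhiAccessControl:
    """Grants only the fields a role is permitted and records every attempt."""
    audit_log: list = field(default_factory=list)

    def request(self, user, role, patient_id, fields):
        requested = frozenset(fields)
        allowed = ROLE_PERMISSIONS.get(role, set())  # unknown role -> nothing
        granted = requested <= allowed and patient_id in PATIENTS
        # Every attempt is logged, denied ones included, so auditors can review it.
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user, role, patient_id,
            requested, granted))
        if not granted:
            return None
        record = PATIENTS[patient_id]
        return {f: record[f] for f in requested}

    def denied_attempts(self, user):
        """Count of refused requests by a user; repeated denials merit review."""
        return sum(1 for e in self.audit_log if e.user == user and not e.granted)
```

Note that a request asking for one field beyond the role's set is refused as a whole rather than partially served; that keeps the audit log an honest record of what was attempted.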
◈ Physical. Physical safeguards refer to securing PHI at an organization’s physical location. This includes installing an alarm system and locking areas in which PHI is stored. Since many workers are now working remotely, this has become more complex. Employees working from home must ensure that they do not leave PHI unattended where it could be accessed by unauthorized individuals (even members of their own family).
◈ Technical. To ensure that electronic protected health information (ePHI) – PHI stored in an electronic format – is secure, organizations must implement technical safeguards. This includes encrypting data, installing firewalls and antivirus software, determining which systems have access to PHI to ensure that it is adequately protected, etc.
According to Gluck, “Having the right data in the right place and knowing where it is can also help an organization understand when data is maybe moving out of a system that it shouldn’t move out of or it’s living in a system that it shouldn’t live in.”
Data Protection in Healthcare: Employee Training
One of the most common causes of healthcare breaches is phishing attacks. Phishing attacks occur when a hacker poses as a trusted entity in the hope of baiting email recipients into clicking on a malicious link. Many employees fall for the ruse because they have not had proper training on how to recognize phishing attempts. As such, an essential aspect of data protection in healthcare is training employees to recognize phishing attempts so that they do not fall victim.