Did you know that medical data on 20,000 people may be exposed to abuse today? That is the number of people per day whose protected health information was breached on average in 2013, based on breaches reported to the U.S. Department of Health & Human Services.
As a healthcare practitioner, you may not be aware of the value of the data in your care, but criminals certainly are. Doctors may have historically been wary of security measures that might slow them down in an emergency, but there are ways to improve security that will not impede their work. Having too little concern for security can have a big impact on all of your patients, not just those with emergencies. In this article, we look at the challenges, and seven suggestions for tackling them. (You can hear more on this topic in our free recorded healthcare data privacy webinar on Brighttalk.)
Money, Money, Money!
You may be wondering what data healthcare practitioners have that is all that interesting. From the perspective of today’s cybercriminal, electronic health records are a treasure trove of information that can be sold on the black market. While federal rules and regulations (namely HIPAA) exist to help healthcare practitioners protect our data, compliance with those rules does not necessarily equal security.
What motivates cyber criminals is what inspires so many things in life: Money. Obviously credit and debit card information is useful for criminals, and most doctors’ offices and insurance companies accept credit or debit cards from their patients. But electronic health records may include other information that is useful to criminals.
Social Security Numbers are often required for insurance purposes, and these can be used to steal a person’s identity, which can be a lot worse than someone stealing his or her credit card. Doctors and insurance companies also gather your name, your physical address, phone numbers, and maybe your email address.
While Target retail stores stole the data hijacking headlines late last year, only 13% of the reported breach incidents in 2013 were in the retail sector, while 45% were in the medical field (according to Privacy Rights Clearinghouse). According to the HHS “Wall of Shame” where HIPAA violations are reported, almost 30 million records have been exposed between September 2009 and last month. The cost of these breaches, in terms of fines and fixing the damage, quickly adds up.
The bad news is that breaches are a real, scary thing. The good news is that there are simple things you can do, as a healthcare practitioner, to help protect that important data. Here are a few things you can do that will help you improve your security without impeding your ability to respond to your patients quickly:
- Update, update, update
Regular updates of all software is one of the most important things you can do to minimize the vulnerabilities criminals can use to silently get into your machines. And vendors often provide updates at no cost to you. When you get a notice from your vendor, be sure to go directly to the vendor’s website to get the update as soon as possible.
- Layered defenses
Do not expect one security product to protect you against every possible threat. Make sure you have an anti-malware suite on all devices that access your network (do not forget smartphones, Android tablets, Linux servers, and Mac computers along with your Windows machines). You should also have a firewall at the gateway to your network and on all your individual machines. And any important data should be encrypted both in storage and any time it leaves your machine, like via email or on devices like smartphones or USB sticks.
- Passwords are not enough
If you are protecting lots of patient data, a password alone may not be enough. Consider two-factor authentication. This can be a biometric like a fingerprint or a one-time passcode that is provided to you, via a small digital key card or fob, or even an app on your smartphone.
- Choose Your Own Device
Having the ability to use a mobile device to check on your work-related information whenever and wherever you are is a huge boon for responsiveness. But it also leads to a host of problems, as those devices are easily lost or stolen and they are less apt to be protected from malicious access. More and more offices are offering employees the choice of a mobile device, one that IT staff can scan for problematic apps or links, or remotely wipe in case the device is lost or stolen.
- Principle of Least Privilege
The Principle of Least Privilege simply means that no person, machine, or system should have access to things they do not strictly need. For instance: Financial data should be in a different part of the network, and completely cut off from people who do not need to access it. And very few people, if any, should have Administrator-level access rights on their own machine. Any time you can restrict access without disrupting people’s ability to do their job, you should.
- Encrypt everywhere
We covered this a little in the “layered defenses” tip, but it very much bears repeating. When we have something that is valuable, we lock it up when it is not in use. It is the same with data; if you have valuable data, it should be encrypted whenever it is not directly in use. That means when it is in storage, it should be encrypted. When it is being accessed or sent over the network, it should be through an encrypted connection. Having encryption from end to end minimizes criminals’ ability to get any useful data, even if they do manage to breach your other defenses.
- Watch out for leaky data
There are other ways data can leak out of your organization, that people may not think of. Wi-Fi is becoming a fact of life – there is a sort of expectation that wherever you go, there will be a Wi-Fi network you can access, especially at work. But that Wi-Fi can be an easy way for attackers to get in to your network, if it is not properly secured. Sensitive data should not be accessible by the Wi-Fi network at all. Many healthcare practitioners I have talked to also note that IT stuff has disabled the ability to copy and paste or print from certain applications, so that data stay only where they are supposed to be. This option is available in a number of popular applications.
Compliance, as with regulations like HIPAA, may conjure the mental image of someone bending over backwards to follow rules. But good security should not make doing your job impossible. With a variety of small changes, the effect on your ability to do work should be negligible. And the effect of maintaining your patients’ trust by protecting their data is certainly to make your job easier.
Author Lysa Myers, ESET