There are numerous healthcare data security challenges in the industry, and these challenges will only continue to evolve as technology becomes more complex and providers work to stay current.
Healthcare cybersecurity threats are often thought of as key instigators in data breaches, and while often true, this is not always the only factor for which covered entities and business associates must prepare.
There are five key challenges in terms of healthcare data security, according to a recent blog post by Carrie L. Douglas and Debra L. Innocenti, partners in Strasburger & Price. However, with comprehensive risk management, organizations can ensure that they are effectively keeping patient data secure.
First, Douglas and Innocenti explain that healthcare ransomware is one of the top threats in terms of healthcare data security.
Whether a hospital employee inadvertently downloads malware in a file, or a third-party attacker successfully infiltrates a network, ransomware can put an entire EHR on lockdown and prevent providers from accessing patient files.
Regular backups are essential, the duo wrote, and it is critical to ensure that they are not connected to the main system.
“Instruct employees to be cautious about unsolicited attachments, and provide training sessions about best practices when downloading email attachments and accessing the Internet,” Douglas and Innocenti stated. “Administrators should receive extra training and should limit their email and Internet activity while logged in as administrators.”
According to Foley & Lardner information security lawyer Mike Overly, strong employee training, updated technology, and ensuring that a comprehensive disaster recovery plan is in place are also key parts to preventing healthcare ransomware attacks.
In an earlier interview, Overly explained that employee education is the first line of defense for any provider. Covered entities must ensure that the training is appropriate for users who may not necessarily be familiar with technology, and that staff members understand why these steps are important.
The second issue currently facing healthcare organizations is shadow IT, which is where “employees circumvent their employers' established security measures through unapproved practices and software.”
There might not always be malicious intent, according to Douglas and Innocenti. For example, an employee might simply be trying to finish a project on deadline and upload information to a personal cloud storage database or send data to a personal email.
“Organizations should institute clear policies on accessing, storing, and transmitting PHI, including an acceptable use policy for personal and organization-owned devices,” the blog maintained. “The policy should allow the organization to examine devices and cloud services used by employees to make certain all organization data is deleted from those systems when employees leave or are terminated.”
As previously explained, the Department of Health and Human Services even states that organizations must ensure that employees are only given access controls that are the “minimum amount necessary” in order to properly perform their job. For example, an employee who works in billing may need access to certain financial information, but does not necessarily need access to a patient’s medical history.
A lack of strong passwords is another key issue discussed by Douglas and Innocenti. Employees often need to have multiple passwords for email and networks, or might even need to change passwords every few weeks.
This could result in staff members creating weak passwords or using the same password for multiple credentials.
“When forced to change passwords, employees may transform them just enough to get past security protocols, or they may squirrel them away in nearby lists,” the duo explained.
This data security issue calls back to the importance of strong technical safeguards. These federal requirements are designed to be flexible so each organization can create measures that cater to their needs, but they cannot be dismissed.
Not only can comprehensive password policies help protect against hacking incidents, but they can also make it more difficult for phishing scams to result in cracked passwords.
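The “transform them just enough” habit Douglas and Innocenti describe can be caught at password-change time. The following is an added illustration, not code from the blog post or from any organization named in the article: it normalizes a proposed password (stripping the trailing year or counter and undoing common symbol swaps) and compares it with the previous one, and it also rejects reuse against a salted PBKDF2 history. The policy values, the symbol table and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Constructed policy values (hypothetical, not from the article).
MIN_LENGTH = 12
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 200_000

# Common letter-for-symbol swaps users apply to "refresh" a password.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                       "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Reduce a password to its core word so cosmetic rotations compare equal.

    Strips leading/trailing digits and punctuation (the "Winter2016!" ->
    "Winter2017!" pattern), lowercases, undoes common symbol substitutions,
    and drops any remaining non-letters.
    """
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    core = core.lower().translate(_LEET)
    return re.sub(r"[^a-z]", "", core)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the stored history holds (salt, digest) pairs."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH stored hashes."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def evaluate_change(old_password: str, new_password: str,
                    history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the policy violations for a proposed change; an empty list means accept."""
    problems = []
    if len(new_password) < MIN_LENGTH:
        problems.append("too short")
    if normalize(new_password) == normalize(old_password):
        problems.append("trivial transformation of previous password")
    if in_history(new_password, history):
        problems.append("reused within last %d passwords" % HISTORY_DEPTH)
    return problems


if __name__ == "__main__":
    # Constructed prior password for the demonstration.
    history = [hash_password("Winter2016!")]
    print(evaluate_change("Winter2016!", "Winter2017!", history))
    print(evaluate_change("Winter2016!", "maple-syrup-on-pancakes", history))
```

The normalization deliberately errs toward rejecting: a new password that shares its core word with the old one is refused even if it is otherwise strong, because the point of the check is to stop the predictable rotation rather than to score entropy.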
As mentioned earlier, employees are often one of the weakest links in any healthcare organization. Employee education and training are essential to maintaining data security, and applying the “minimum necessary” standard also ensures that no one person has access to more data than their role requires.
“Data and data accounts should be mapped out on an organizational chart (showing who has access to what), so that appropriate safeguards can be applied when personnel leave the organization or are fired,” according to the blog post.
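The two ideas in this part of the article, the HHS “minimum necessary” standard and the blog post's suggestion to map data accounts onto an organizational chart, fit naturally into a small role-to-data-set model. The code below is an added example (not from the blog post, HHS or any named organization): it records which data sets each role legitimately needs, flags accounts whose grants exceed their role, builds the “who has access to what” chart, and produces the revocation list for a departing person. All role names, data sets and user names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Hypothetical role -> data-set table; constructed for this example.
ROLE_DATASETS: Dict[str, Set[str]] = {
    "billing": {"claims", "insurance"},
    "clinician": {"clinical_notes", "lab_results", "medications"},
    "it_admin": {"audit_logs"},
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    granted: frozenset  # data sets the account can actually reach today


def excess_access(acct: Account) -> Set[str]:
    """Data sets granted beyond the minimum-necessary set for the account's role."""
    return set(acct.granted) - ROLE_DATASETS.get(acct.role, set())


def minimum_necessary_report(accounts: Iterable[Account]) -> Dict[str, List[str]]:
    """Users whose grants exceed their role, with the surplus data sets."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        surplus = excess_access(acct)
        if surplus:
            report.setdefault(acct.user, []).extend(sorted(surplus))
    return report


def access_map(accounts: Iterable[Account]) -> Dict[str, List[str]]:
    """The 'who has access to what' chart: data set -> sorted list of users."""
    chart: Dict[str, Set[str]] = {}
    for acct in accounts:
        for ds in acct.granted:
            chart.setdefault(ds, set()).add(acct.user)
    return {ds: sorted(users) for ds, users in chart.items()}


def offboarding_checklist(user: str, accounts: Iterable[Account]) -> List[Tuple[str, str]]:
    """Every (role, data set) pair to revoke when this person leaves."""
    return sorted((a.role, ds) for a in accounts if a.user == user for ds in a.granted)


# Constructed sample directory: j.doe holds two accounts, one over-provisioned.
SAMPLE_ACCOUNTS = [
    Account("j.doe", "billing", frozenset({"claims", "insurance", "clinical_notes"})),
    Account("j.doe", "it_admin", frozenset({"audit_logs"})),
    Account("a.lee", "clinician", frozenset({"clinical_notes", "lab_results"})),
]

if __name__ == "__main__":
    print(minimum_necessary_report(SAMPLE_ACCOUNTS))
    print(access_map(SAMPLE_ACCOUNTS))
    print(offboarding_checklist("j.doe", SAMPLE_ACCOUNTS))
```

Keeping grants per account rather than per person is what makes the offboarding list complete: a person with a billing login and a separate admin login shows up under both, so neither is left behind.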
Beth Israel Deaconess Medical Center (BIDMC) CIO John Halamka, MD, MS explained similar concerns in a post toward the end of 2015. Specifically, even though organizations “spend millions on new technology, countless hours on policy writing, and engage all stakeholders to enhance their awareness…we’re as vulnerable as our most gullible employee.”
While BIDMC increased its education efforts, it also implemented filters to prevent outgoing mail and internet traffic from exfiltrating sensitive data.
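An outbound filter of the kind described here inspects each message before it leaves the organization. The following is an added, simplified example and is not BIDMC's filter: it looks for Social Security number and medical record number patterns plus a few PHI keywords, blocks identifiers addressed outside the organization's own domain, holds keyword-only external mail for review, and masks identifiers before writing to its own log. The internal domain, the MRN format, the keyword list and the sample messages are constructed.

```python
import re
from typing import List, Tuple

# Constructed internal domain; anything else counts as external.
INTERNAL_DOMAIN = "example-hospital.invalid"

# US SSN shape: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Medical record number as written in the constructed sample traffic.
MRN_RE = re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE)
PHI_KEYWORDS = ("diagnosis", "lab results", "discharge summary")


def findings_for(body: str) -> List[str]:
    """Which sensitive-content categories appear in the message body."""
    hits = []
    if SSN_RE.search(body):
        hits.append("ssn")
    if MRN_RE.search(body):
        hits.append("mrn")
    lowered = body.lower()
    if any(k in lowered for k in PHI_KEYWORDS):
        hits.append("phi_keyword")
    return hits


def external_recipients(recipients: List[str]) -> List[str]:
    return [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]


def decide(recipients: List[str], body: str) -> Tuple[str, List[str]]:
    """Outbound policy: identifiers leaving the domain are blocked, keywords
    alone are held for review, and internal-only or clean mail passes."""
    hits = findings_for(body)
    if not external_recipients(recipients) or not hits:
        return "allow", hits
    if "ssn" in hits or "mrn" in hits:
        return "block", hits
    return "review", hits


def redact(body: str) -> str:
    """Mask identifiers so the filter's own log does not become a PHI store."""
    body = SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], body)
    return MRN_RE.sub("MRN [redacted]", body)


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        (["x@webmail.example"], "Patient SSN 123-45-6789, please bill"),
        (["a@example-hospital.invalid"], "Patient SSN 123-45-6789"),
        (["x@webmail.example"], "attached lab results for review"),
        (["x@webmail.example"], "lunch at noon?"),
    ]
    for rcpts, body in samples:
        action, hits = decide(rcpts, body)
        print(action, hits, "|", redact(body))
```

Pattern matching of this sort is a coarse control: it catches the common accidental cases (a spreadsheet of identifiers forwarded to a personal mailbox) and should be paired with the training and minimum-necessary access discussed above rather than relied on alone.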
Losing data in non-hacking incidents
Healthcare cybersecurity might be evolving and growing more intricate each day, but that does not mean that PHI cannot also be compromised in other ways.
Whether paper documents are lost while being transported to a shredder or a laptop is stolen from a physician’s office, PHI security needs to be considered on numerous fronts, according to Douglas and Innocenti.
“Organizations should know at all times how sensitive information is accessed, stored, and transmitted,” the duo urged. “That often requires knowing how each team or division uses data to do its jobs and fostering a culture of transparency.”
Physical safeguards are essential for healthcare organizations of all sizes, and no facility should assume that it is immune to such threats.
Just last week a potential healthcare data breach was reported by the California Correctional Healthcare Services when an unencrypted laptop was stolen from an employee’s personal vehicle. While the device was password-protected, it allegedly may have contained medical, mental health, and custodial information.
Additionally, Imperial Valley Family Care Medical Group reported that a laptop was taken from a physician’s office on March 21.
The device contained names, addresses, dates of birth, health information, Social Security numbers, driver’s license information, and California identification card information.