10 effective ways to avoid a disastrous healthcare data breach
By Carly Yuk
The healthcare industry has long been a prime target for cybercriminals, with several major data breaches reported over the past few years.
Those who work in the sector are party to huge amounts of highly sensitive patient information including medical records, and recently the sector has placed a high priority on keeping that data safe.
The reasons why cybercriminals may instigate a healthcare data breach are obvious: hospitals, pharmacies, clinics, and doctors’ practices are goldmines of valuable information, housing large data sets of details that can be used to steal a person’s identity.
This information needs to be properly protected. However, the healthcare industry is known for poor security measures, meaning that a data breach is often an inevitable outcome.
According to Security Scorecard, the healthcare industry ranked 9th for overall data security in comparison to other industries. It is that lax attitude towards security procedures that can have devastating consequences for both patients and providers.
Considering the broad reach of the healthcare industry — almost every person will have a record in the system — it’s imperative that healthcare organisations take steps to reduce the possibility of a data breach. Here are ten essential actions to help organisations tighten their security:
1. Conduct a yearly security risk assessment
Taking into account all the changes that happen in an organisation within the space of 12 months, including new system integrations, infrastructure enhancements, organisational restructuring, and employee turnover, it is highly likely that new vulnerabilities will be introduced.
A yearly risk assessment forces providers to review their security protocols and system vulnerabilities, and to assess where their security measures need to improve.
2. Continue education on the impacts of a healthcare data breach
It’s important to accept that not everyone who works with healthcare data will be tech-savvy, understand the importance of being careful or have sufficient knowledge of the required security measures.
A lack of security awareness among your employees is the biggest risk of a breach, and one of the most difficult problems to solve.
Continuing to educate employees on the impacts of data breaches, and how to prevent them, is the first step towards enforcing best practice in the workplace. Every penny spent on educating your employees on data security is a huge investment in the future success of your organisation.
Employees must be engaged in contributing to a culture of security through a process of regular security awareness training, which should incorporate internal training sessions, day-to-day reminders, and visual workplace prompts.
Over time, as employees are educated and reminded of the implications of a healthcare data breach, the risk of a cyber attack should be drastically reduced.
3. Monitor devices and records
It’s important to consistently remind employees to be mindful of electronic devices (personal and professional), and any paper records left unattended.
In some cases, a healthcare data breach occurs because these items have been stolen from a home, office or a vehicle. Safeguarding patient information is everyone’s responsibility, and employees need to be reminded to do their part in keeping data safe.
4. Deploy encryption for all data and hardware
Encryption is one of the main ways to avoid a healthcare data breach. Despite there being significant hurdles to encryption, it’s ultimately one of the best methods of protecting data.
To ensure data cannot be read by anyone who is not authorised to see it, we recommend encrypting patient information both in transit and at rest. Additionally, protecting vulnerable hardware such as servers, network endpoints, mobile and medical devices will also be beneficial.
In retrospect, the cost of implementing data encryption is nothing compared to the cost of an actual healthcare data breach incident. The money spent on encryption is easily outweighed by forensics, legal fees, government penalties, potential lawsuits, and negative publicity, which can run into millions of pounds.
5. Restrict access to patient information
With so many people working in a healthcare environment, patient information is being accessed constantly.
For this reason, it's important to limit data access and carefully manage the identity of users. This can be achieved by only allowing users access to the information relating to their position.
A further way to control information access is to ensure that staff are aware of logging on/logging off procedures and they follow them on shared machines. These methods allow you to identify if a computer has been left unattended, or a system is left logged in.
Automating checks that these procedures are followed also helps create a ‘paper trail’, and makes things both more efficient and safer for everyone involved.
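A minimal illustration of the two controls above, written for this article and not code from the original post: a role-based check that records every access decision as an audit trail, and a scan over a constructed logon/logoff log that flags shared machines left logged in. The roles, record sections and log format are assumptions.

```python
"""Least-privilege access to patient records with an audit trail, plus a scan for
shared workstations left logged in. Added example; roles, record sections and the
log format are assumptions, not taken from the article."""
from datetime import datetime, timedelta

# Which parts of a patient record each role may read (assumed role model).
ROLE_SECTIONS = {
    "clinician": {"demographics", "clinical_notes", "prescriptions"},
    "billing": {"demographics", "insurance"},
    "reception": {"demographics"},
}

def access_record(audit, user, role, patient_id, section):
    """Allow only the sections mapped to the caller's role; log every decision,
    denied or allowed, so the audit list doubles as the 'paper trail'."""
    allowed = section in ROLE_SECTIONS.get(role, set())
    audit.append({"user": user, "role": role, "patient": patient_id,
                  "section": section, "allowed": allowed})
    if not allowed:
        raise PermissionError(f"{user} ({role}) may not read {section}")
    return f"<{section} for {patient_id}>"  # stand-in for the real record

# Constructed sample log, '<iso-time> LOGON|LOGOFF <workstation> <user>';
# ws-02 is never logged off.
SAMPLE_LOG = [
    "2024-05-01T09:00:00 LOGON ws-01 jdoe",
    "2024-05-01T09:05:00 LOGON ws-02 asmith",
    "2024-05-01T09:20:00 LOGOFF ws-01 jdoe",
]

def open_sessions(log_lines, now_iso, max_idle_minutes=15):
    """Return (workstation, user, minutes_open) for logons with no matching
    logoff that have been open longer than max_idle_minutes."""
    now = datetime.fromisoformat(now_iso)
    active = {}
    for line in log_lines:
        ts, event, ws, user = line.split()
        when = datetime.fromisoformat(ts)
        if event == "LOGON":
            active[ws] = (user, when)
        elif event == "LOGOFF" and active.get(ws, (None,))[0] == user:
            del active[ws]
    return [(ws, user, int((now - when).total_seconds() // 60))
            for ws, (user, when) in active.items()
            if now - when > timedelta(minutes=max_idle_minutes)]

if __name__ == "__main__":
    audit = []
    print(access_record(audit, "jdoe", "clinician", "P-1001", "clinical_notes"))
    print(open_sessions(SAMPLE_LOG, "2024-05-01T09:30:00"))  # [('ws-02', 'asmith', 25)]
```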
6. Subnet wireless networks
It’s becoming common for public areas to offer free wi-fi access for people, and a hospital is no different. Understandably, the key to this is giving patients what they want without allowing them access to the entire network where they could expose patient healthcare information and other sensitive data.
To provide patients and visitors with wi-fi access, creating separate subnets is the best way to avoid any conflict. A specific area of the network set aside for public use gives guest users only limited access.
Additionally, you can also create separate, more secure subnets for business applications, apps that touch patient healthcare information, and any app that involves credit card or monetary transactions.
7. Implement an airtight BYOD policy
The popularity of smart devices is increasing, and we’ll see many of these devices in healthcare to aid doctors who work remotely. While this may be convenient for physicians, it creates more security concerns for IT departments, who need to protect the data and manage external access to the healthcare environment.
Therefore, it is important to outline a ‘bring your own device’ policy, so that all employees and IT associates are aware of which devices are allowed to be used internally and externally from the organisation.
When considering a bring-your-own-device policy, it's important to broach these questions:
- How much support will be available for initial connections to your network from personally-owned devices?
- Will there be support from IT associates for broken devices or certain applications installed on personal devices?
- Will you offer loaner devices for employees if their phone or tablet is being serviced?
- Do you support a ‘wipe and reconfigure’ structure?
Providing a strict outline of the BYOD policy will emphasise the importance of the security measures required to avoid a healthcare data breach. It is vital that employees abide by the policy to safeguard against threats introduced through weaknesses in those devices.
8. Modernise IT Infrastructure
Though it’s common to see dated computer hardware in hospital environments, it’s important to keep the equipment secure. Chris Romeo has spent 20 years in the field of computer security and mentions that Windows XP is still alive and well in many hospitals.
However, with Microsoft having ceased support for this system, no new security patches are being made available, suggesting a healthcare data breach could be unavoidable for XP users.
He emphasises the importance of prioritising the healthcare data that is at risk. Hospitals are data banks of highly sensitive information, and if someone steals your confidential medical record, you can’t take that information out of circulation.
9. Invest in IT staff to defend these networks
It’s no secret that hospitals are in need of more nurses and doctors, but the same applies to those who support a hospital’s administration.
The value placed on the work of IT staff, and the importance of their preventative measures, should be second only to how highly hospital organisations value their medical data.
Kevin Mass, the Health Tech Guy, comments on how it’s important to hire a team to prevent cyber attacks, so that any chances of a healthcare data breach can be mitigated. A dedicated data protection team can also reiterate the seriousness of the matter by making sure staff are aware and vigilant against threats at all times.
10. Hire a good legal team
Most importantly, make sure you have a good legal representative on standby. In the event that you suffer a data breach, it’s better to prepare for the worst.
In cases of healthcare data breaches, law firms see opportunities to pursue significant damages for their claimants, given that there have been several serious cases in the last decade, many of which were preventable. It’s also likely that you’ll hear from lawyers representing patients, so be prepared.
Proving neglect can be difficult in some cases as even organisations in full compliance with the law have suffered security breaches.
Regardless of what happens, it’s better to accept the situation and deal with it with respect given the sensitive circumstances.
The biggest healthcare data breaches (so far)
If you’re still not convinced that you need to plan and structure your security operations correctly, take a look below at five of the most serious healthcare data breaches of the last decade:
The University of California, Los Angeles Health (July 2015)
How many affected: 4.5 million
Hackers managed to gain access to the records of 4.5 million patients at the UCLA healthcare organisation. And if that wasn’t bad enough, UCLA then admitted it had not encrypted any of its patient data, quickly triggering severe criticism from healthcare data breach experts.
TRICARE (September 2011)
How many affected: 4.9 million
In 2011, TRICARE’s data security provider, Science Applications International Corporation (SAIC), confessed to a healthcare data breach that affected around 4.9 million military clinic and hospital patients who were registered with the federal government’s military healthcare provider.
Shockingly, the data came from an SAIC employee’s car, and the victims of this particular data breach included retired military personnel and their families, as well as those on active service.
While no financial data was exposed, the sensitive information did include social security numbers, phone numbers, and home addresses.
Excellus Bluecross Blueshield (September 2015)
How many affected: 10 million
After many cyber attacks in early 2015, Excellus conducted a forensic review of their systems and discovered they had also been the victim of a cyber attack.
The attack claimed the private information of around 10 million members, making it the third-largest healthcare data breach to date.
The breach, which left sensitive information including medical data, social security numbers, and financial information exposed, could have occurred as far back as December 2013, and went two years without being noticed.
Premera Blue Cross (January 2015)
How many affected: 11+ million
The Premera Blue Cross cyberattack exposed the medical records of 11 million customers. The information accessed included bank account numbers, social security numbers, dates of birth, and information on patient claims.
The attack on Premera ranks as the second-largest healthcare data breach to date and occurred just six weeks after the discovery of the most significant healthcare data breach in history.
Anthem Blue Cross (January 2015)
How many affected: 78.8 million
It wasn’t a good start to 2015 for the healthcare industry as Anthem Blue Cross announced that 78.8 million patient records had been stolen.
The stolen information included names, social security numbers, home addresses, and dates of birth of Anthem health plan members.
This particular healthcare data breach was especially damaging for Anthem, as they also managed paperwork for several independent insurance companies.
Did we miss any key advice that your company follows to protect itself against data breaches? Comment below and give other businesses the chance to stop security breaches, and don’t forget to sign up for the Churchill Frank blog for all the latest news.