By Mark Hickman, COO, WinMagic
Given the rise of mobile computing and bring-your-own-device (BYOD) policies in healthcare, today patient data resides everywhere – desktops, laptops, smartphones, tablets and USB drives.
Gone are the days when personal health information lived solely in a giant filing cabinet. Although this shift has improved communication throughout the system, the once-straightforward process of protecting a patient's private health information has evolved into a complex and overwhelming undertaking.
According to recent industry research conducted by Ponemon, an independent institute for privacy, data protection and information security policy, 91 percent of healthcare organizations and 59 percent of their business associates have had at least one data breach involving the loss or theft of patient data in the past 24 months. This rise in data breaches shows no sign of slowing down. In fact, the Office for Civil Rights (OCR) reported 253 healthcare breaches in 2015, each affecting 500 or more individuals (the threshold at which a breach must be reported to OCR), for a combined loss of more than 112 million records.
When we refer to personal health information at risk, we’re not just talking about historical health records – the potential for a data breach casts a much wider net, including patient billing information, clinical trial data and even employee information like payroll numbers. With so much sensitive, unprotected data up for grabs, we’re inclined to ask ourselves – why?
Why does this keep happening, and what can we do to fix it?
Although there is no “quick-fix” solution to this growing problem, there are actions healthcare organizations can begin to take now that, over time, will help solve the data breach problem.
1. Encrypt everything
PHI is attractive to attackers because the personal and financial details in a medical record are easy to monetize. Health providers should therefore adopt two principles together: "encrypt everything" and disciplined key management, with the keys kept separate from the data they protect. A key stored on the same disk, drive or cloud bucket as the ciphertext gives a thief both at once. Isolating keys from encrypted data does not stop a device from being lost or a server from being breached, but it means that what the attacker obtains is ciphertext that cannot be read without a key held elsewhere, under the organization's control.
2. Enforce policies on lost or stolen devices
Forty-three percent of data breaches are due to lost or stolen devices, with smartphones and tablets outranking desktop and laptop computers as the devices most likely to go missing. There are numerous examples of employee negligence-related data leakage. At Oregon Health & Science University (OHSU) the PHI of approximately 1,000 patients was exposed when an unencrypted laptop was stolen from an employee’s car. In a separate breach, also at OHSU, the PHI of 14,000 patients was compromised when an unencrypted thumb drive was stolen from an employee who brought it home without authorization.
Even when devices are stolen, encryption can prevent data from getting into the wrong hands. Full-disk encryption protects a stolen device only when the key cannot be recovered from the device itself, which means pre-boot authentication with a strong credential rather than a key that unlocks automatically at power-on. This makes it vital for organizations not only to implement clearly defined procedures for protecting mobile and employee-owned devices, but also to enforce them.
3. Exercise caution when accessing foreign networks
In a Cisco report on BYOD, 59 percent of respondents who used smartphones to access PHI said the smartphones were not password protected, 53 percent accessed unsecured or foreign Wi-Fi networks, and 48 percent could not confirm whether they had disabled "discovery mode" on their Bluetooth devices and smartphones, which leaves those devices open to attack from anyone within radio range. Many healthcare roundtable participants also reported that it was not uncommon for doctors to email PHI to personal email addresses (a HIPAA violation), which opens yet another path to unencrypted PHI.
IT departments at healthcare organizations should enforce strict requirements for healthcare providers accessing PHI from mobile devices: a mandatory passcode and device encryption, remote wipe for lost devices, no PHI over untrusted networks without a VPN, and no PHI in personal email.
4. Beware of medical devices and mobile apps
Vet apps before they are installed, and inventory and monitor every piece of technology involved in the healthcare environment, including networked medical devices. Nearly 20 percent of breaches within the health sector are caused by insecure mobile apps and medical devices.
5. Data storage in the cloud
A third of healthcare organizations say that when it comes to data security, they are most concerned about the use of public cloud services. However, it is not just public services that should be of concern. Private cloud storage providers vary widely in which security measures they offer and how they implement them. Because HIPAA rules apply to business associates and their subcontractors or vendors, every cloud service provider that stores or processes PHI must sign a business associate agreement and contractually commit to HIPAA standards.
If healthcare organizations allow cloud-based applications such as enterprise file sync and share services, IT departments should ensure that a solution is in place that encrypts files at the endpoint before they are pushed to the cloud, so the provider only ever holds ciphertext and the keys stay under the organization's control.
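To make items 1 and 5 concrete, here is an added example (not WinMagic's code or product) of endpoint encryption with envelope-style key management in Go, using only the standard library: each file is encrypted on the device under a fresh data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) that never leaves a key server, and only the ciphertext plus the wrapped DEK is synced to the cloud. The KeyServer type, the file name and the patient record are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyServer stands in for a key-management service that holds the KEK.
// It never hands the KEK out; endpoints can only ask it to wrap or unwrap
// per-file DEKs. Hypothetical type, written for this example only.
type KeyServer struct{ kek []byte }

// NewKeyServer generates a random 256-bit KEK.
func NewKeyServer() (*KeyServer, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyServer{kek: kek}, nil
}

// Wrap encrypts a DEK under the KEK so it can be stored next to the ciphertext.
func (k *KeyServer) Wrap(dek []byte) ([]byte, error) { return sealGCM(k.kek, dek, []byte("dek-wrap")) }

// Unwrap recovers a DEK; it fails if the blob was wrapped under another KEK or altered.
func (k *KeyServer) Unwrap(w []byte) ([]byte, error) { return openGCM(k.kek, w, []byte("dek-wrap")) }

// Envelope is the only thing that leaves the endpoint: ciphertext plus the
// wrapped DEK. Neither part yields plaintext without the KEK on the key server.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// sealGCM encrypts with AES-256-GCM; a fresh random nonce is prefixed to the output.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM and rejects any ciphertext whose tag does not verify.
func openGCM(key, data, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// EncryptAtEndpoint runs on the device before anything is synced: generate a
// one-off DEK, encrypt the file with it, have the key server wrap the DEK,
// then zero the plaintext DEK so it never travels with the data.
func EncryptAtEndpoint(ks *KeyServer, fileName string, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	// The file name is bound as associated data, so a wrapped blob cannot be
	// swapped onto a different file without the tag failing.
	ct, err := sealGCM(dek, plaintext, []byte(fileName))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := ks.Wrap(dek)
	if err != nil {
		return Envelope{}, err
	}
	for i := range dek {
		dek[i] = 0
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptAtEndpoint is the inverse; only a device that can reach the key
// server holding the right KEK gets plaintext back.
func DecryptAtEndpoint(ks *KeyServer, fileName string, env Envelope) ([]byte, error) {
	dek, err := ks.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, env.Ciphertext, []byte(fileName))
}

func main() {
	ks, _ := NewKeyServer()
	record := []byte("MRN 000123; DOB 1970-01-01; Dx: hypertension") // constructed, not real PHI
	env, _ := EncryptAtEndpoint(ks, "patient-000123.txt", record)
	fmt.Printf("synced to cloud: %d bytes ciphertext + %d bytes wrapped DEK\n", len(env.Ciphertext), len(env.WrappedDEK))
	pt, err := DecryptAtEndpoint(ks, "patient-000123.txt", env)
	fmt.Println("with the right KEK:", string(pt), err)
	other, _ := NewKeyServer() // a thief holding the cloud copy but not the organization's KEK
	_, err = DecryptAtEndpoint(other, "patient-000123.txt", env)
	fmt.Println("with another KEK:", err)
}
```

The design point is the separation the text calls for: the cloud copy carries a wrapped key, but the KEK that unwraps it lives only on the key server, so a stolen bucket, sync folder or laptop image yields ciphertext and a blob that fails authentication under any other key. In a real deployment the KEK would sit in an HSM or a managed KMS and unwrap requests would be authenticated and logged.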
The time has come for healthcare organizations and their business associates to adopt stronger preventive security measures. Decision-makers must invest in internal strategies that can be widely implemented and enforced, such as security education and training for internal staff, restricting access to PHI to those whose role requires it, revising contracts with business associates and subcontractors to ensure that all practices meet federal requirements and, of course, encrypting everything.
For more information on ways healthcare organizations can improve their security practices, please visit: https://www.winmagic.com/healthcare/ebook