Protecting data in the healthcare industry is no easy feat. Healthcare providers and their business associates must balance protecting patient privacy while delivering quality patient care and meeting the strict regulatory requirements set forth by HIPAA and other regulations, such as the EU’s General Data Protection Regulation (GDPR). Because protected health information (PHI) is among an individual’s most sensitive (and for criminals, valuable) private data, the guidelines for healthcare providers and other organizations that handle, use, or transmit patient information include strict data protection requirements that come with hefty penalties and fines if they’re not met.
Rather than mandating the use of certain technologies, HIPAA requires covered entities to ensure that patient information is secure, accessible only by authorized persons, and used only for authorized purposes, but it’s up to each covered entity to determine what security measures to employ to achieve these objectives.
As a result of increasing regulatory requirements for healthcare data protection, healthcare organizations that take a proactive approach to implementing best practices for healthcare security are best equipped for continued compliance and at lower risk of suffering costly data breaches. In this guide, we’ll discuss 10 data protection best practices for healthcare organizations including:
- Educating Healthcare Staff
- Restricting Access to Data and Applications
- Implementing Data Usage Controls
- Logging and Monitoring Use
- Encrypting Data
- Securing Mobile Devices
- Mitigating Connected Device Risks
- Conducting Regular Risk Assessments
- Utilizing Off-Site Data Backup
- Carefully Evaluating the Compliance of Business Associates
Let’s take a look at the HIPAA Privacy and Security Rules and how these 10 best practices can help healthcare organizations maintain compliance while protecting sensitive health information.
HIPAA Privacy and Security Rules
HIPAA regulations have the biggest impact on healthcare providers in the U.S., although other regulations like the forthcoming GDPR have an impact on global operations. It’s up to healthcare providers and business associates to ensure that they’re up-to-date on the latest requirements and select vendors and business associates that likewise are in compliance with these regulations. HIPAA includes two key components related to healthcare data protection:
- The HIPAA Security Rule – Focuses on securing the creation, use, receipt, and maintenance of electronic personal health information by HIPAA-covered organizations. The Security Rule sets guidelines and standards for administrative, physical, and technical handling of personal health information.
- The HIPAA Privacy Rule – Requires safeguards to protect the privacy of personal health information including medical records, insurance information, and other private details. The Privacy Rule limits what information may be used (and in what manner) and disclosed to third parties without prior patient authorization.
The HIPAA Privacy Rule relates primarily to operational situations, preventing providers and their business associates from using a patient’s PHI in ways not previously agreed upon by the patient and limiting the information that can be shared with other entities without prior authorization. The HIPAA Security Rule is focused more on the technical aspects of safeguarding personal health information and sets standards and regulations for how health information should be protected to ensure the integrity and confidentiality of healthcare data.
Increased Use of Electronic Health Records Drives Healthcare Risk and Data Breaches
According to research published in 2016 from the Ponemon Institute, criminal attacks have increased by 125% since 2010 and now represent the leading cause of healthcare data breaches. What’s more, healthcare organizations are largely unprepared to protect patient data against an ever-changing landscape of security threats.
Ponemon surveyed 91 entities covered by HIPAA as well as 84 business associates (vendors and other organizations that handle patient data), finding that 89% had experienced a healthcare data breach, and a full 50% of those breaches are attributable to criminal attacks. Most breaches were small, impacting fewer than 500 patient records, but some were large and quite costly. The average cost of a healthcare data breach impacting a healthcare organization between 2014 and 2015 was $2.2 million, while breaches impacting business associates averaged over $1 million.
To adequately protect data from cybercriminals, healthcare organizations and business associates must implement robust security measures to protect patient data from an increasing number and variety of threats. Vulnerabilities in wireless networks, for instance, offer an easy entry point for hackers, yet these networks are of critical importance to healthcare organizations, making it easier to access patient information and optimize the delivery of care.
How to Protect Healthcare Data
These best practices for healthcare cybersecurity aim to keep pace with the evolving threat landscape, addressing threats to privacy and data protection on endpoints and in the cloud, and safeguarding data while it’s in transit, at rest, and in use. This requires a multi-faceted, sophisticated approach to security.
1. Educate Healthcare Staff
The human element remains one of the biggest threats to security across all industries, but particularly in the healthcare field. Simple human error or negligence can result in disastrous and expensive consequences for healthcare organizations. Security awareness training equips healthcare employees with the requisite knowledge necessary for making smart decisions and using appropriate caution when handling patient data.
2. Restrict Access to Data and Applications
Implementing access controls bolsters healthcare data protection by restricting access to patient information and certain applications to only those users who require access to perform their jobs. Access restrictions require user authentication, ensuring that only authorized users have access to protected data. Multi-factor authentication is a recommended approach, requiring users to validate that they are in fact the person authorized to access certain data and applications using two or more validation methods including:
- Information known only to the user, such as a password or PIN number
- Something that only the authorized user would possess, such as a card or key
- Something unique to the authorized user, such as biometrics (facial recognition, fingerprints, eye scanning)
3. Implement Data Usage Controls
Protective data controls go beyond the benefits of access controls and monitoring to ensure that risky or malicious data activity can be flagged and/or blocked in real time. Healthcare organizations can use data controls to block specific actions involving sensitive data, such as web uploads, unauthorized email sends, copying to external drives, or printing. Data discovery and classification play an important supporting role in this process by ensuring that sensitive data can be identified and tagged to receive the proper level of protection.
4. Log and Monitor Use
Logging all access and usage data is also crucial, enabling providers and business associates to monitor which users are accessing what information, applications, and other resources, when, and from what devices and locations. These logs prove valuable for auditing purposes, helping organizations identify areas of concern and strengthen protective measures when necessary. When an incident occurs, an audit trail may enable organizations to pinpoint precise entry points, determine the cause, and evaluate damages.
5. Encrypt Data at Rest and in Transit
Encryption is one of the most useful data protection methods for healthcare organizations. By encrypting data in transit and at rest, healthcare providers and business associates make it more difficult (ideally impossible) for attackers to decipher patient information even if they gain access to the data. HIPAA offers recommendations but doesn’t specifically require healthcare organizations to implement data encryption measures; instead, the rule leaves it up to healthcare providers and business associates to determine what encryption methods and other measures are necessary or appropriate given the organization’s workflow and other needs.
Health IT Security outlines the two key questions that healthcare organizations should ask in determining an appropriate level of encryption and when encryption is needed, as recommended in the HHS HIPAA Security Series:
- In order to prevent unauthorized access to ePHI (either by unauthorized persons or applications), what data should be encrypted and decrypted?
- What methods of decryption and encryption are necessary, reasonable, and appropriate in the context in order to prevent unauthorized persons and applications from gaining access to sensitive health information?
6. Secure Mobile Devices
Increasingly, healthcare providers and covered entities utilize mobile devices in the course of doing business, whether it’s a physician using a smartphone to access information to help them treat a patient or an administrative worker processing insurance claims. Mobile device security alone entails a multitude of security measures, including:
- Managing all devices, settings, and configurations
- Enforcing the use of strong passwords
- Enabling the ability to remotely wipe and lock lost or stolen devices
- Encrypting application data
- Monitoring email accounts and attachments to prevent malware infections or unauthorized data exfiltration
- Educating users on mobile device security best practices
- Implementing guidelines or whitelisting policies to ensure that only applications meeting pre-defined criteria or having been pre-vetted can be installed
- Requiring users to keep their devices updated with the latest operating system and application updates
- Requiring the installation of mobile security software, such as mobile device management solutions
7. Mitigate Connected Device Risks
When you think of mobile devices, you probably think of smartphones and tablets. But the rise of the Internet of Things (IoT) means that connected devices are taking all kinds of forms. In the healthcare field, everything from medical devices like blood pressure monitors to the cameras used to monitor physical security on the premises may be connected to a network. To maintain adequate connected device security:
- Maintain IoT devices on their own separate network
- Continuously monitor IoT device networks to identify sudden changes in activity levels that may indicate a breach
- Disable non-essential services on devices before using them, or remove non-essential services entirely before use
- Use strong, multi-factor authentication whenever possible
- Keep all connected devices up-to-date to ensure that all available patches are implemented
8. Conduct Regular Risk Assessments
While having an audit trail helps to identify the cause and other valuable details of an incident after it occurs, proactive prevention is equally important. Conducting regular risk assessments can identify vulnerabilities or weak points in a healthcare organization’s security, shortcomings in employee education, inadequacies in the security posture of vendors and business associates, and other areas of concern. By evaluating risk across a healthcare organization periodically to proactively identify and mitigate potential risks, healthcare providers and their business associates can better avoid costly data breaches and the many other detrimental impacts of a data breach, from reputation damage to penalties from regulatory agencies.
9. Back up Data to a Secure, Offsite Location
Cyberattacks can expose sensitive patient information but they can also compromise data integrity or availability – look no further than ransomware for an example of the impact these incidents can have. Even a natural disaster impacting a healthcare organization’s data center can have disastrous consequences if data isn’t properly backed up. That’s why frequent offsite data backups are recommended, with strict controls for data encryption, access, and other best practices to ensure that data backups are secured. Offsite data backups are an essential component of disaster recovery, too.
10. Carefully Evaluate the Security and Compliance Posture of Business Associates
Because healthcare information is increasingly transmitted between providers and among covered entities for the purposes of facilitating payments and delivering care, a careful evaluation of all potential business associates is one of the most crucial security measures healthcare organizations can take. The HIPAA Omnibus Rule strengthened the previous guidelines and clarified definitions of business associates, providing better guidance on the relationships in which contracts are required. The HIPAA Survival Guide summarizes these clarifications and changes including:
- The conduit exception applies to organizations that transmit PHI but do not maintain and store it. Organizations that merely transmit data are not considered business associates, while those that maintain and store PHI are considered business associates.
- Third-party applications and services such as Google Apps are considered business associates when those services or apps are used to maintain PHI. In such cases, the third-party service would be considered a business associate, and therefore, a contract would be required. The HIPAA Survival Guide aptly points out that as more organizations make use of the cloud, they should be mindful of all instances that would make a vendor a business associate and the likelihood of those vendors to enter into the required contract.
- Any subcontractors who create or maintain PHI are subject to compliance regulations. This change alone has a substantial trickle-down effect and is a serious consideration for all healthcare organizations.
- All covered entities must obtain “satisfactory assurances” from all vendors, partners, subcontractors, and the like that PHI will be adequately protected. Liability follows PHI wherever it travels.
- There are some exceptions. As the HIPAA Survival Guide explains, “in general, a person or entity is a Business Associate only in cases where the person or entity is conducting a function or activity regulated by the HIPAA Rules on behalf of a Covered Entity, such as payment or healthcare operations; therefore a researcher is NOT automatically a Business Associate of a Covered Entity despite the fact that it may be using the Covered Entity's Protected Health Information.”
As is clear from the above clarifications, the privacy and security requirements for HIPAA compliance hinge not only on the activities conducted by a healthcare organization itself, but also by any ancillary organizations that it conducts business with and third-party services it utilizes. In other words, one organization’s compliance relies substantially on its ability to choose and partner with vendors that engage in similarly robust healthcare data protection measures. What’s more, healthcare organizations that take data protection seriously should recognize that while HIPAA and other regulatory compliance initiatives are a good starting place for building a data protection program and avoiding costly penalties, efforts should go beyond compliance to ensure that sensitive data is protected against today’s threats.
