Tips for Securing Private Health Data
Protecting data in the healthcare industry is no easy feat. Healthcare providers and their business associates must balance protecting patient privacy while delivering quality patient care and meeting the strict regulatory requirements set forth by HIPAA and other regulations, such as the EU’s General Data Protection Regulation (GDPR). Because protected health information (PHI) is among an individual’s most sensitive (and for criminals, valuable) private data, the guidelines for healthcare providers and other organizations that handle, use, or transmit patient information include strict data protection requirements that come with hefty penalties and fines if they’re not met.
Rather than mandating the use of certain technologies, HIPAA requires covered entities to ensure that patient information is secure, accessible only by authorized persons, and used only for authorized purposes, but it’s up to each covered entity to determine what security measures to employ to achieve these objectives.
As a result of increasing regulatory requirements for healthcare data protection, healthcare organizations that take a proactive approach to implementing best practices for healthcare security are best equipped for continued compliance and at lower risk of suffering costly data breaches. In this guide, we’ll discuss 10 data protection best practices for healthcare organizations including:
Educating Healthcare Staff
Restricting Access to Data and Applications
Implementing Data Usage Controls
Logging and Monitoring Use
Encrypting Data
Securing Mobile Devices
Mitigating Connected Device Risks
Conducting Regular Risk Assessments
Utilizing Off-Site Data Backup
Carefully Evaluating the Compliance of Business Associates
Let’s take a look at the HIPAA Privacy and Security Rules and how these 10 best practices can help healthcare organizations maintain compliance while protecting sensitive health information.
HIPAA Privacy and Security Rules
HIPAA regulations have the biggest impact on healthcare providers in the U.S., although other regulations like the forthcoming GDPR have an impact on global operations. It’s up to healthcare providers and business associates to ensure that they’re up-to-date on the latest requirements and select vendors and business associates that likewise are in compliance with these regulations. HIPAA includes two key components related to healthcare data protection:
The HIPAA Privacy Rule relates primarily to operational situations, preventing providers and their business associates from using a patient’s PHI in ways not previously agreed upon by the patient and limiting the information that can be shared with other entities without prior authorization. The HIPAA Security Rule is focused more on the technical aspects of safeguarding personal health information and sets standards and regulations for how health information should be protected to ensure the integrity and confidentiality of healthcare data.
Increased Use of Electronic Health Records Drives Healthcare Risk and Data Breaches
According to research published in 2016 from the Ponemon Institute, criminal attacks have increased by 125% since 2010 and now represent the leading cause of healthcare data breaches. What’s more, healthcare organizations are largely unprepared to protect patient data against an ever-changing landscape of security threats.
Ponemon surveyed 91 entities covered by HIPAA as well as 84 business associates (vendors and other organizations that handle patient data), finding that 89% had experienced a healthcare data breach, and a full 50% of those breaches are attributable to criminal attacks. Most breaches were small, impacting fewer than 500 patient records, but some were large and quite costly. The average cost of a healthcare data breach impacting a healthcare organization between 2014 and 2015 was $2.2 million, while breaches impacting business associates averaged over $1 million.
To adequately protect data from cybercriminals, healthcare organizations and business associates must implement robust security measures to protect patient data from an increasing number and variety of threats. Vulnerabilities in wireless networks, for instance, offer an easy entry point for hackers, yet these networks are of critical importance to healthcare organizations, making it easier to access patient information and optimize the delivery of care.
How to Protect Healthcare Data
These best practices for healthcare cybersecurity aim to keep pace with the evolving threat landscape, addressing threats to privacy and data protection on endpoints and in the cloud, and safeguarding data while it’s in transit, at rest, and in use. This requires a multi-faceted, sophisticated approach to security.
1. Educate Healthcare Staff
The human element remains one of the biggest threats to security across all industries, but particularly in the healthcare field. Simple human error or negligence can result in disastrous and expensive consequences for healthcare organizations. Security awareness training equips healthcare employees with the requisite knowledge necessary for making smart decisions and using appropriate caution when handling patient data.
2. Restrict Access to Data and Applications
Implementing access controls bolsters healthcare data protection by restricting access to patient information and certain applications to only those users who require access to perform their jobs. Access restrictions require user authentication, ensuring that only authorized users have access to protected data. Multi-factor authentication is a recommended approach, requiring users to validate that they are in fact the person authorized to access certain data and applications using two or more validation methods including:
3. Implement Data Usage Controls
Protective data controls go beyond the benefits of access controls and monitoring to ensure that risky or malicious data activity can be flagged and/or blocked in real time. Healthcare organizations can use data controls to block specific actions involving sensitive data, such as web uploads, unauthorized email sends, copying to external drives, or printing. Data discovery and classification play an important supporting role in this process by ensuring that sensitive data can be identified and tagged to receive the proper level of protection.
4. Log and Monitor Use
Logging all access and usage data is also crucial, enabling providers and business associates to monitor which users are accessing what information, applications, and other resources, when, and from what devices and locations. These logs prove valuable for auditing purposes, helping organizations identify areas of concern and strengthen protective measures when necessary. When an incident occurs, an audit trail may enable organizations to pinpoint precise entry points, determine the cause, and evaluate damages.
5. Encrypt Data at Rest and in Transit
Encryption is one of the most useful data protection methods for healthcare organizations. By encrypting data in transit and at rest, healthcare providers and business associates make it more difficult (ideally impossible) for attackers to decipher patient information even if they gain access to the data. HIPAA offers recommendations but doesn’t specifically require healthcare organizations to implement data encryption measures; instead, the rule leaves it up to healthcare providers and business associates to determine what encryption methods and other measures are necessary or appropriate given the organization’s workflow and other needs.
Health IT Security outlines the two key questions that healthcare organizations should ask in determining an appropriate level of encryption and when encryption is needed, as recommended in the HHS HIPAA Security Series:
6. Secure Mobile Devices
Increasingly, healthcare providers and covered entities utilize mobile devices in the course of doing business, whether it’s a physician using a smartphone to access information to help them treat a patient or an administrative worker processing insurance claims. Mobile device security alone entails a multitude of security measures, including:
7. Mitigate Connected Device Risks
When you think of mobile devices, you probably think of smartphones and tablets. But the rise of the Internet of Things (IoT) means that connected devices are taking all kinds of forms. In the healthcare field, everything from medical devices like blood pressure monitors to the cameras used to monitor physical security on the premises may be connected to a network. To maintain adequate connected device security:
8. Conduct Regular Risk Assessments
While having an audit trail helps to identify the cause and other valuable details of an incident after it occurs, proactive prevention is equally important. Conducting regular risk assessments can identify vulnerabilities or weak points in a healthcare organization’s security, shortcomings in employee education, inadequacies in the security posture of vendors and business associates, and other areas of concern. By evaluating risk across a healthcare organization periodically to proactively identify and mitigate potential risks, healthcare providers and their business associates can better avoid costly data breaches and the many other detrimental impacts of a data breach, from reputation damage to penalties from regulatory agencies.
9. Back up Data to a Secure, Offsite Location
Cyberattacks can expose sensitive patient information but they can also compromise data integrity or availability – look no further than ransomware for an example of the impact these incidents can have. Even a natural disaster impacting a healthcare organization’s data center can have disastrous consequences if data isn’t properly backed up. That’s why frequent offsite data backups are recommended, with strict controls for data encryption, access, and other best practices to ensure that data backups are secured. Offsite data backups are an essential component of disaster recovery, too.
10. Carefully Evaluate the Security and Compliance Posture of Business Associates
Because healthcare information is increasingly transmitted between providers and among covered entities for the purposes of facilitating payments and delivering care, a careful evaluation of all potential business associates is one of the most crucial security measures healthcare organizations can take. The HIPAA Omnibus Rule strengthened the previous guidelines and clarified definitions of business associates, providing better guidance on the relationships in which contracts are required. The HIPAA Survival Guide summarizes these clarifications and changes including:
As is clear from the above clarifications, the privacy and security requirements for HIPAA compliance hinge not only on the activities conducted by a healthcare organization itself, but also by any ancillary organizations that it conducts business with and third-party services it utilizes. In other words, one organization’s compliance relies substantially on its ability to choose and partner with vendors that engage in similarly robust healthcare data protection measures. What’s more, healthcare organizations that take data protection seriously should recognize that while HIPAA and other regulatory compliance initiatives are a good starting place for building a data protection program and avoiding costly penalties, efforts should go beyond compliance to ensure that sensitive data is protected against today’s threats.