The high cost of healthcare data breaches is enough to make any hospital administrator sick. On average, the cost for failing to protect patient information is $717,000 per incident.
Learning how to protect patient health information is nearly as troubling. The healthcare industry specializes in keeping people well, not in securing data networks.
As medical data breaches increasingly make the headlines, deciding how to secure your medical record data can be a daunting task.
In this article, we take a close look at 15 things you can do to help keep your data secure. Whether you are a hospital administrator or run your own dental practice, the steps we discuss can help protect your patient files.
Among the topics we will cover, you will learn how to:
- Get staff and management onboard with security awareness.
- Determine your data security vulnerabilities so you can fix them.
- Create a plan for hardening your data assets.
- Develop security policies.
- Choose the right technology to secure your networks.
- Avoid common mistakes that let hackers in.
- Find the right security experts to help accomplish your goals.
Feel better already? Let’s get started.
1. Develop a Security Culture Mindset
The first step toward improving your healthcare IT security has nothing to do with servers or software. It involves a greater challenge than your technology will ever present. It is building a security culture that permeates every level of your organization.
In other words, you are going to have to change attitudes.
You might think it will be easier to build security awareness within your organization after you have completed your security upgrade. In reality, without a commitment from managers, doctors, nurses, office staff, and vendors, you are wasting your time to even try.
The reason this is true lies in one inescapable fact:
The best technology and policies in the world cannot protect your data, if your people don’t follow the rules.
Making sure data security best practices are followed throughout your organization is a process, and it will take time, planning, and money to make it happen. While every organization is different, the basic steps toward greater data security are as follows:
- Make sure ownership and management are on board. A top-down initiative is necessary to overcome reluctance at lower levels of your organization.
- Educate stakeholders on the need to improve data security, and the risks of failing to do so.
- Inform stakeholders of the plan you expect to follow to strengthen data security, but explain that the plan may be modified along the way.
- Make it clear to employees that there may be changes in how they perform their jobs, but that compliance is mandatory.
- Help employees understand what data security means to patients, to the organization, and to their jobs.
- Stress the positive benefits of working in a security-conscious medical facility.
Letting everyone know about the following steps ahead of time will help prepare them to cooperate during the transition from legacy systems and outdated methods of handling patient information.
2. Perform a Security Risk Assessment
Once you have informed the organization that data security will be upgraded, it is time to bring in a reputable IT security company to perform a Security Risk Assessment. This is not a job your own IT department is likely to do well: a thorough evaluation of your operation requires specialized expertise that most IT technicians do not have.
In fact, you need to seek out a company that has experience in healthcare IT security. Both the U.S. and Europe have stringent laws regarding the handling and security of Protected Health Information (PHI). Your risk assessment provider must be familiar with these regulations in order to ensure your compliance and theirs.
A good risk assessment company will send a team of two or more security professionals into your facility. They will methodically study your systems and processes before making any recommendations.
The assessment process will require them to have access to your critical systems, and to configuration details your IT department may be reluctant to share. Full access and complete cooperation are necessary for the team to make an accurate assessment of your data security needs. Because the assessors will inevitably see PHI, put a non-disclosure agreement in place first (and, in the U.S., a business associate agreement, since a vendor that handles PHI on your behalf is a business associate under HIPAA).
The result of the assessment will be a detailed report; for a large organization it can run to hundreds of pages.
A greatly-abbreviated list of what the assessment team will look at might include:
- Non-existent or inadequate security policies and procedures.
- Lack of data encryption.
- Weak or reused passwords.
- Inadequate security software.
- Lack of hardware firewalls.
- Third-party vendor risks.
Depending on the size of your healthcare organization, the assessment may take from a few weeks to several months.
3. Develop a PHI Security Improvement Plan
You will use the recommendations of the risk assessment company as the basis for a PHI Security Improvement Plan. Yours might be called the IT Security Improvement Plan, or something similar. Whatever you choose to call it, this will be the master plan you follow in order to harden your data security methods.
The plan needs to include every suggestion made by the assessors, and a detailed step-by-step breakdown of the process you will follow.
At a minimum, your plan must include:
- A full list of changes recommended by the risk assessment team.
- A list of any additional recommendations from management.
- A list of requests or recommendations made by your IT department or IT service provider.
- A list of hardware and software you will need to purchase.
- A list of existing hardware and software you need to upgrade, replace, or remove.
- A list of third-party vendors needed to fulfill your plan.
- The vetting methods to be used in selecting vendors.
- Costs breakdown of every phase of the plan.
- Well-defined processes for transitioning with a minimum impact to daily operations.
- A complete description of training needs to accomplish the transition.
- Detailed timelines for each stage of the plan.
Creating your plan will be a lengthy and involved process. However, the plan is the roadmap toward implementing the changes you will make, so there is no benefit in cutting corners in its development.
4. Develop a Patient Privacy Policy
Government regulations control how you may and may not use and share your patient data. In addition, you have a legal obligation to inform your patients of the following:
- What information you collect from them.
- How you use that information.
- With whom you share patient information.
- Under what circumstances you share it.
- Depending on the laws of your country, state, and region, you might be obligated to also inform patients of their right to decide how you may handle their data.
Patient rights vary greatly from country to country, even from state to state within the U.S.
You will need to post your policy on your website, and have at least a summary of it posted conspicuously within your facility. Government or other regulatory agencies may impose further requirements on its content and placement.
5. Develop Security-Centric Workflow Processes
“Workflow” is one of the latest buzzwords. There are data-centric workflows, patient-centric workflows, document-centric workflows, and who knows what else.
Whether or not it is a buzzword, it is crucial that you adopt a security-centric workflow for your organization.
What I mean is this. You must examine every (yes, every) job within your healthcare facility to see where data security measures must be inserted in the job processes. A good risk assessment will identify most of these needs.
To help clarify, here are a few examples where changes in work processes might be necessary:
- Compartmentalizing data, so that each role can reach only what it needs, helps keep it secure. For example, personnel at the check-in desk should not have access to information beyond what is necessary to check the patient into the facility. Or, changes may need to be made so that clinical staff do not have access to patient payment information.
- Many breaches occur because hackers access employee emails. Look for opportunities where patient data might be unnecessarily included in emails, and eliminate them. Seek a more secure way for that data to be shared with authorized persons.
- Oddly enough, laptops stolen from the cars and homes of healthcare employees have accounted for hundreds of thousands of compromised medical records. Make whatever changes are needed to eliminate the opportunity for PHI to leave your facility on mobile devices or laptop computers, and require full-disk encryption on any device that must hold it: under U.S. Department of Health and Human Services guidance, the loss of properly encrypted data is not treated as a reportable breach.
Hardware and software, alone, do not make your data safe. You need work processes that have been thoroughly examined and fine-tuned to prevent opportunities for data breaches.
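The compartmentalization point above (check-in staff see only what check-in needs, billing never sees diagnoses) is a least-privilege rule that belongs in code, not just in policy. The following is an added example, not code from the original article: a field-level, deny-by-default filter on a patient record with an audit trail of what each role was granted and denied. The role names, field names and the sample record are assumptions made up for illustration; map them to your own EHR.

```python
"""Role-based, field-level access to a patient record (added example).

The roles, field names and the sample record below are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which fields each role may read. Anything not listed is denied.
ROLE_FIELDS = {
    "check_in":  {"mrn", "name", "dob", "appointment", "insurance_id"},
    "clinician": {"mrn", "name", "dob", "appointment", "diagnosis", "medications", "notes"},
    "billing":   {"mrn", "name", "dob", "insurance_id", "charges"},
}


@dataclass
class AccessLog:
    """Append-only list of who saw (and was refused) which fields."""
    entries: list = field(default_factory=list)

    def record(self, user, role, mrn, granted, denied):
        self.entries.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "mrn": mrn,
            "granted": sorted(granted), "denied": sorted(denied),
        })


def view_record(record, user, role, log):
    """Return only the fields `role` may see, and log the access.

    Deny by default: an unknown role gets an empty result, and every
    field present in the record but not permitted is logged as denied.
    """
    allowed = ROLE_FIELDS.get(role, set())
    granted = {k for k in record if k in allowed}
    denied = set(record) - granted
    log.record(user, role, record.get("mrn"), granted, denied)
    return {k: record[k] for k in granted}


# Constructed sample record for a fictional patient.
SAMPLE_RECORD = {
    "mrn": "MRN-000123", "name": "Pat Example", "dob": "1980-01-01",
    "appointment": "2024-05-01T09:00", "insurance_id": "INS-9876",
    "diagnosis": "hypertension", "medications": ["lisinopril"],
    "notes": "follow-up in 3 months", "charges": 125.00,
}

if __name__ == "__main__":
    log = AccessLog()
    for role in ("check_in", "clinician", "billing", "janitor"):
        print(role, sorted(view_record(SAMPLE_RECORD, "user1", role, log)))
    print(log.entries[-1])
```

The filter runs server-side on every read; doing it in the client (hiding columns in the UI) leaves the data one API call away. The denied list in the log is what lets you later spot a role that is repeatedly asking for fields it should not need.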
6. Train Staff on Security Best Practices
Whole books have been written on best practices for IT security. Moreover, the European Union's General Data Protection Regulation (GDPR) and similar compliance requirements force certain organizations to follow best practices with respect to data security.
You are not likely to train your clinic-level employees on the full scope of the GDPR. You can, however, train them to avoid the common mistakes that lead to data breaches.
Here are but a few best practices you might need to ingrain in your staff:
- Phishing Emails. Several major breaches occurred because clinic employees fell victim to phishing emails. These scams appear to be legitimate requests for the employee to verify account credentials. In other cases, emails include a link to a fake login page, which tricks employees into typing in their login credentials. In the process, they send account login information to a hacker. You must train your staff to recognize phishing attempts, and back that training up with multi-factor authentication so that a stolen password alone is not enough to log in.
- Leaving data exposed. In more than one case, employees leaving workstations unattended without logging off has compromised patient data.
- Timeouts. Make sure you have a policy that requires staff to log off when leaving a workstation, or have your IT department cause all sessions to timeout if there has been no activity within a few minutes.
Your risk assessment report will likely suggest plenty of other opportunities to improve employee risk awareness.
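Training reduces the number of times PHI ends up in an email (the point raised under security-centric workflows), but a technical check on outbound mail catches the cases training misses. The following is an added example, not code from the original article: a small outbound-mail scanner that flags patient identifiers and blocks the message only when it is leaving the organization. The identifier patterns, the internal domain and the sample messages are constructed assumptions; tune the patterns to the identifier formats your own systems actually issue.

```python
"""Outbound-mail check for PHI that should not be in email (added example).

Patterns, domain and sample messages are constructed for illustration.
"""
import re

# Hypothetical identifier formats. The MRN pattern assumes an EHR that
# issues numbers like "MRN-000123"; adjust it to your own scheme.
PATTERNS = {
    "mrn": re.compile(r"\bMRN-\d{6}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
}

# Domains the organization controls; mail that stays inside is lower risk.
INTERNAL_DOMAINS = {"clinic.example"}


def scan_message(sender, recipients, body):
    """Describe any PHI found and decide whether the mail may leave.

    A message is blocked when at least one PHI pattern matches and at
    least one recipient is outside INTERNAL_DOMAINS. Internal mail that
    contains PHI is allowed but still reported, so it can be reviewed.
    """
    hits = {name: pat.findall(body) for name, pat in PATTERNS.items()}
    hits = {name: found for name, found in hits.items() if found}
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    return {
        "sender": sender,
        "phi_found": hits,
        "external_recipients": external,
        "action": "block" if hits and external else "allow",
    }


# Constructed sample messages (sender, recipients, body).
SAMPLES = [
    ("nurse@clinic.example", ["lab@outside-lab.example"],
     "Please run the panel for MRN-000123, DOB 01/01/1980."),
    ("nurse@clinic.example", ["doctor@clinic.example"],
     "Patient MRN-000123 asked about results."),
    ("admin@clinic.example", ["vendor@outside.example"],
     "Invoice 4471 attached, no patient details."),
]

if __name__ == "__main__":
    for sender, recipients, body in SAMPLES:
        print(scan_message(sender, recipients, body))
```

A check like this belongs on the mail gateway, where it sees every message regardless of which client sent it. Expect false positives from regular expressions alone (any nnn-nn-nnnn number looks like an SSN); the "allow but report" path on internal mail is where you tune the patterns before letting them block anything.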
7. Develop Third-Party/Vendor PHI Compliance Requirements
Even the smallest dental practice must contract with outside service providers. When those providers' jobs expose them to healthcare networks, computers, or website backends, the risks to patient confidentiality and medical data must be evaluated and minimized.
In several notable cases where medical data was compromised, the breach resulted from carelessness on the part of a third-party service provider.
In fact, the GDPR heavily restricts how personal data may be shared with third parties, which has sharply curtailed the sale of personal information as a commodity.
Allowing third parties to access patient data even for legitimate purposes requires careful study of GDPR language, some head-scratching, and probably the advice of an attorney.
In the U.S., things are a bit less complicated. The Health Insurance Portability and Accountability Act (HIPAA) has similarly strict requirements. Even so, third-party service providers can usually satisfy HIPAA by signing a business associate agreement (BAA), which commits them to safeguarding PHI and makes them directly liable if they fail to.
Regardless of whatever regulatory requirements may apply in your situation, you are ultimately responsible for who you allow to access your networks and computers.
Whether it is a risk assessment company, a contract database engineer, or a contract IT service provider, you need a vetting process for picking your service providers.
Reference checks, time-in-business, and technical qualifications are the minimum considerations. You also have the right to request more-specific background checks on individual technicians or engineers who may be sent to your facility by your service provider.
Setting requirements that satisfy the law, and your own good judgment, is necessary. Equally important is that you write the vetting requirements for vendors into your policies.
8. Store Medical Data in the Cloud
The subject of cloud storage is for some, well…cloudy. The confusion lies in conflicting opinions on whether cloud storage is a pro or a con for data security.
Whatever the true answer is, here is some food for thought as you consider moving your client data to cloud storage:
- It is easier to secure and monitor one or two cloud servers than dozens or hundreds of PCs that store patient data.
- There are private and public clouds. A private cloud gives you more control, but you host and manage it yourself and carry the whole burden of securing it. A public cloud provider such as Amazon or IBM works under a shared-responsibility model: the provider secures the underlying infrastructure, and you remain responsible for how you configure access, encryption, and monitoring of your own data.
- Cloud storage is not immune from data breaches, and many publicized cloud breaches trace back to customer misconfiguration (publicly readable storage buckets, overly broad access rights) rather than to the provider. Done properly, though, it removes the local risks of unpatched file servers and PHI scattered across workstations.
Not all cloud service providers are the same. Major providers such as Amazon and IBM host government and military clients, if that makes you more comfortable using their services, and the major providers will sign a business associate agreement for healthcare customers; make that a condition of your contract.
9. Blockchain Technology and Medical Data
Blockchain and cloud storage are often thought to be the same thing. They are not.
Cloud storage is just that: storage, a place to keep your data. A blockchain is a replicated, append-only ledger in which every participant holds a copy and each new block carries the hash of the one before it, so that altering an old record is detectable.
Blockchains are sometimes described as the most secure method of storing data ever devised. That is a misunderstanding of what they protect. A blockchain gives you integrity (tamper evidence) and availability (many copies); it does not give you confidentiality. Data written to a public chain such as Ethereum is readable by everyone and is never encrypted unless you encrypt it yourself before writing it. And while the base protocols of the major public chains have held up well, the smart contracts that run on them have been breached repeatedly.
For PHI, this has three consequences:
- Confidentiality is your problem, not the chain's. Raw patient data must never be written to a blockchain. At most, store a hash or an encrypted pointer on-chain and keep the record itself in an access-controlled, encrypted store.
- Immutability cuts both ways. Medical records are corrected, and privacy laws such as the GDPR give patients the right to have data erased. Nothing can be erased from a chain, which is another reason only hashes belong there.
- Speed and cost do not favor blockchains. Appending to a replicated ledger is far slower and more expensive than writing to a conventional database, and public chains charge per transaction.
Where a blockchain, or a simpler hash-chained log you run yourself, genuinely helps is in making your audit trail tamper-evident: who accessed which record and when, recorded so that a later alteration of the log can be detected. If you are moving your PHI database to the cloud, treat encryption and access control as mandatory and blockchain as optional.
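The integrity property described above does not require a public blockchain. The following is an added example, not code from the original article, showing the same hash-chain construction applied to an access-audit log: each entry is hashed together with the previous hash, and only the latest hash (the "head") would be anchored somewhere the log writer cannot alter, such as a ledger or a write-once store. The entries hold a hash of the MRN rather than PHI. Entry contents and field names are constructed assumptions.

```python
"""Tamper-evident audit log using a SHA-256 hash chain (added example).

Entries and field names are constructed for illustration; only hashes
of identifiers are stored, never PHI.
"""
import hashlib
import json

GENESIS = "0" * 64  # the value the first entry chains to


def _digest(prev_hash, entry):
    # Canonical JSON so the same entry always hashes the same way.
    payload = prev_hash + json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditChain:
    def __init__(self):
        self.blocks = []  # each block: {"entry", "prev", "hash"}

    def append(self, entry):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        block = {"entry": entry, "prev": prev, "hash": _digest(prev, entry)}
        self.blocks.append(block)
        return block["hash"]

    def head(self):
        """The value you would anchor externally (ledger, WORM storage)."""
        return self.blocks[-1]["hash"] if self.blocks else GENESIS

    def verify(self):
        """Return (ok, index of the first inconsistent block or None)."""
        prev = GENESIS
        for i, b in enumerate(self.blocks):
            if b["prev"] != prev or _digest(prev, b["entry"]) != b["hash"]:
                return False, i
            prev = b["hash"]
        return True, None

    def recompute_from(self, index):
        """What a tamperer with write access to the log would do after
        editing an entry: rebuild every hash so the chain looks consistent."""
        prev = self.blocks[index - 1]["hash"] if index else GENESIS
        for b in self.blocks[index:]:
            b["prev"] = prev
            b["hash"] = _digest(prev, b["entry"])
            prev = b["hash"]


def demo():
    chain = AuditChain()
    mrn_hash = hashlib.sha256(b"MRN-000123").hexdigest()  # fictional MRN
    chain.append({"user": "nurse1", "action": "read", "mrn_hash": mrn_hash})
    chain.append({"user": "billing2", "action": "read", "mrn_hash": mrn_hash})
    anchored_head = chain.head()  # copied to a store the log writer cannot change

    result = {"clean": chain.verify()[0]}
    chain.blocks[0]["entry"]["user"] = "nobody"     # crude tampering
    result["after_edit"] = chain.verify()[0]        # caught: hash no longer matches
    chain.recompute_from(0)                         # careful tampering
    result["after_rehash"] = chain.verify()[0]      # chain is internally consistent again
    result["head_matches_anchor"] = chain.head() == anchored_head  # the anchor exposes it
    return result


if __name__ == "__main__":
    print(demo())
```

The last two results are the point: a hash chain alone only detects tampering by someone who cannot rewrite the whole log, so the head must be anchored outside the attacker's reach (that external anchor is all a blockchain contributes here).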
10. Encrypt All Patient Data
In the European Union, the GDPR names encryption as an example of an appropriate technical measure, and regulators expect to see it used for health data. In the U.S., the HIPAA Security Rule treats encryption of PHI at rest and in transit as an "addressable" specification: a covered entity must implement it unless it documents why encryption is not reasonable and appropriate in its environment.
If encryption is not used, say, because it would be too costly or too difficult to implement, an equivalent alternative measure must be implemented and the reasoning documented.
If the cost of encryption solutions for medical data seems prohibitive, consider these costs:
- In the event of a breach, if your data is found not to be encrypted, you face HIPAA civil penalties of up to $50,000 per violation.
- Organizations subject to the GDPR that fail to report a breach are subject to fines of up to 2% of annual global turnover.
- Canada's Montfort Hospital was sued for $40 million because of a data breach.
Properly encrypted medical data is useless to a thief who walks off with the disk, the backup tape, or a database dump, provided the keys are stored and managed separately from the data. Note the limit of that protection: an attacker who compromises an account or application that is authorized to decrypt will see plaintext, so encryption complements access control rather than replacing it. For that reason alone, you should make data encryption a requirement for your organization.
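"Keys managed separately from the data" is usually done with envelope encryption: each record is encrypted under its own data key, and the data keys are themselves encrypted under a master key that lives in a hardware security module or cloud key-management service and never reaches the database. The following is an added example, not code from the original article, using AES-256-GCM from the third-party `cryptography` package (install with `pip install cryptography`). The master key is generated in memory so the example runs offline, which is the one thing you would not do in production; the record contents are constructed.

```python
"""Envelope encryption of a patient record with AES-256-GCM (added example).

Requires the `cryptography` package. The master key is created in memory
here only so the demo runs offline; in production it stays in an HSM or KMS.
"""
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


def encrypt_record(master_key, record, record_id):
    """Encrypt `record` under a fresh per-record data key, then wrap that
    data key with the master key. Only ciphertexts are returned for storage."""
    data_key = AESGCM.generate_key(bit_length=256)
    plaintext = json.dumps(record, sort_keys=True).encode()
    nonce = os.urandom(12)
    # The record id is bound as associated data, so a ciphertext cannot be
    # silently moved from one patient's row to another's.
    ciphertext = AESGCM(data_key).encrypt(nonce, plaintext, record_id.encode())
    wrap_nonce = os.urandom(12)
    wrapped_key = AESGCM(master_key).encrypt(wrap_nonce, data_key, None)
    return {"record_id": record_id, "nonce": nonce, "ciphertext": ciphertext,
            "wrap_nonce": wrap_nonce, "wrapped_key": wrapped_key}


def decrypt_record(master_key, blob):
    """Unwrap the data key with the master key, then decrypt the record.
    Raises InvalidTag if either layer was tampered with or the key is wrong."""
    data_key = AESGCM(master_key).decrypt(blob["wrap_nonce"], blob["wrapped_key"], None)
    plaintext = AESGCM(data_key).decrypt(blob["nonce"], blob["ciphertext"],
                                         blob["record_id"].encode())
    return json.loads(plaintext)


def demo():
    master_key = AESGCM.generate_key(bit_length=256)  # stand-in for a KMS key
    record = {"name": "Pat Example", "diagnosis": "hypertension"}  # constructed
    blob = encrypt_record(master_key, record, "MRN-000123")
    out = {"roundtrip": decrypt_record(master_key, blob) == record,
           "plaintext_visible": b"hypertension" in blob["ciphertext"]}
    # A thief with the database but without the master key gets nothing:
    try:
        decrypt_record(AESGCM.generate_key(bit_length=256), blob)
        out["wrong_key_fails"] = False
    except InvalidTag:
        out["wrong_key_fails"] = True
    # Re-pointing the ciphertext at another patient's row is detected:
    moved = dict(blob, record_id="MRN-000999")
    try:
        decrypt_record(master_key, moved)
        out["swap_detected"] = False
    except InvalidTag:
        out["swap_detected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Because every record has its own data key, rotating the master key means re-wrapping a few kilobytes of keys, not re-encrypting the whole database, and revoking access to one record never exposes another.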
11. Contract with Medical Security Solutions Provider
Modern healthcare IT networks are complex combinations of workstations, servers, network components, and even Internet of Medical Things (IoMT) devices. Keeping your network online is the job of your IT department. Making sure your network is sufficiently hardened against attack should probably be the job of a security solution provider.
Just as you need an expert team to perform a risk assessment, you might need another to provide solutions to the problems they discover. Some companies offer both services. If you use one firm for both, be aware of the conflict of interest: an assessor that also sells remediation has an incentive to find the problems its own products fix.
What are the advantages of outsourcing your data security responsibilities? Many, but here are a few things to think about:
- Security experts are more effective than most IT departments at keeping systems secure.
- A medical IT security provider will be dedicated solely to keeping your data and network secure. Your IT department can then focus on keeping your network running, and taking care of routine maintenance issues.
- The cost of contracting with cybersecurity professionals is far less than you would pay out in fines, settlements, and in lost business if you get hacked.
12. Consider Custom Software Solutions
Most security providers come with their own suite of IT security software. However, if you choose to handle your security inhouse, you have to provide your own.
Think carefully before automatically looking for off-the-shelf security software. There are some excellent packages on the market, but there is a chance none will meet all of your needs.
If you find that some aspect of your operation is not covered by the features of your security software, a custom solution may be just what you need.
Finding a software development company to create a solution for you will take some research, but can be well worth the investment in time and money.
An outsource provider will assess your needs, and will then write software that satisfies your particular application.
When looking for a custom developer, use this basic list to identify the right one:
- Make sure the company has been in business for a few years. You don’t want your network to be anyone’s testbed.
- Ask if the vendor has experience writing code for the medical industry.
- Look for a company that has a team of developers, rather than a solo developer.
- Check references!
A versatile solution provider will be able to write code for PCs, servers, mobile apps, databases, blockchains, and cloud-based platforms. You never know what you will need, so look for a company that isn't just an app developer. Ask, too, how the vendor tests its own code for security (code review, dependency scanning, penetration testing) and who is responsible for patching it after delivery; custom software that nobody maintains becomes a liability of its own.
13. Develop an Incident Response Plan
Risk assessments, IT system upgrades, and Security Improvement Plans help to prevent you from being hacked. An Incident Response Plan kicks in if you are.
The response plan is a procedure that instructs staff and stakeholders on what to do if a data breach is suspected or confirmed.
At a minimum, your response plan should include the following:
- A definition of what constitutes a breach.
- How to report suspicious activity on the network.
- What happens when a breach has been verified.
- To whom a breach must be reported, internally and externally, and by when. The GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a breach, and the HIPAA Breach Notification Rule requires notifying affected individuals and HHS without unreasonable delay and no later than 60 days after discovery.
- Who is ultimately in charge of managing a breach.
- Who may talk with the press.
- How are affected patients notified, by whom, and when.
- How systems are isolated or shut down if a breach is detected.
- How evidence (logs, disk images, affected accounts) is preserved before systems are wiped or rebuilt, so that the scope of the breach can be established and reported accurately.
- What the process is for operating the clinic if the network must be shut down.
Various templates are available online to help you create a breach response plan.
14. Avoid These Common Errors
Your security assessment will reveal most everything you need to do in order to maximize your data security. But, sadly, many smaller healthcare providers and private practices are not able to justify the cost for a professional risk assessment.
If that includes you, take heart. There are still some things you can do to significantly reduce the odds of having a data breach. Here are a few, summarized from our discussion:
- Train your staff on recognizing phishing emails. And while you are at it, make sure your IT department never sends emails asking employees to verify their login credentials.
- Institute a password policy that requires a minimum length (12 characters or more) and screens new passwords against lists of known-breached passwords, and turn on multi-factor authentication wherever it is available.
- Force password changes when compromise is suspected rather than on a fixed 90-day schedule; current guidance (NIST SP 800-63B) advises against routine rotation because it pushes users toward weak, predictable variations of the old password.
- Keep all of your software patched, and include medical devices and network equipment in that, not just workstations.
- Do not allow employees to have PHI on laptops that they could remove from the facility.
- When contracting with technology vendors, select only those who have excellent reputations.
- Avoid contracting with individuals, and choose larger companies instead.
There is no substitute for a professional security risk assessment. However, performing these simple steps will significantly reduce your risk exposure.
15. Perform a Penetration Test
You have moved your patient data to a well-configured, encrypted cloud platform. You have top-notch cyber security software on your local machines. Your staff is trained and committed to keeping every patient's information secure. Done?
Not quite. A crucial step remains, if you are serious about keeping your patient data safe.
Assuring that your healthcare network is sufficiently hardened requires stress-testing the system to reveal any weak points. Despite your best efforts, vulnerabilities can remain hidden, just waiting to be exploited by cybercriminals.
In many cases, intruders gain entry and quietly steal patient data for months before being discovered.
One of the most effective ways to detect weaknesses in your healthcare IT system is to try to break into it. Since most healthcare organizations employ IT technicians rather than IT security experts, testing your system probably means hiring a professional.
While some risk assessment companies perform penetration tests, others do not. If yours doesn't, you will need to add this extra step. In either case, agree on the scope and rules of engagement in writing before testing starts: a test that touches live clinical systems or medical devices can disrupt patient care, so those are usually tested in a maintenance window or against a staging copy.
“White hat” hacking companies specialize in identifying deficiencies that “black hat” hackers could use to access their clients’ data. These services use the same advanced techniques as criminals to look for vulnerabilities, including:
- Probing your website and patient portal for SQL injection and other web application flaws.
- Testing employee responses to phishing emails.
- Password guessing and cracking.
- Testing for Wi-Fi exploits.
- Launching brute-force attacks on your system.
If a penetration test successfully breaches your system, the security experts will advise you on how to fix the problem. Have them retest after the fix, and repeat the whole exercise after any major change to your network or applications.
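SQL injection, the first item in the list above, is worth seeing concretely because the fix is so cheap. The following is an added example, not code from the original article: a patient lookup written the vulnerable way and the hardened way, run against an in-memory SQLite database so you can watch a tester's classic payload pull every row from the first and nothing from the second. The table, rows and payload are constructed; the same distinction applies to any SQL database and driver that supports bound parameters.

```python
"""Patient lookup: SQL injection beside the parameterized fix (added example).

Schema, rows and the attack string are constructed for illustration.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT, name TEXT, diagnosis TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", [
        ("MRN-000123", "Pat Example", "hypertension"),
        ("MRN-000124", "Sam Sample", "asthma"),
    ])
    return conn


def lookup_vulnerable(conn, mrn):
    # Deliberately vulnerable: the MRN is spliced into the SQL text, so
    # input containing a quote changes the query itself.
    sql = f"SELECT mrn, name, diagnosis FROM patients WHERE mrn = '{mrn}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, mrn):
    # Hardened: the MRN travels as a bound parameter and can only ever be
    # compared as data, never interpreted as SQL.
    sql = "SELECT mrn, name, diagnosis FROM patients WHERE mrn = ?"
    return conn.execute(sql, (mrn,)).fetchall()


# The tautology payload a tester would type into a portal's MRN field.
PAYLOAD = "x' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "vulnerable_rows_leaked": len(lookup_vulnerable(conn, PAYLOAD)),
        "safe_rows_returned": len(lookup_safe(conn, PAYLOAD)),
        "safe_normal_lookup": lookup_safe(conn, "MRN-000123")[0][1],
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable query becomes `WHERE mrn = 'x' OR '1'='1'`, which is true for every row. Parameter binding is the fix; escaping quotes by hand is not, because it has to be right in every code path and fails the moment a different column type or encoding is involved.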
How Ignite Can Help
Medical data security isn’t just big business. It’s your responsibility as a stakeholder in the healthcare industry. But knowing how to harden your networks without killing operational efficiency was not taught in medical school.
That is why you should know about Ignite. We are an outsource provider of custom software solutions for companies around the globe.
With R&D labs strategically located across Europe, we are well situated to develop your healthcare IT solution.
If the responsibility of keeping medical records safe from hackers is in your wheelhouse, contact us for a no-cost consultation.