An independent guest blogger wrote this blog.
These days, effective cybersecurity in healthcare is as critical as ever. Last year, more than 32 million patients had their personal and medical information stolen in data breaches across the United States. While moves are being made, the fact remains that healthcare providers still have many holes to plug when it comes to the illegal or accidental outpouring of patient data.
The issue is that current problems need to be solved now before hackers move on to new, more advanced attack strategies. The good news is that there are many methods currently available to mitigate the chances of data leakage if medical professionals are proactive enough to enforce them.
HIPAA on the front lines
When patients visit the doctor, they expect to go to a safe place where their best interests are always the top priority. To foster that confidence, the Health Insurance Portability and Accountability Act was created to protect patient data while also giving patients control over who can see their information. Along with HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act encourages medical practices to ensure that all the technology they use is protected against wrongful data leakage.
Medical records contain an abundance of private information that can be used for any number of malicious means. Full medical records can often go for $1000 on the black market where the addresses, social security numbers, and financial information within can be used to create fake identification or take out large loans that can leave the patient in debt. If a hacker catches wind of a patient’s surgery date, they can even attempt to shut down hospital functions until a ransom is paid, like the $14K one paid by Columbia Surgical Specialists.
For these security reasons, and to retain the trust of patients, proper data security is essential, and it starts on the front lines. Nurse leaders should train their staff on how to properly maintain patient confidentiality. When discussing patients near the front desk, use first names only, and hold conversations behind a closed door or as quietly as possible. Hard copies of patient data should never be left lying around, and your printer should be set to print pages facing down. The last thing you need is to have security precautions in place but still allow a criminal to simply walk up and take private information out of the office.
Proper record keeping
Because hackers have so much to gain from stealing patient data, proper record-keeping is essential. Per HIPAA, medical records are required to be kept for between five and 10 years, depending on the state and the patient’s last treatment or discharge. If paperwork is to be discarded, it must be properly shredded. If you keep paper records, they must be stored in locked cabinets.
Databases of electronic records must be password protected and only accessible to specific parties who need the data to assist the patient. All data in these systems must also be encrypted, so the information would be unreadable even if a hacker were to gain access. Also, antivirus protection must be in full force with weekly scans and regular updates whenever a new version becomes available.
Hackers will try many methods to gain access to medical systems, including phishing emails sent to employees within a medical office with links or attachments that, when opened, create a doorway into your system through which hackers can extract patient information. While many industries are beginning to catch on to the risk of phishing emails, many health professionals make the job even easier for hackers by taking laptops and tablets out of the office and then losing track of them, so the hackers can just grab and go. According to reports, over 100,000 patients have had their medical data stolen in this fashion.
A new threat and a possible solution
The allure of medical data to individuals with malicious intent cannot be overstated, so hackers are always looking for new ways to get what they need. Cyber thieves are aware that medical establishments are not taking cybersecurity as seriously as they should. Because of this, they are more brazenly infecting seemingly innocent software that a staff member may install on their computer without having it inspected by the IT department. Unsanctioned software use of this kind is known as shadow IT.
The process begins innocently enough with an employee choosing to use a SaaS (Software as a Service) product such as Google Docs or DocuSign to make their job easier at work. However, they do not realize that the software may carry a virus or malware that could create a doorway into your network. That is why it is so vital that IT departments have blocks in place so that only authorized websites and products can be used. The same risk arises when a medical associate brings in their own device and connects it to a work computer. IT should block this access as well unless the equipment has been thoroughly inspected.
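As an added illustration of the "only authorized websites" control described above (example code written for this post, not from the original blog or any named vendor product), the following Python shows how an egress filter can decide whether a request goes to an approved SaaS host. The approved host list is a constructed assumption; the important detail is that the match is made on domain boundaries, so look-alike hosts and URLs that hide the real destination behind a username are rejected rather than passed by a naive substring check.

```python
from urllib.parse import urlsplit

# Constructed allowlist: assumed to be the SaaS products IT has actually
# authorised. Real deployments load this from managed configuration.
APPROVED_HOSTS = {"docs.google.com", "app.docusign.com"}


def host_is_approved(host: str, approved=APPROVED_HOSTS) -> bool:
    """True only if host equals an approved host or is a subdomain of one.

    Matching on a '.' boundary rejects look-alikes such as
    'docs.google.com.example', which a plain substring check would accept.
    """
    host = host.lower().rstrip(".")
    for allowed in approved:
        if host == allowed or host.endswith("." + allowed):
            return True
    return False


def request_is_allowed(url: str, approved=APPROVED_HOSTS) -> bool:
    """Decide whether an outbound request may proceed.

    Only HTTPS is permitted, and the decision is made on the parsed
    hostname, so 'https://docs.google.com@evil.example/' is evaluated
    as a request to evil.example, not to docs.google.com.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname
    if not host:
        return False
    return host_is_approved(host, approved)


def denied_requests(log_lines):
    """Run the policy over proxy log lines of the form '<user> <url>'
    and return the (user, url) pairs that should be blocked and reviewed."""
    denied = []
    for line in log_lines:
        user, _, url = line.strip().partition(" ")
        if url and not request_is_allowed(url):
            denied.append((user, url))
    return denied


if __name__ == "__main__":
    # Constructed sample log lines, not real traffic.
    sample = [
        "nurse01 https://docs.google.com/document/d/abc",
        "nurse02 https://docs.google.com.example/login",
        "clerk03 https://docs.google.com@evil.example/",
        "clerk04 http://app.docusign.com/",
    ]
    for user, url in denied_requests(sample):
        print(f"DENY {user} -> {url}")
```

The filter is deliberately allowlist-based: anything not explicitly approved is denied, which is the posture the post recommends for preventing unvetted SaaS from becoming a doorway into the network.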
While the tips listed above are a good start for proper healthcare security, they are still subject to employee error. The good news is that there is a promising solution on the horizon in the form of blockchain technology. Slowly growing in popularity, a blockchain contains numerous segments that hold patient information. The difference here is that the records cannot be modified without the patient’s acknowledgment, and the data can never be deleted from the chain. This is an ideal way to have transparency between patients and their doctors, along with security that they control.
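The property the post is pointing at, that records cannot be quietly modified or deleted, comes from chaining each record to the hash of the one before it. The Python below is an added example written for this post (not code from the original blog or from any blockchain product) that implements the minimal version of that idea: a single-party, append-only hash chain with no network or consensus layer. Corrections are modelled as new entries that reference the entry they amend, so the original is never overwritten; the patient-acknowledgment step the post mentions is not modelled. The patient identifiers and notes are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Entry:
    index: int            # position in the chain
    prev_digest: str      # digest of the previous entry (links the chain)
    record: dict          # the payload, e.g. a visit note
    amends: Optional[int] # index of an earlier entry this one corrects, if any
    digest: str           # SHA-256 over all of the fields above


def _digest(index: int, prev_digest: str, record: dict, amends: Optional[int]) -> str:
    # Canonical JSON so the same content always produces the same digest.
    payload = json.dumps(
        {"index": index, "prev": prev_digest, "record": record, "amends": amends},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class Ledger:
    GENESIS = "0" * 64  # digest the first entry links to

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, record: dict, amends: Optional[int] = None) -> Entry:
        """Add a record. Nothing already in the chain is touched."""
        index = len(self.entries)
        prev = self.entries[-1].digest if self.entries else self.GENESIS
        entry = Entry(index, prev, record, amends, _digest(index, prev, record, amends))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the index of the first entry that fails verification,
        or None if the whole chain is intact. Editing, deleting or
        reordering any entry breaks either its own digest or the link
        from the entry after it."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if (e.index != i or e.prev_digest != prev
                    or e.digest != _digest(i, e.prev_digest, e.record, e.amends)):
                return i
            prev = e.digest
        return None

    def current_view(self) -> List[Entry]:
        """Latest version of each record: an amendment supersedes the
        entry it references, but the superseded entry stays in the chain."""
        superseded = {e.amends for e in self.entries if e.amends is not None}
        return [e for e in self.entries if e.index not in superseded]


def demo_tamper_detection() -> Optional[int]:
    """Build a small chain, then edit an old entry in place (which the
    design forbids) and show that verification pinpoints it."""
    ledger = Ledger()
    ledger.append({"patient": "P-0001", "note": "Annual check-up"})        # constructed
    ledger.append({"patient": "P-0001", "note": "Allergy: penicillin"})    # constructed
    ledger.append({"patient": "P-0001", "note": "Allergy: none recorded"}, amends=1)
    assert ledger.verify() is None
    tampered = replace(ledger.entries[1], record={"patient": "P-0001", "note": "edited"})
    ledger.entries[1] = tampered
    return ledger.verify()  # -> 1


if __name__ == "__main__":
    print("first bad entry after tampering:", demo_tamper_detection())
```

Recomputing the edited entry's digest does not help an attacker either: the next entry still carries the old digest in `prev_digest`, so verification fails there instead. That is the whole of what "cannot be modified or deleted" means at the data-structure level; making the chain trustworthy across parties is the job of the consensus and access-control layers that a full blockchain adds on top.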
With so much data coming into hospitals and doctor’s offices every hour, effective cybersecurity must not be an afterthought but a guarantee. Regain the privacy of patient records and keep their trust for life.
Part 2 of this blog will dive deeper into blockchain technology in healthcare.