Contents
hide
Three of the Biggest Healthcare Data Breaches of 2018
- North Carolina-based Catawba Valley Medical Center has notified 20,000 patients that their private data was breached following three successful phishing attacks.
- The documents of an estimated 75,000 people were obtained at a breach of Healthcare.gov for Affordable Care Act registration, as per the Centers for Medicare and Medicaid Services.
- Accounts of two employees of the Minnesota Department of Human Services were reportedly hacked and this attack breached the records of 21,000 patient that too for more than one month.
“According to the Protenus Breach Barometer, 4.4 million patient records were compromised in 117 health data breaches in the third quarter of 2018”.
Why Patient Data is at Risk -
World Privacy Forum says that a medical record which includes- name, address, social security number, and health ID is considered much costlier than the credit card data, in the online black market. Each medical record can be traded for $50 in comparison to $3 for each credit card record. So how can hospitals, and administrators make sure that their patient data is in safe hands? what specific steps can be taken? With the increase of technology use and with intelligent cyber hackers are in action? It seems very difficult to protect patient data, but 100% of data security can be achieved if healthcare organization follow the following Principles.Patient Data Security Principles
-
Hire the Professional-
Life is too short to learn from your mistakes; so, learn from others or rather learn from a specialist. Most of the healthcare professional know what things need to be donebut the actual challenge is how things need to be done. For example, everybody knows that HIPAA guidelines must be followed but how this will be done needs a professional. This is where HIM professional plays a critical role, they not only monitor what is being pulled from EHR, but they also guide and monitor how this information has to be exposed to other systems and other entities. HIM professionals' role is critical in implementing HIPAA & other necessary compliance guideline and they make sure that healthcare entities should not have to pay penalties for failing to follow these compliances. -
Security Check Assessment-
If you know the enemy and know yourself, you need not to fear the result of a hundred battles. The quote is apt for patient data protection as well. You know that hackers are your enemy but knowing your own ecosystem inside out is equally important. Doing a risk assessment check helps in making the healthcare system more robust and safer. Security risk assessment should not be a one-time activity, but it should be done every year at least. -
Defined Policies-
Every healthcare entity needs a well-defined policy that their employees must follow in each step. These policies should be customized for each healthcare entity, as every entity has some customized needs. Again, HIM professionals can play a critical role in defining the standards and forming the policies. -
Its Everyone's Responsibility -
Every employee of healthcare organization should be taught that securing patient data is the responsibility of the complete organization and not only of IT resources. Every employee should understand why security is important, how data breach attempts can be made and what they can do to follow the security policy and to protect data. -
Have a Defined Budget for Data Security-
If any organization is really serious about the security of patient data then they must have defined budget for maintaining and improving patient data security. This budget must consider all the security measures that an organization has to take care of; in addition, the budget should also include the cost of training and development of resources on how they can be ready to fight & nullify data breach attempts. Without a defined budget, chances are very high that an organization will start feeling satisfied with the steps that they have already taken for data security, irrelevant to that fact that whether these steps are enough or not. -
Protected System Access-
Apart from being password protected; the systems should also be enabled for session time out, send alerts in case of login from a new system or new location. The system should prompt users to change their password at regular intervals, password patterns should be programmed for a difficult password. Password recovery system should be fully secured. A better approach can be two-way authentication access. Password plus biometric authentication or password plus passcode sent to user's mobile, authorized by the user in advance. -
Data Encryption-
Encrypting patient data whenever possible is a clear guideline in HIPAA. However, encryption should be done in a way that data can not be read by a person who accesses the system in an unauthorized manner. So, it has to be encrypted and then there should be a private decryption key so that, even if someone gets the access of the system; he/she can not decrypt or read the data easily. -
Remote Access Security-
Providers needs to be extremely careful about providing remote access to practice IT network. If the provider is using cloud-based EHR then cloud service provider protects the remote server and provider do not need to worry about information being sent to over the network. However, in this case also all precaution should be taken; because even a small mistake can lead to big blunders in the security. For example, if the login credentials are stolen then patient data will obviously come under risk. Security concerns are higher in case of client-server infrastructure, as in this case user accesses the practice network remotely and provider itself must build the security measures. Here two kinds of security risks need to be taken care of. First, if the user's private computer has any malware; to remove such risks, a robust firewall with antivirus plays a critical role in securing the data. Secondly, the risk persists when information floats through the network and to handle these experts have advised using a virtual private network (VPN). -
Role-Based System Access-
Every player of the healthcare ecosystem has a different role to play and has different importance in the ecosystem. As a major security measure, role-based access of system is highly advisable. So, a person should only be able to access data which is relevant for his/her work. Obviously, as we move up in the hierarchy the reach of access will need to be increased as well. For example, a receptionist only needs patient information for scheduling the appointment. So, from receptionist login; the system should not allow any user to access clinical or financial data. -
Prohibit Local Storage (& BYOD) of PHI (Protected Health Information)-
Today in the age of smart devices, BYOD is on the rise. This is especially true for smaller practices. Though it has some advantages but in comparison to associated risk, advantages can easily be compromised. If end users (nurses, physicians, etc.) can store the PHI in their devices then the risk of data breach is much higher, in comparison to centrally stored PHI. On the other hand, BYOD allows the users to take screenshots, preventing which can be extremely difficult and this can be a big loophole in the data security program. -
Proper Use of Audit Logs -
Most of the EHR software has Audit log feature, this is to log which user did what. This is a very important feature if used properly. Most of the practices do not use it as recommended; either they do not check it regularly or they allow employees to do the edits in the audit log. Audit logs should be automatically checked by software to find any abnormality, like login of the user in an unusual time or from a new location or device. Or attempt to access a module which is not relevant to the user. If implemented properly then Audit log can be a strong tool to stop data breach. -
Strong Agreement with Associates-
Healthcare practices deals with many associates, they can be business associates, software consultant, HIM professionals or offshore software vendors. Practices must expose PHI with their associates from time to time; in such cases, it is very important to have a very strict agreement in place so that their business associates should also understand the importance of keeping PHI confidential and should do their best to protect it. Apart from the agreement, practices should also put efforts to educate their business associates, so that they can understand why it is important to protect PHI. -
Backing Up the Data-
Practices should be ready for the worst and worst can have many faces like - server crash and complete data loss; someone hacked the data and now the original entity can’t access the data or any other technical glitch. In the client-server model, practices should have a mirror server where data should be backed up daily and in the case of the cloud-based model, data should be backed up offline. The backed-up data should also be encrypted properly, and all arrangement of data security should be done for the backed-up data also.