It’s no secret that the healthcare industry has quickly moved from paper to electronic health records, boosting productivity for healthcare professionals and accessibility for patients.
The ease of data accessibility holds immense potential for healthcare providers. However, as readers of this article likely know, with this ease of accessibility, the healthcare industry continues to report among the highest number of data breaches.
2016 marked an increase in these breaches, escalating hacking threats and rising financial settlements due to Health Insurance Portability and Accountability Act (HIPAA) violations. The most prominent sign of enhanced oversight was $23.5 million in payouts obtained by the Office for Civil Rights at the U.S. Department of Health and Human Services. That was triple the previous record of almost $8 million in 2014. This signals the arrival of a long-promised crackdown on HIPAA failings, and health institutions should be more concerned than ever about the security of their patient information.
From insider negligence (the leading cause of data breaches), to unencrypted medical devices, to the absence of BYOD policies or of their enforcement, to inadequate security defenses, the risks are high, and the implications of data breaches within the healthcare industry go well beyond the obvious financial damage. A breach can also erode consumer trust in an institution and damage an organization’s reputation and overall stability.
What can hospital executives do to minimize these risks, comply with security-related regulations and protect their institution’s confidential data? Following are three best practices to consider implementing:
1. People – Authentication is Essential. In a hospital, there are many people who “touch” patient data, from doctors and nurses to technicians and administrative staff. Adding to that complexity, employees likely use different endpoint devices in their work, including desktops, laptops, tablets and removable media. As a result, defining who has access to which kinds of information, and being able to track how and where that information is used and shared, is crucial. Implementing authentication – across users, devices and the network – supports this and bolsters efforts to ensure that sensitive information is not leaked.
Security technology, once implemented, can also inadvertently disrupt employee workflow. With devices often shared, and with new users being added and old ones removed all the time in hospitals, it’s important that any security measure introduced takes into account a “frictionless” user experience, both for the people who must follow it and for those who administer it. If something is too hard to follow, appears cumbersome or interrupts a user’s typical workflow, it is less likely to be adopted.
2. Policy – Establishment and Reinforcement is Vital. Having the proper security policy in place with clearly outlined processes – and ensuring the policy and processes are adhered to – is key. It should consider best practices on adoption capabilities (easy to interpret, implement and follow), employee education and training procedures (not just during new employee orientation but on a regular basis and including explanation regarding why staff need to do things a certain way, rather than just a list of rules), and accountability measures.
As part of a strong policy, it’s important to include and enforce good password guidelines, including ensuring employees do not use passwords that are similar to (or the same as) those they use for personal accounts. Imposing regular password changes can also make a big impact in the fight against data breaches.
In general, from a policy perspective, a good practice to follow is to continually reinforce the employee code of conduct.
3. Protection – Encryption is the Basis. There are a variety of ways to protect sensitive data, but encryption should be the foundation of any security and data leakage protection initiative. Hospitals should encrypt everything sensitive and confidential. This helps protect data not only from outside hackers but also from the risk within, whether intentional or by accident.
HIPAA requires that covered entities determine whether encryption is a “reasonable and appropriate” security measure to implement in their environment. If the Office for Civil Rights has a different interpretation of “reasonable and appropriate,” though, serious fines could follow. The best practice is to implement encryption to considerably decrease the risk of non-compliance. Although the Security Rule provides flexibility in implementing technical safeguards, there is no flexibility when it comes to the Breach Notification Rule. If stolen or lost data is not encrypted, covered entities must notify the Department of Health and Human Services, all affected individuals and, in some cases, even the state and local media. However, if lost or stolen data is encrypted and the covered entity has proof (audit logs), breach notification is not necessary.
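To make the “people” and “protection” recommendations concrete, the following Go program is an added example that is not from the article or from the author’s company. It ties together the three mechanisms the two sections describe: a role check on every read of patient data (who may access which kind of information), an audit entry for every access attempt, allowed or denied (the proof the article says a covered entity needs), and AES-256-GCM encryption of records at rest so that a lost or stolen copy without the key is unreadable and any tampering is detected. The role names, field classes and the permission table are assumptions made for the example, as is the sample patient record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Role is a hypothetical set of hospital roles (an assumption for this example).
type Role string

const (
	RoleClinician Role = "clinician"
	RoleBilling   Role = "billing"
	RoleITAdmin   Role = "it_admin"
)

// allowed maps a role to the record field classes it may read. The table is an
// assumption for the example; a real deployment derives it from its access policy.
var allowed = map[Role]map[string]bool{
	RoleClinician: {"clinical": true, "demographics": true},
	RoleBilling:   {"demographics": true, "billing": true},
	RoleITAdmin:   {}, // administers the system but reads no patient data
}

// AuditEntry records one access attempt, whether it was permitted or not.
type AuditEntry struct {
	When    time.Time
	User    string
	Role    Role
	Patient string
	Field   string
	Allowed bool
}

// Vault stores patient fields encrypted at rest with AES-256-GCM and keeps an
// append-only audit trail of every read attempt.
type Vault struct {
	aead  cipher.AEAD
	data  map[string]map[string][]byte // patient ID -> field class -> nonce||ciphertext
	Audit []AuditEntry
}

// NewVault builds a vault from a 32-byte key (AES-256).
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, data: map[string]map[string][]byte{}}, nil
}

// Store encrypts plaintext with a fresh random nonce. Patient ID and field class are
// bound as associated data, so a ciphertext cannot be silently moved to another
// patient or field without failing authentication on decrypt.
func (v *Vault) Store(patient, field string, plaintext []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := v.aead.Seal(nil, nonce, plaintext, []byte(patient+"/"+field))
	if v.data[patient] == nil {
		v.data[patient] = map[string][]byte{}
	}
	v.data[patient][field] = append(nonce, ct...)
	return nil
}

// Read enforces the role check, logs the attempt (allowed or denied), and only then
// decrypts. A modified ciphertext fails GCM authentication and returns an error.
func (v *Vault) Read(user string, role Role, patient, field string) ([]byte, error) {
	ok := allowed[role][field]
	v.Audit = append(v.Audit, AuditEntry{time.Now().UTC(), user, role, patient, field, ok})
	if !ok {
		return nil, errors.New("access denied")
	}
	blob, found := v.data[patient][field]
	if !found {
		return nil, errors.New("no such record")
	}
	ns := v.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("corrupt record")
	}
	return v.aead.Open(nil, blob[:ns], blob[ns:], []byte(patient+"/"+field))
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	// Constructed sample record; not real patient data.
	_ = v.Store("P-0001", "clinical", []byte("dx: constructed sample diagnosis"))
	if pt, err := v.Read("dr_smith", RoleClinician, "P-0001", "clinical"); err == nil {
		fmt.Printf("clinician read: %s\n", pt)
	}
	if _, err := v.Read("jane_billing", RoleBilling, "P-0001", "clinical"); err != nil {
		fmt.Println("billing read:", err)
	}
	for _, e := range v.Audit {
		fmt.Printf("%s user=%s role=%s patient=%s field=%s allowed=%t\n",
			e.When.Format(time.RFC3339), e.User, e.Role, e.Patient, e.Field, e.Allowed)
	}
	// What sits on disk is ciphertext; a stolen copy without the key reveals nothing.
	fmt.Println("at rest (first bytes):", hex.EncodeToString(v.data["P-0001"]["clinical"][:16]), "...")
}
```

The audit entry is written before the decision is acted on, so denied attempts are recorded as well as successful ones; that is the evidence an investigation needs to show what was and was not read. Key management (where the 32-byte key lives and who can reach it) is deliberately outside this example, and is the part of an encryption program that most often decides whether the “encrypted, so no notification” argument actually holds.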
With many of the hacked organizations being those in the healthcare industry, it’s essential to safeguard your institution from falling into that inauspicious bucket. By establishing, incorporating and following the practices described above around people, policy and protection, you can lower your risk of data breaches and, as a result, the financial and reputational risks that go along with them.
As Chief Operating Officer at WinMagic, Mark Hickman is responsible for direct and channel sales, marketing, professional services, and global business development. Prior to joining WinMagic, he held senior sales management positions with Computer Associates (CA), BEA Systems Inc., and RightNow Technologies.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.