Data security is now one of the top aspects of healthcare technology. It can make or break patient satisfaction and institutional reputation. Healthcare providers have a professional obligation not only to care for their patients’ health but also to protect their patients’ data.
Cybercrime is on the rise against the sector because healthcare providers are often seen as easy targets with valuable information and insufficient security to protect it.
While several endpoint security tools can reduce data risk through detection and response methods, the most effective measures should be taken on the front line where staff members handle devices and sensitive information. Implementing a few simple best practices can significantly reduce risk.
Valuable and vulnerable data in an increasingly risky landscape
A recent report found that healthcare organizations experienced twice the number of attacks compared to other vertical market categories. Fortinet also noted that healthcare providers are primary targets because they are rich with data and typically lack sufficient cybersecurity, and because medical identity fraud typically takes longer to detect.
Healthcare records can fetch up to $7 per full record on the dark web versus pennies for credit cards. These records often offer a treasure trove of data, including birth dates and Social Security numbers. With this information, criminals can open new accounts and perpetrate financial fraud. In addition, sickly and terminally ill patients rarely pull their credit reports, which gives perpetrators more time to commit fraud before anyone notices.
Ransomware, in particular, is a growing threat. According to Cryptonite’s 2017 Healthcare Cyber Research Report, ransomware attacks against healthcare institutions grew by nearly 90% from 2016 to 2017. In these attacks, hackers encrypt the victim’s files and hold them for ransom. Because healthcare providers work in life-and-death matters and can’t afford to delay access, they are more likely than other victims to pay. For example, last year, a ransomware attack at a 602-bed hospital took down 6,000 computers for more than six weeks. During that time, staff had to conduct patient registration manually, write prescriptions by hand and deliver lab results by messenger service. It ultimately cost the facility $10 million in losses and IT recovery costs.
As cyberattacks become more complex and sophisticated, it’s not easy to institute a foolproof impenetrable security plan. Robust security suites, password protection, encryption and backup can help reduce the risk, but they do little good if criminals can exploit vulnerabilities on the human end of the system.
Here are a few best practices that can help strengthen your data security and protect patient information:
Establish strong security policies and educate staff
As end users are typically the weakest link, they also have the potential to make the biggest difference in cybersecurity. Providers must establish strong computing and security policies that include guidelines for internet usage and procedures for downloading and opening files, and that emphasize the physical security of devices.
Healthcare providers should also train and test staff on how to identify social engineering and phishing scams, as many are so cleverly designed they’re difficult to catch. The Media Pro 2017 State of Privacy and Security Awareness Report found that at least 24% of physicians couldn’t distinguish phishing emails from legitimate ones. Overall, nearly 80% of healthcare employees showed at least some lack of preparedness in regard to privacy and security threats.
Set automatic updates and don’t leave computers unprotected
Ensuring that all devices and browsers are set for automatic updates can go a long way in reducing the risk. Many breaches now happen because systems don’t have the latest patches installed. An alarming number of business machines run outdated software and lack even basic virus protection. A report by Bitsight found that 15% of computers in the healthcare sector were running outdated versions of Windows or MacOS operating systems. In addition, 16% were also running outdated internet browsers.
Don’t leave sensitive data lying around
While it’s bad practice to leave PHI or sensitive data lying around for prying eyes, it’s a common practice in many offices. In the age when nearly everyone has a smartphone and can quickly snap images, then store and send information to anyone else, a stack of files sitting on a desk can present a big risk.
In many cases, the biggest threats may not come from the public but from unscrupulous co-workers. In one incident in a New York City ER, a clerk was recently discovered to have captured the PHI of nearly 100 patients and sold it to an outsider for fraudulent purposes.
Lock devices when not in use
An unlocked device is no different than an unlocked safe door. Without basic password protection or a screen lock, anyone can use it and gain access to sensitive files. Many employees may believe they’re in a secure environment, and many have sloppy security practices in their own lives. A report by Pew Research Center found that 28% of smartphone owners have no lock on their phone. Nearly 40% of adults say they use the same or very similar passwords across sites, and 41% of adults have shared their passwords with someone.
Healthcare providers can increase their security and reduce the risk of prying eyes, from both their staff and outsiders, by ensuring that all phones, laptops, desktops, tablets and screen-based IoT devices are locked when not in use. Smartphones and other untethered devices should also be placed in locked drawers or lockers after hours.
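The two controls above, automatic updates and a password-protected screen lock, can be checked on a Windows workstation with a short audit script. This is an added example, not from the article; the registry paths are the standard Windows policy locations, and the 15-minute lock threshold is an assumption for illustration, not a figure from the article.

```powershell
# Added audit script (not from the article): reports whether a Windows workstation
# has automatic updates enabled and a password-protected screen lock.
# Assumption: a lock after 15 minutes of inactivity is acceptable for this check.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

function Add-Finding([string]$Control, [string]$Status, [string]$Detail) {
    $script:findings += [pscustomobject]@{ Control = $Control; Status = $Status; Detail = $Detail }
}
$script:findings = @()

# 1. Automatic updates: the Windows Update policy key, plus the service itself.
$au     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$noAuto = Get-RegValue $au 'NoAutoUpdate'   # 1 = updates disabled by policy
$auOpt  = Get-RegValue $au 'AUOptions'      # 4 = download and install on a schedule
$wu     = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($noAuto -eq 1) {
    Add-Finding 'AutoUpdate' 'FAIL' 'NoAutoUpdate=1 (automatic updates disabled by policy)'
} elseif ($auOpt -eq 4) {
    Add-Finding 'AutoUpdate' 'PASS' "AUOptions=$auOpt (automatic download and scheduled install)"
} else {
    Add-Finding 'AutoUpdate' 'WARN' 'No scheduled-install policy found; verify device-management settings'
}
if ($null -eq $wu -or $wu.StartType -eq 'Disabled') {
    Add-Finding 'WUService' 'FAIL' 'Windows Update service (wuauserv) missing or disabled'
}

# 2. Screen lock: machine-wide inactivity limit, or a secure screen saver for this user.
$maxIdle    = 15 * 60   # assumed threshold, in seconds
$inactivity = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
$desk       = 'HKCU:\Control Panel\Desktop'
$ssActive   = Get-RegValue $desk 'ScreenSaveActive'
$ssSecure   = Get-RegValue $desk 'ScreenSaverIsSecure'   # '1' = password required on resume
$ssTimeout  = Get-RegValue $desk 'ScreenSaveTimeOut'     # seconds, stored as a string
if ($inactivity -and [int]$inactivity -le $maxIdle) {
    Add-Finding 'ScreenLock' 'PASS' "Machine inactivity limit = $inactivity s"
} elseif ($ssActive -eq '1' -and $ssSecure -eq '1' -and $ssTimeout -and [int]$ssTimeout -le $maxIdle) {
    Add-Finding 'ScreenLock' 'PASS' "Secure screen saver after $ssTimeout s"
} else {
    Add-Finding 'ScreenLock' 'FAIL' 'No password-protected lock within the assumed idle limit'
}

$script:findings | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM policy keys are readable; a FAIL or WARN row is the cue to push the setting through Group Policy or the device-management tool rather than fixing it by hand on one machine.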
Data in the secure environment
Providers should also ensure they select software vendors that have rigorous security procedures. This includes secure code development, ongoing reviews of application security, and continuous monitoring of risk to applications as new threats emerge. Your solution providers should also secure data at rest and in motion, in accordance with HIPAA regulations. Top providers also offer secure hosting with firewalls, intrusion detection systems, proactive vulnerability scanning and endpoint security.
While there’s always a chance of attack, effective security solutions combined with best practices on the front lines can go a long way.