Surviving The Data Breach Epidemic

4 Tips For Securing Healthcare Data

By Ben Herzberg, Chief Scientist and VP of Marketing, Satori
Twitter: @SatoriCyber

Under the HITECH Act, the U.S. Department of Health and Human Services has to post and investigate all data breaches of health records affecting 500 people or more. In the last 24 months, there have been 885 breaches.

As a healthcare provider, these statistics should spur you to think of ways to survive this data breach epidemic. Not only will you be doing right by your patients, but you will also protect yourself from legal liability. Right now, penalties for data breaches of health information can go up to $10 million.

Here are four tips on securing your healthcare data in order to prevent data breaches.

1. Automating data security

Attempting to safeguard data manually across various platforms, including databases, data warehouses, and data lakes, is a futile task that is prone to errors and vulnerabilities.

As a healthcare provider, it’s essential you have automated data security measures in place. That includes sensitive data discovery and automated data access. Automating these processes ensures that the system can continuously monitor and manage the security of data and take quick action to prevent any unauthorized access.

Sensitive data discovery tools help you identify and classify sensitive information within an organization, making it easier to protect and control access to the data.

Automated data access tools, on the other hand, enable you to grant temporary access to data — with a just-in-time approach and based on specific roles and permissions. That way you’re reducing the risk of unauthorized access to your data.

With automated data security measures, you can mitigate the risk of data breaches and ensure that sensitive information is protected and stays within your organization.

2. Vetting third parties’ security

According to Imprivata’s The State of Cybersecurity and Third-Party Remote Access Risk, 55% of healthcare organizations experienced a third-party data breach in the last 12 months. One cause of these breaches is weak vendor audits. 60% of healthcare organizations rely only on business reputation to decide if they will contract a third-party vendor.

It is no wonder that this is leaving many healthcare organizations badly exposed. In 2022, the biggest healthcare data breaches were a result of third-party vendor breaches. They seem to be the weakest link in recent healthcare data breaches.

As a healthcare provider, before contracting a third-party vendor, do a security assessment of their system. Here are important questions you should ask during the assessment:

  • What security measures do they have in place?
  • Do they perform vulnerability tests on their system?
  • Who is the chief officer in making IT decisions?
  • Do they outsource any IT services to fourth parties, and what risks could your system face as a result?

Based on the information you gather, you will be better placed to decide whether to engage a vendor or not. While at it, it is also important that you assess if they are following all the security measures of HIPAA, HITECH, or other health informatics laws and industry standards.

3. Implementing physical safeguards and having a clear privacy policy

Good fences make good neighbors. When trying to survive a data breach epidemic, good fences (physical safeguards) will come in handy in securing your healthcare data. The Department of Health & Human Services (HHS) defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information system and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

Secure both – inside and outside of your facility. Invest in parameter walls, gates, security officers, electronic access control systems, door locks, and video monitoring systems, among others. Medical devices and equipment are lucrative targets for thieves as they fetch a high resale value.

Another way to safeguard your healthcare facility is to have a policy and procedure in place to identify individuals accessing your facility. This is your staff, interns, third-party vendors, and contractors. As a healthcare provider, you handle tons of personally identifiable information, such as your patient’s name, address, phone number, email address, medical condition(s), diagnosis, photographic and video images, and credit card information. Information of this nature is sensitive and needs a robust privacy policy in place.

Your privacy policy should stipulate how to collect, manage, transmit, and store data. It should also specify how employees, interns, volunteers, third-party consultants, service providers, and other contracted faculties, access this data for performing their duties. Have an access control system, for example, where a physician should have access to the health records system, but not necessarily the claims management system.

Furthermore, your privacy policy should clearly state how to establish, exercise, or defend your legal rights in case of a criminal investigation.

4. Developing a data breach response plan

What will you do in case of a data breach? This is the eventuality you need to prepare for despite securing your system. It is pragmatic and will empower your organization to move fast if a data breach were to occur.

To do this, you need to create a data response plan. It should have five key steps which are:

  1. Identifying the breach: If any staff suspects a data breach, they should notify the Chief Privacy Officer immediately.
  2. Contain the breach: The Chief Privacy Officer should make an initial assessment within the first hour of being aware of the data breach and determine its seriousness.
  3. Assess the risks: Identify affected individuals and the potential risk of harm to them.
  4. Call the data breach response team to handle the breach.
  5. Review the data breach incident and make plans to prevent future breaches.

Having a data breach response plan will set in motion a logical line of protocol on how to handle a breach and ensure you present a united front.

Conclusion

Unfortunately, the data breach epidemic in the healthcare sector is not going away any time soon. Healthcare still remains a lucrative target spot for data hackers on a hunt for sensitive patients and organizational information.

The recent numbers show the rise of healthcare data breaches, therefore it is necessary to take all the measures to secure your health system. As they say, the best defense is a good offense. So, take it upon yourself to be proactive and use the above tips to secure your healthcare data.