Healthcare data security needs more attention than ever before, especially in light of increasing mobile medical technology. Emerging new practices in professional and personal care require innovative and reliable tech to keep everyone’s personal data safe.

Telehealth appointments skyrocketed during the COVID-19 pandemic. Before 2020, telehealth appointments made up 0.1% of primary care appointments; that number grew to 40% at the height of the crisis. Today, telehealth usage remains popular, according to the Assistant Secretary for Planning and Evaluation.

While the “digital and remote” care model led to great innovations and convenience in healthcare, it also opened new opportunities for scammers and hackers—leading to mounting challenges. Let’s go over the most important healthcare data security topics, including healthcare’s current approach to data breaches, the most common healthcare data security challenges, and the necessary actions by healthcare providers.


Data Breaches in Healthcare Security

Data breaches are a significant risk in healthcare security, and that’s not for lack of effort on the part of healthcare providers. All protected health information (PHI) is at risk, including personally identifiable information (PII) that patients provide to their healthcare providers.

Current Practices in Healthcare Data Security

Currently, healthcare providers and their IT teams have several practices in place for maintaining data security. For example, healthcare services use tools like passwords and data encryption for patients who want to access their health information via phone or laptop.

According to Andrew Steger of HealthTech magazine, healthcare officials have turned much of their focus and their investment dollars to security concerns. Still, Steger points out, “threat actors seeking to exploit overstrained facilities…are on the rise.” Those threat actors move quickly, and current security measures can’t keep up, especially now that the COVID-19 pandemic has stretched the American healthcare system to its limits.


Healthcare Data Security Laws

In addition to following their own protocol for data security, healthcare organizations must follow specific patient data protection laws.

The Health Insurance Portability and Accountability Act (HIPAA)

HIPAA’s Privacy Rule is a set of standards designed to protect patients and their PHI. These standards include ground rules for the disclosure of health information and other sensitive patient information. Through the Privacy Rule, HIPAA gives patients control over how their healthcare data is used. Healthcare entities that violate the Privacy Rule face fines.

Like the Privacy Rule, the HIPAA Security Rule protects patient data. However, the Security Rule only applies to electronic protected health information (ePHI). To remain within healthcare data compliance standards, organizations must adhere to specific administrative, technical, and physical standards.

The Health Information Technology for Economic and Clinical Health (HITECH) Act

The HITECH Act was implemented to expand the HIPAA Privacy and Security Rules in response to stakeholder concerns. The HITECH Act added new limitations on PHI usage. For example, the Act limited the amount of PHI that organizations could use for advertising and fundraising. It also expanded the list of people and entities who could be held accountable for violations, and it added a requirement for organizations to alert individuals in case of a data breach.

The General Data Protection Regulation (GDPR)

The GDPR is a piece of EU legislation. However, its impact is not limited to EU citizens and organizations. It imposes data collection and processing standards for all organizations that handle any EU citizen’s data, and because it applies at the organization-wide level, it leaves room for very few exceptions and has a global reach.

In addition to its general standards, the GDPR has specific regulations for healthcare data, including restrictions on data usage, data controller liability, and rules for data breach reporting.

The California Consumer Protection Act (CCPA)

Though the CCPA applies specifically to California healthcare organizations, it may serve as a guide for other US state healthcare laws in the future. The CCPA impacts more than just healthcare organizations. It applies to any organization that does one or more of the following:

  • Collects or processes data from 50,000 or more California residents
  • Earns more than $25 million in gross annual revenue
  • Earns 50% or more of its revenue from selling the data of California residents

The CCPA requires these entities to disclose their data practices, allow California residents to opt out of data collection, and allow those residents to request that organizations delete their data.

The Biggest Healthcare Data Security Challenges

Healthcare data security has a lot of room for improvement, but it faces many challenges.

Increased Mobility and Working from Home

Thanks to increasingly sophisticated gadgets and connectivity, healthcare workers can do much of their work from home. While mobile technology can never replace face-to-face interaction with patients, “behind the scenes” work becomes increasingly mobile with each passing year. Bookkeeping, reporting, and customer service can all happen on the go. Unfortunately, this causes a lot of data security challenges and increases complexity. Cybersecurity threats and even laptop thefts are increasing in all sectors, and healthcare data is particularly profitable, which makes healthcare workers’ laptops and mobile devices coveted targets. A detailed work-from-home security policy is a must for healthcare organizations. Increased mobility also comes with increased cloud usage, another source of data breach risk.

At-Risk Data Types

Thanks to the sheer amount of information that they store, healthcare entities make easy targets for savvy data hackers. By hacking into a single entity, a hacker can gain an individual’s Social Security number, payment information, and everything else they’ll need for identity theft and other cybercrimes. As a result, healthcare data security requires more coverage and care than a lot of other information sources.

Internal Staff Errors

Healthcare organizations employ a lot of people, and those people can make healthcare data security mistakes. Whether it’s a lack of understanding of the organization’s healthcare data security protocols, failure to grasp the full scope of the organization’s security needs, or simple human carelessness, employees can often put patient data at risk without realizing it. Maybe they use weak passwords to remember them more easily, or maybe they leave a laptop unattended. In any case, healthcare entities must prioritize organization-wide cybersecurity awareness to prevent such errors.

Hacking, Viruses, and Malware

Healthcare entities are susceptible to data breaches. If a healthcare network has multiple websites, for instance, hackers might create copycat sites that look identical to the real ones; these sites can be used to log sensitive data. Hackers may also take advantage of employee email addresses, using these addresses to employ phishing scams, malware, and other security dangers. Healthcare professionals receive more emails on average than most professionals receive. It’s not unusual for healthcare workers to receive emails from addresses that they don’t recognize. Thus, healthcare employees are more likely than others to open phishing emails.

COVID-19 and the Most Recent Healthcare Data Security Concerns

All of the security issues above existed in the healthcare industry long before the COVID-19 pandemic arrived. The pandemic has only made these concerns even more pressing as patients and providers adjusted their approach to healthcare. Andrew Steger explored some of these issues in the aforementioned HealthTech article. With the surge of the “work from home” model, employees may have a higher risk of connecting to unsecured public networks and putting themselves at increased risk of theft.

COVID-19 has also created a need for healthcare providers to collaborate with each other and with patients online. This increased cyber-collaboration can come with security-related vulnerabilities, especially when healthcare employees don’t have the right cybersecurity awareness training. The pandemic took the world by surprise, and because researchers are still learning about the virus, even healthcare providers have to learn and relearn best practices for conducting work during the pandemic. Few people, if any, could have foreseen the cybersecurity threats that would plague the healthcare industry as a result of this virus.

The Consequences of Healthcare Data Security Breaches

Healthcare data security breaches come with several consequences. Again, healthcare entities carry a lot of sensitive information, including financial information and identity markers. From a single breach, a hacker can gain several identity markers from a patient at the same time.

Unfortunately, the patients bear the brunt of the consequences. Many of these patients spend years dealing with consequences like extortion and identity theft. In an article for HealthTech, Andrew Steger quotes Tom Kellerman, CarbonBlack’s chief cybersecurity officer:

“I’m talking about…serious and heinous identity theft, like tax fraud and home equity loan fraud, which is growing dramatically in the US,” says Kellerman. “It’s quite lucrative, obviously, and important for cybercriminals to have all the various identifying information about someone that is held [in medical records].”

The aforementioned article also explains that healthcare data security breaches can cause more struggle for the impacted individual than similar security breaches. That’s because medical information, unlike banking information and similar data, cannot be changed, making it more difficult for individuals to stop extortion and identity theft once a breach has taken place.

It’s absolutely vital that healthcare entities protect their patients from these attacks by keeping their healthcare data security as tightly locked as possible. As healthcare workers already know, prevention is often better than treatment, and that’s especially true when it comes to data protection. With the right tools and know-how, preventing a data breach is far simpler than dealing with the aftermath.

Legal Consequences

Of course, while the individuals themselves deal with most of the consequences, healthcare entities can face some hefty ramifications when it comes to improper healthcare data security. For instance, entities may face legal consequences for their lack of proper data protection. Three separate agencies regulate healthcare data protection laws.

  • The US Department of Health and Human Services (HHS)
    The HHS oversees all of the regulatory agencies related to health, including the CDC, FDA, OCR, and many others.
  • Section 5 of the Federal Trade Commission (FTC)
    Section 5 of the FTC regulates companies’ data practices to prevent unfair or deceptive use of consumer data.
  • The Office for Civil Rights (OCR)
    The OCR is the agency tasked with enforcing HIPAA Security and Privacy Rules. The OCR investigates HIPAA violations, resolves complaints, and conducts compliance reviews.

Healthcare entities that violate these agencies’ regulations can find themselves in legal trouble, especially if they don’t notify the right people within the legal time limits.


Financial Consequences

Healthcare data security breaches come with steep financial costs, often as the result of the aforementioned legal trouble. Healthcare organizations often have to reach settlements with the impacted individuals after data security breaches. Between those settlements and the other costs of data breaches, healthcare entities can struggle with the financial ramifications for years. A 2019 study found that healthcare data breaches are 65% more costly than breaches in other industries, averaging $429 per record (a 5.15% increase from the previous year). Healthcare data breaches cost the most in the United States at an average of $15 million per breach, compared to the global average of $6.45 million. For comparison, the financial industry, which faces the second-highest level of breach costs in the US, faces less than half the cost per record that the healthcare industry faces.


Damage Control

As outlined above, current data privacy laws state that healthcare organizations must warn patients when their healthcare data is breached. Apart from the initial warning, organizations whose data is breached must often commit to damage control. For example, the HIPAA Breach Notification Rule states that when a healthcare data breach impacts more than 500 individuals, the organization in question must report that breach to the media. A breach of data means a breach of trust. Compromised healthcare organizations must often take a multi-dimensional approach to regaining that trust. In the case of major breaches, some healthcare entities may struggle to regain patient trust.


How to Prevent Healthcare Data Security Breaches

When it comes to medical data, it’s not a matter of whether or not a security breach attempt will happen. It’s a matter of how organizations handle those breach attempts when they do happen. Thankfully, medical entities do have security options that can help them respond more effectively to breach attempts.

Internet Security

First of all, healthcare data security requires strict internet security. All devices that employees use for work must have antivirus software, VPNs, and secure wireless connections. A strict “no public wifi for remote work” policy can help organizations protect patient data, provided that individual employees understand the importance of this policy and follow through.

Endpoint Security

Next, medical data protection requires strict endpoint security. This includes using Trusted Platform Modules (TPM) and data encryption. Healthcare entities should also have a way to lock, locate, and wipe compromised devices. We’ll cover device security in more detail in a moment. Entities should be able to execute these functions remotely so that they have immediate and effective protection against data compromise. Some people underestimate the importance of endpoint security, putting all of their focus on cloud security instead. Don’t make this mistake. Endpoint security is just as important as virtual security. As a matter of fact, almost half of healthcare data breaches happen due to laptop theft.

Product Security

Health tech apps, software, and websites should be secure. Only use trusted, vetted channels for communicating with patients and processing their data to ensure top healthcare data security.

What You Need from Endpoint Healthcare Data Security

Of course, one can’t have healthcare data security without the right healthcare data security tools. Let’s look specifically at endpoint data security, since this is the kind of security that often gets overlooked by healthcare entities.

Remote Locking Capabilities

Remote locking can include several capabilities, including:

  • Forced logout
  • Forced reboot
  • Account disablement
  • Remote forced password reset
  • Remote firmware lock

All of these capabilities boil down to one goal: keeping unauthorized users from accessing sensitive data. Administrators can remotely lock a device or system in case of theft, loss, and other security concerns. Remote locking capabilities can help cover potential security weaknesses that arise with “bring your own device” (BYOD) policies.

Remote Wipe

Like remote locking, data wiping capabilities can also cover gaps in BYOD security. With data wiping, administrators can wipe or destroy healthcare data stored in compromised devices. Data wiping can apply to a single device, or it can be used on an organization-wide level. In any case, data wiping can keep hackers and thieves from taking advantage of patients’ personal data.

Device Tracking

Device tracking is useful for any healthcare organization, but it’s especially important for healthcare organizations that manage a lot of devices across several locations. In the event of theft or loss, tracking-enabled devices can be located and recovered quickly. Furthermore, with periodic reporting, healthcare entities can receive regular updates on an enabled device’s location.

Disk Encryption

Unencrypted data dramatically increases the risk of a security breach, especially when it comes to medical data. Encryption protects data from several security concerns, including malware, network hacking, information gained from physical theft, and more. Healthcare entities must use encryption solutions as a bare minimum for patient data security.

Protect Devices with DriveStrike

DriveStrike makes a difference. In a healthcare organization, you don’t have time to wait for security solutions. Patients deserve data protection now, and hackers are getting more sophisticated every day.

DriveStrike offers device encryption, remote locking, device tracking, and data wiping so that your organization can cover multiple security gaps at the same time. We’re experienced healthcare data security veterans, compliant with regulations including HIPAA, GDPR, and more. Our solutions can help you maintain compliance, protecting your organization and the individuals that use it. While we provide simple solutions for your data security needs, we also offer consistent, quality support for you and your organization. When you deal with highly personal data on a daily basis, your security team must offer on-demand support. You need a security support team that takes your data needs seriously, and DriveStrike is that team.


Start Your Free 30-Day Trial

Your organization needs simple and wide-reaching solutions to combat daily security challenges. DriveStrike helps you protect your most critical data with premium quality endpoint security.