Can Your Healthcare Data Security Keep Up with the Times?
The Biggest Healthcare Data Security Challenges
Healthcare data security has a lot of room for improvement, but it faces many challenges.
What You Need from Endpoint Healthcare Data Security
A close look at the most important factors.
Healthcare data security needs more attention than it has ever needed before, especially in light of increasing mobile medical technology.
Not only have medical devices increased in sophistication, but healthcare information has grown to the point where people may take charge of their health from laptops and mobile devices.
Even outside of telehealth, patients and care providers store sensitive information on laptops and other devices.
While this increased digital remote care model led to new innovations and convenience in healthcare, it also provided plenty of opportunity for hackers. When it comes to healthcare data security, maintaining HIPAA compliance, and keeping up with an increasingly digital world, healthcare providers have a lot of challenges on their hands. In this document, we’ll go over the most important healthcare data security topics, including healthcare’s current approach to data breaches, the most common healthcare data security challenges, and what healthcare providers can do to overcome those challenges.
Data Breaches in Healthcare Security
Data breaches are a significant risk in healthcare security, and that’s not for lack of effort on the part of healthcare providers. All protected health information (PHI) is at risk, including personally identifiable information (PII) that patients provide to their healthcare providers.
Current Practices in Healthcare Data Security
Currently, healthcare providers and their IT teams have several practices in place for maintaining data security. For example, healthcare services use tools like passwords and data encryption for patients who want to access their health information via phone or laptop.
According to Andrew Steger of HealthTech magazine, healthcare officials have turned much of their focus and their investment dollars to security concerns. Still, Steger points out , “threat actors seeking to exploit overstrained facilities…are on the rise.” Those threat actors move quickly, and current security measures can’t keep up, especially now that the COVID-19 pandemic has stretched the American healthcare system to its limits.
Healthcare Data Security Laws
In addition to following their own protocol for data security, healthcare organizations must follow specific patient data protection laws.
HIPAA
HITECH
GDPR
CCPA
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA’s Privacy Rule is a set of standards designed to protect patients and their PHI. These standards include ground rules for health information disclosure, and other sensitive patient information. Through the Privacy Rule, HIPAA gives patients control over how their healthcare data is used. Healthcare entities that violate the Privacy Rule face fines.
Like the Privacy Rule, the HIPAA Security Rule protects patient data. However, the Security Rule only applies to electronic protected health information (ePHI). To remain within healthcare data compliance standards, organizations must adhere to specific administrative, technical, and physical standards.
The Health Information Technology for Economic and Clinical Health (HITECH) Act
The HITECH Act was implemented to expand the HIPAA Privacy and Security Rules in response to stakeholder concerns. The HITECH Act added new limitations for PHI information usage. For example, the Act limited the amount of PHI that organizations could use for advertising and fundraising. It also expanded the list of people and entities who could be held accountable for violations, and it added a requirement for organizations to alert individuals in case of a data breach.
The General Data Protection Regulation (GDPR)
The GDPR is a piece of EU legislation. However, its impact is not limited to EU citizens and organizations. It imposes data collection and processing standards for all organizations that handle any EU citizen’s data, and because it applies to the organization-wide level, it leaves room for very few exceptions and has a global reach.
In addition to its general standards, the GDPR has specific regulations for healthcare data, including restrictions on data usage, data controller liability, and rules for data breach reporting.
The California Consumer Protection Act (CCPA)
Though the CCPA applies specifically to California healthcare organizations, it may serve as a guide for other US state healthcare laws in the future. The CCPA impacts more than just healthcare organizations. It applies to any organization that does one or more of the following:
- Collect or process data from 50,000 or more California residents
- Earn more than $25 million in gross annual revenue
- Earn 50% or more of their revenue from selling the data of California residents
The CCPA requires these entities to disclose their data practices, allow California residents to opt out of data collection, and allow those residents to request that organizations delete their data.
The Biggest Healthcare Data Security Challenges
Healthcare data security has a lot of room for improvement, but it faces many challenges. Below are just some of the top security challenges that healthcare organizations face.
Increased Mobility and Working from Home
Thanks to increasingly sophisticated gadgets and connectivity, healthcare workers can do much of their work from home. While mobile technology can never replace face-to-face interaction with patients, “behind the scenes” work becomes increasingly mobile with each passing year. Bookkeeping, reporting, and customer service can all happen on the go.
Overall, enhanced mobility has provided some exciting changes in healthcare. Unfortunately, however, it causes a lot of data security challenges and can increase complexity. For example, cybersecurity threats and even laptop thefts are increasing in all sectors, and healthcare data is particularly profitable. As a result, healthcare workers’ laptops and mobile devices are coveted targets. A detailed work from home security policy is a must for healthcare organizations.
Furthermore, increased mobility comes with increased cloud usage . On the one hand, cloud-accessible healthcare information means that patients can access their own records more easily, which empowers them to take a more active role in their own healthcare. On the other hand, the cloud comes with increased data breach risks.
At-Risk Data Types
Thanks to the sheer amount of information that it stores, healthcare entities make easy targets for savvy data hackers. By hacking into a single entity, a hacker can gain an individual’s Social Security number, payment information, and everything else they’ll need for identity theft and other cybercrimes. As a result, healthcare data security requires more coverage and care than a lot of other information sources.
Internal Staff Errors
Healthcare organizations employ a lot of people, and those people can make healthcare data security mistakes. Whether it’s a lack of understanding the organization’s healthcare data security protocols, failure to grasp the full scope of the organization’s security needs, or simple human carelessness, employees can often put patient data at risk without realizing it. Maybe they use weak passwords to remember them more easily, or maybe they leave a laptop unattended. In any case, healthcare entities must prioritize organization-wide cybersecurity awareness to prevent such errors.
Hacking, Viruses, and Malware
Once again, the large size of most healthcare entities can lead to security breaches. If a healthcare network has multiple websites, for instance, hackers might create copycat sites that look identical to the real ones. Then, they can use these sites to access sensitive data.
Hackers may also take advantage of employee email addresses, using these addresses to employ phishing scams, malware, and other security dangers. Healthcare professionals receive more emails on average than most professionals receive. It’s not unusual for healthcare workers to receive emails from addresses that they don’t recognize. Therefore, healthcare employees are more likely than others to open phishing emails.
COVID-19 and the Most Recent Healthcare Data Security Concerns
All of the above security issues were present in the healthcare industry long before the COVID-19 pandemic arrived. However, the pandemic has only made these concerns even more pressing as patients and providers adjusted their approach to healthcare.
Andrew Steger explored some of these issues in the aforementioned HealthTech article . For instance, COVID-19 has led to more people, including healthcare employees, working more hours at home. As a result, employees may have a higher risk of connecting to an unsecured network. Furthermore, as employees use their laptops and other mobile devices outside of the workplace, those devices face increased vulnerability to theft.
COVID-19 has also created a need for healthcare providers to collaborate with each other and with patients online. This increased cyber-collaboration can come with security-related vulnerabilities, especially when healthcare employees don’t have the right cybersecurity awareness training.
And why would they have the right training for this particular situation? The COVID-19 pandemic took the world by surprise, and because researchers are still learning about the virus, even healthcare providers have to learn and relearn best practices for conducting work during the pandemic. Few people, if any, could have foreseen the cybersecurity threats that would plague the healthcare industry as a result of this virus.
Start Your 30-Day Free Trial
The Consequences of Healthcare Data Security Breaches
Healthcare data security breaches come with several consequences, especially when it comes to healthcare data security. Again, healthcare entities carry a lot of sensitive information, including financial information and identity markers. From a single breach, a hacker can gain several identity markers from a patient at the same time.
Unfortunately, the patients themselves bear the brunt of the resulting consequences. Many of these patients spend years dealing with consequences like extortion and identity theft. In an article for HealthTech, Andrew Steger quotes Tom Kellerman, CarbonBlack’s chief cybersecurity officer:
“I’m talking about…serious and heinous identity theft, like tax fraud and home equity loan fraud, which is growing dramatically in the US,” says Kellerman. “It’s quite lucrative, obviously, and important for cybercriminals to have all the various identifying information about someone that is held [in medical records].”
The aforementioned article also explains that healthcare data security breaches can cause more struggle for the impacted individual than similar security breaches. That’s because medical information, unlike banking information and similar data, cannot be changed, making it more difficult for individuals to stop extortion and identity theft once a breach has taken place.
It’s absolutely vital that healthcare entities protect their patients from these attacks by keeping their healthcare data security as tightly locked as possible. As healthcare workers already know, prevention is often better than treatment, and that’s especially true when it comes to data protection. With the right tools and know-how, preventing a data breach is far simpler than dealing with the aftermath.
Legal Consequences
Of course, while the individuals themselves deal with most of the consequences, healthcare entities can face some hefty ramifications when it comes to improper healthcare data security. For instance, entities may face legal consequences for their lack of proper data protection.
Three separate agencies regulate healthcare data protection laws.
- The US Department of Health and Human Services (HHS)
The HHS oversees all of the regulatory agencies related to health, including the CDC, FDA, OCR, and many others. - Section 5 of the Federal Trade Commission (FTC)
Section 5 of the FTC regulates companies’ data practices to prevent unfair or deceptive use of consumer data. - The Office for Civil Rights (OCR)
The OCR is the agency tasked with enforcing HIPAA Security and Privacy Rules. The OCR investigates HIPAA violations, resolves complaints, and conducts compliance reviews.
Healthcare entities that violate these agencies’ regulations can find themselves in legal trouble, especially if they don’t notify the right people within the legal time limits.
Healthcare data security breaches come with steep financial costs, often as the result of the aforementioned legal trouble. Healthcare organizations often have to reach settlements with the impacted individuals after data security breaches.
Between those settlements and the other costs of data breaches, healthcare entities can struggle with the financial ramifications for years. A 2019 study found that healthcare data breaches are 65% more costly than breaches in other industries, averaging $429 per record (a 5.15% increase from the previous year). Healthcare data breaches cost the most in the United States at an average of $15 million per breach, compared to the global average of $6.45 million.
To provide more comparison, the financial industry, which faces the second-highest level of breach costs in the US, faces less than half of the cost per record than the healthcare industry faces.
Financial Consequences
Damage Control
As outlined above, current data privacy laws state that healthcare organizations must warn patients when their healthcare data is breached. Apart from the initial warning, organizations whose data is breached must often commit to damage control.
For example, the HIPAA Breach Notification Rule states that when a healthcare data breach impacts more than 500 individuals, the organization in question must report that breach to the media. A breach of data means a breach of trust. Compromised healthcare organizations must often take a multi-dimensional approach to regaining that trust. In the case of major breaches, some healthcare entities may struggle to regain patient trust.
How to Prevent Healthcare Data Security Breaches
When it comes to medical data, it’s not a matter of whether or not a security breach attempt will happen. It’s a matter of how organizations handle those breach attempts when they do happen. Thankfully, medical entities do have security options that can help them respond more effectively to breach attempts.
Internet Security
Endpoint Security
Product Security
Internet Security
First of all, healthcare data security requires strict internet security. All devices that employees use for work must have antivirus software, VPNs, and secure wireless connections. A strict “no public wifi for remote work” policy can help organizations protect patient data, provided that individual employees understand the importance of this policy and follow through.
Endpoint Security
Next, medical data protection requires strict endpoint security. This includes using Trusted Platform Modules (TPM) and data encryption. Healthcare entities should also have a way to lock, locate, and wipe compromised devices. We’ll cover device security in more detail in a moment. Entities should be able to execute these functions remotely so that they have immediate and effective protection against data compromise. Some people underestimate the importance of endpoint security, putting all of their focus on cloud security instead. Don’t make this mistake. Endpoint security is just as important as virtual security. As a matter of fact, almost half of healthcare data breaches happen due to laptop theft .
Product Security
Health tech apps, software, and websites should be secure. Only use trusted, vetted channels for communicating with patients and processing their data to ensure top healthcare data security.
How to Find the Right Healthcare Data Security Tools
Of course, one can’t have healthcare data security without the right healthcare data security tools. Let’s look specifically at endpoint data security, since this is the kind of security that often gets overlooked by healthcare entities. Furthermore, with more and more healthcare employees working from home thanks to the COVID-19 pandemic, device security has become even more important now than it has ever been in the past.
What You Need from Endpoint Healthcare Data Security
We briefly mentioned the needs of endpoint healthcare device security above. Let’s take a closer look at the most important factors.
Remote Locking Capabilities
Remote locking can include several capabilities, including:
- Forced logout
- Forced reboot
- Account disablement
- Remote forced password reset
- Remote firmware lock
All of these capabilities boil down to one goal: keeping unauthorized users from accessing sensitive data. Administrators can remotely lock a device or system in case of theft, loss, and other security concerns. Remote locking capabilities can help cover potential security weaknesses that arise with “bring your own device” (BYOD) policies.
Data Wiping
Like remote locking, data wiping capabilities can also cover gaps in BYOD security. With data wiping, administrators can wipe or destroy healthcare data stored in compromised devices. Data wiping can apply to a single device, or it can be used on an organization-wide level. In any case, data wiping can keep hackers and thieves from taking advantage of patients’ personal data.
Lost Device Location
Device tracking is useful for any healthcare organization, but it’s especially important for healthcare organizations that manage a lot of devices across several locations. In the event of theft or loss, tracking-enabled devices can be located and recovered quickly. Furthermore, with periodic reporting, healthcare entities can receive regular updates on an enabled device’s location.
Encryption
Unencrypted data dramatically increases the risk of a security breach, especially when it comes to medical data. Encryption protects data from several security concerns, including malware, network hacking, information gained from physical theft, and more. Healthcare entities must use encryption solutions as a bare minimum for patient data security.
Protect Devices with DriveStrike
In the medical field, portable devices need endpoint security to ensure patient data safety and overall healthcare data security. All of those security needs can become complicated, especially when an organization seeks out one healthcare data security measure at a time.
DriveStrike offers device encryption, remote locking, device tracking, and data wiping so that your organization can cover multiple security gaps at the same time.
We’re experienced and compliant healthcare data security veterans, including HIPAA, GDPR, and more. Our solutions can help you maintain compliance, protecting your organization and the individuals that use it.
While we provide simple solutions for your data security needs, we also offer consistent, quality support for you and your organization. When you deal with highly personal data on a daily basis, your security team must offer on-demand support. You need a security support team that takes your data needs seriously, and DriveStrike is that team.
Contact DriveStrike to Get Started
Each day brings new healthcare data security challenges, so your organization needs simple and wide-reaching solutions to combat those challenges. DriveStrike is here to help you protect your most critical data with premium quality endpoint security. Our personnel are always here and ready to answer your questions.