Healthcare data security needs more attention than ever before, especially in light of the rise of mobile medical technology. Emerging practices in professional and personal care require innovative and reliable technology to keep everyone’s personal data safe.
Telehealth appointments skyrocketed during the COVID-19 pandemic. Before 2020, telehealth appointments made up 0.1% of primary care appointments; that number grew to 40% at the height of the crisis. Today, telehealth usage remains popular, according to the Assistant Secretary for Planning and Evaluation.
While the “digital and remote” care model led to great innovations and convenience in healthcare, it also opened new opportunities for scammers and hackers, leading to mounting challenges. Let’s go over the most important healthcare data security topics, including healthcare’s current approach to data breaches, the most common healthcare data security challenges, and the actions healthcare providers need to take.
Data Breaches in Healthcare Security
Data breaches are a significant risk in healthcare security, and that’s not for lack of effort on the part of healthcare providers. All protected health information (PHI) is at risk, including personally identifiable information (PII) that patients provide to their healthcare providers.
Current Practices in Healthcare Data Security
Currently, healthcare providers and their IT teams have several practices in place for maintaining data security. For example, healthcare services use tools like passwords and data encryption for patients who want to access their health information via phone or laptop.
According to Andrew Steger of HealthTech magazine, healthcare officials have turned much of their focus and their investment dollars to security concerns. Still, Steger points out, “threat actors seeking to exploit overstrained facilities…are on the rise.” Those threat actors move quickly, and current security measures can’t keep up, especially now that the COVID-19 pandemic has stretched the American healthcare system to its limits.
Healthcare Data Security Laws
In addition to following their own protocol for data security, healthcare organizations must follow specific patient data protection laws.
- HIPAA
- HITECH
- GDPR
- CCPA
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA’s Privacy Rule is a set of standards designed to protect patients and their PHI. These standards set ground rules for disclosing health information and other sensitive patient information. Through the Privacy Rule, HIPAA gives patients control over how their healthcare data is used. Healthcare entities that violate the Privacy Rule face fines.
Like the Privacy Rule, the HIPAA Security Rule protects patient data. However, the Security Rule only applies to electronic protected health information (ePHI). To remain within healthcare data compliance standards, organizations must adhere to specific administrative, technical, and physical standards.
The Health Information Technology for Economic and Clinical Health (HITECH) Act
The HITECH Act was implemented to expand the HIPAA Privacy and Security Rules in response to stakeholder concerns. The HITECH Act added new limitations on PHI usage. For example, the Act limited the amount of PHI that organizations could use for advertising and fundraising. It also expanded the list of people and entities who could be held accountable for violations, and it added a requirement for organizations to alert individuals in case of a data breach.
The General Data Protection Regulation (GDPR)
The GDPR is a piece of EU legislation. However, its impact is not limited to EU citizens and organizations. It imposes data collection and processing standards on every organization that handles any EU citizen’s data, and because it applies at the organization-wide level, it leaves room for very few exceptions and has a global reach.
In addition to its general standards, the GDPR has specific regulations for healthcare data, including restrictions on data usage, data controller liability, and rules for data breach reporting.
The California Consumer Protection Act (CCPA)
Though the CCPA applies specifically to California healthcare organizations, it may serve as a guide for other US state healthcare laws in the future. The CCPA impacts more than just healthcare organizations. It applies to any organization that does one or more of the following:
- Collects or processes data from 50,000 or more California residents
- Earns more than $25 million in gross annual revenue
- Earns 50% or more of its revenue from selling the data of California residents
The CCPA requires these entities to disclose their data practices, allow California residents to opt out of data collection, and allow those residents to request that organizations delete their data.
The Biggest Healthcare Data Security Challenges
Healthcare data security has a lot of room for improvement, but it faces many challenges.
The Consequences of Healthcare Data Security Breaches
Healthcare data security breaches come with several consequences. Again, healthcare entities carry a lot of sensitive information, including financial information and identity markers. From a single breach, a hacker can gain several of a patient’s identity markers at the same time.
Unfortunately, the patients bear the brunt of the consequences. Many of these patients spend years dealing with consequences like extortion and identity theft. In an article for HealthTech, Andrew Steger quotes Tom Kellerman, CarbonBlack’s chief cybersecurity officer:
“I’m talking about…serious and heinous identity theft, like tax fraud and home equity loan fraud, which is growing dramatically in the US,” says Kellerman. “It’s quite lucrative, obviously, and important for cybercriminals to have all the various identifying information about someone that is held [in medical records].”
The aforementioned article also explains that healthcare data security breaches can cause more struggle for the impacted individual than similar security breaches. That’s because medical information, unlike banking information and similar data, cannot be changed, making it more difficult for individuals to stop extortion and identity theft once a breach has taken place.
It’s absolutely vital that healthcare entities protect their patients from these attacks by keeping their healthcare data security as tightly locked as possible. As healthcare workers already know, prevention is often better than treatment, and that’s especially true when it comes to data protection. With the right tools and know-how, preventing a data breach is far simpler than dealing with the aftermath.
Legal Consequences
Of course, while the individuals themselves deal with most of the consequences, healthcare entities can face some hefty ramifications when it comes to improper healthcare data security. For instance, entities may face legal consequences for their lack of proper data protection. Three separate agencies regulate healthcare data protection laws.
- The US Department of Health and Human Services (HHS): The HHS oversees all of the regulatory agencies related to health, including the CDC, FDA, OCR, and many others.
- Section 5 of the Federal Trade Commission (FTC): Section 5 of the FTC regulates companies’ data practices to prevent unfair or deceptive use of consumer data.
- The Office for Civil Rights (OCR): The OCR is the agency tasked with enforcing the HIPAA Security and Privacy Rules. The OCR investigates HIPAA violations, resolves complaints, and conducts compliance reviews.
Healthcare entities that violate these agencies’ regulations can find themselves in legal trouble, especially if they don’t notify the right people within the legal time limits.
Financial Consequences
Healthcare data security breaches come with steep financial costs, often as the result of the aforementioned legal trouble. Healthcare organizations often have to reach settlements with the impacted individuals after data security breaches. Between those settlements and the other costs of data breaches, healthcare entities can struggle with the financial ramifications for years. A 2019 study found that healthcare data breaches are 65% more costly than breaches in other industries, averaging $429 per record (a 5.15% increase from the previous year). Healthcare data breaches cost the most in the United States, at an average of $15 million per breach, compared to the global average of $6.45 million. For further comparison, the financial industry, which faces the second-highest breach costs in the US, pays less than half the per-record cost that the healthcare industry faces.
Damage Control
As outlined above, current data privacy laws state that healthcare organizations must warn patients when their healthcare data is breached. Apart from the initial warning, organizations whose data is breached must often commit to damage control. For example, the HIPAA Breach Notification Rule states that when a healthcare data breach impacts more than 500 individuals, the organization in question must report that breach to the media. A breach of data means a breach of trust. Compromised healthcare organizations must often take a multi-dimensional approach to regaining that trust. In the case of major breaches, some healthcare entities may struggle to regain patient trust.
How to Prevent Healthcare Data Security Breaches
- Internet Security
- Endpoint Security
- Product Security
Internet Security
First of all, healthcare data security requires strict internet security. All devices that employees use for work must have antivirus software, VPNs, and secure wireless connections. A strict “no public wifi for remote work” policy can help organizations protect patient data, provided that individual employees understand the importance of this policy and follow through.
Endpoint Security
Next, medical data protection requires strict endpoint security. This includes using Trusted Platform Modules (TPM) and data encryption. Healthcare entities should also have a way to lock, locate, and wipe compromised devices. We’ll cover device security in more detail in a moment. Entities should be able to execute these functions remotely so that they have immediate and effective protection against data compromise. Some people underestimate the importance of endpoint security, putting all of their focus on cloud security instead. Don’t make this mistake. Endpoint security is just as important as virtual security. As a matter of fact, almost half of healthcare data breaches happen due to laptop theft.
Product Security
Health tech apps, software, and websites should be secure. Only use trusted, vetted channels for communicating with patients and processing their data to ensure top healthcare data security.
What You Need from Endpoint Healthcare Data Security
Of course, one can’t have healthcare data security without the right healthcare data security tools. Let’s look specifically at endpoint data security, since this is the kind of security that often gets overlooked by healthcare entities.
Remote Locking Capabilities
Remote locking can include several capabilities, including:
- Forced logout
- Forced reboot
- Account disablement
- Remote forced password reset
- Remote firmware lock
All of these capabilities boil down to one goal: keeping unauthorized users from accessing sensitive data. Administrators can remotely lock a device or system in case of theft, loss, and other security concerns. Remote locking capabilities can help cover potential security weaknesses that arise with “bring your own device” (BYOD) policies.
Remote Wipe
Like remote locking, data wiping capabilities can also cover gaps in BYOD security. With data wiping, administrators can wipe or destroy healthcare data stored in compromised devices. Data wiping can apply to a single device, or it can be used on an organization-wide level. In any case, data wiping can keep hackers and thieves from taking advantage of patients’ personal data.
Device Tracking
Device tracking is useful for any healthcare organization, but it’s especially important for healthcare organizations that manage a lot of devices across several locations. In the event of theft or loss, tracking-enabled devices can be located and recovered quickly. Furthermore, with periodic reporting, healthcare entities can receive regular updates on an enabled device’s location.
Disk Encryption
Unencrypted data dramatically increases the risk of a security breach, especially when it comes to medical data. Encryption protects data from several security concerns, including malware, network hacking, information gained from physical theft, and more. Healthcare entities must use encryption solutions as a bare minimum for patient data security.
Protect Devices with DriveStrike
DriveStrike makes a difference. In a healthcare organization, you don’t have time to wait for security solutions. Patients deserve data protection now, and hackers are getting more sophisticated every day.
DriveStrike offers device encryption, remote locking, device tracking, and data wiping so that your organization can cover multiple security gaps at the same time. We are experienced healthcare data security veterans, compliant with HIPAA, GDPR, and more. Our solutions can help you maintain compliance, protecting your organization and the individuals that use it. While we provide simple solutions for your data security needs, we also offer consistent, quality support for you and your organization. When you deal with highly personal data on a daily basis, your security team must offer on-demand support. You need a security support team that takes your data needs seriously, and DriveStrike is that team.