Even outside of telehealth, patients and care providers store sensitive information on laptops and other devices.
While this shift toward digital, remote care has led to new innovations and convenience in healthcare, it has also provided plenty of opportunity for hackers. When it comes to healthcare data security, maintaining HIPAA compliance, and keeping up with an increasingly digital world, healthcare providers have a lot of challenges on their hands. In this document, we’ll go over the most important healthcare data security topics, including healthcare’s current approach to data breaches, the most common healthcare data security challenges, and what healthcare providers can do to overcome those challenges.
Data Breaches in Healthcare Security
Data breaches are a significant risk in healthcare security, and that’s not for lack of effort on the part of healthcare providers. All protected health information (PHI) is at risk, including personally identifiable information (PII) that patients provide to their healthcare providers.
Current Practices in Healthcare Data Security
Currently, healthcare providers and their IT teams have several practices in place for maintaining data security. For example, healthcare services use tools like passwords and data encryption for patients who want to access their health information via phone or laptop.
According to Andrew Steger of HealthTech magazine, healthcare officials have turned much of their focus and their investment dollars to security concerns. Still, Steger points out, “threat actors seeking to exploit overstrained facilities…are on the rise.” Those threat actors move quickly, and current security measures can’t keep up, especially now that the COVID-19 pandemic has stretched the American healthcare system to its limits.
Healthcare Data Security Laws
In addition to following their own protocol for data security, healthcare organizations must follow specific patient data protection laws.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA’s Privacy Rule is a set of standards designed to protect patients and their PHI. These standards include ground rules for disclosing health information and other sensitive patient information. Through the Privacy Rule, HIPAA gives patients control over how their healthcare data is used. Healthcare entities that violate the Privacy Rule face fines.
Like the Privacy Rule, the HIPAA Security Rule protects patient data. However, the Security Rule only applies to electronic protected health information (ePHI). To remain within healthcare data compliance standards, organizations must adhere to specific administrative, technical, and physical standards.
The Health Information Technology for Economic and Clinical Health (HITECH) Act
The HITECH Act was implemented to expand the HIPAA Privacy and Security Rules in response to stakeholder concerns. The HITECH Act added new limitations on PHI usage. For example, the Act limited the amount of PHI that organizations could use for advertising and fundraising. It also expanded the list of people and entities who could be held accountable for violations, and it added a requirement for organizations to alert individuals in case of a data breach.
The General Data Protection Regulation (GDPR)
The GDPR is a piece of EU legislation. However, its impact is not limited to EU citizens and organizations. It imposes data collection and processing standards on every organization that handles any EU citizen’s data, and because it applies at the organization-wide level, it leaves room for very few exceptions and has a global reach.
In addition to its general standards, the GDPR has specific regulations for healthcare data, including restrictions on data usage, data controller liability, and rules for data breach reporting.
The California Consumer Protection Act (CCPA)
Though the CCPA applies specifically to California healthcare organizations, it may serve as a guide for other US state healthcare laws in the future. The CCPA impacts more than just healthcare organizations. It applies to any organization that does one or more of the following:
- Collects or processes data from 50,000 or more California residents
- Earns more than $25 million in gross annual revenue
- Earns 50% or more of its revenue from selling the data of California residents
The CCPA requires these entities to disclose their data practices, allow California residents to opt out of data collection, and allow those residents to request that organizations delete their data.
The Biggest Healthcare Data Security Challenges
Healthcare data security has a lot of room for improvement, but it faces many challenges. Below are just some of the top security challenges that healthcare organizations face.
The Consequences of Healthcare Data Security Breaches
Healthcare data security breaches come with several consequences, which is what makes healthcare data security so important. Again, healthcare entities carry a lot of sensitive information, including financial information and identity markers. From a single breach, a hacker can gain several identity markers from a patient at the same time.
Unfortunately, the patients themselves bear the brunt of the resulting consequences. Many of these patients spend years dealing with consequences like extortion and identity theft. In an article for HealthTech, Andrew Steger quotes Tom Kellerman, CarbonBlack’s chief cybersecurity officer:
“I’m talking about…serious and heinous identity theft, like tax fraud and home equity loan fraud, which is growing dramatically in the US,” says Kellerman. “It’s quite lucrative, obviously, and important for cybercriminals to have all the various identifying information about someone that is held [in medical records].”
The aforementioned article also explains that healthcare data security breaches can cause more struggle for the impacted individual than similar security breaches. That’s because medical information, unlike banking information and similar data, cannot be changed, making it more difficult for individuals to stop extortion and identity theft once a breach has taken place.
It’s absolutely vital that healthcare entities protect their patients from these attacks by keeping their healthcare data security as tightly locked as possible. As healthcare workers already know, prevention is often better than treatment, and that’s especially true when it comes to data protection. With the right tools and know-how, preventing a data breach is far simpler than dealing with the aftermath.
Of course, while the individuals themselves deal with most of the consequences, healthcare entities can face some hefty ramifications when it comes to improper healthcare data security. For instance, entities may face legal consequences for their lack of proper data protection.
Three separate agencies regulate healthcare data protection laws.
- The US Department of Health and Human Services (HHS)
The HHS oversees all of the regulatory agencies related to health, including the CDC, FDA, OCR, and many others.
- Section 5 of the Federal Trade Commission (FTC) Act
Under Section 5 of the FTC Act, the FTC regulates companies’ data practices to prevent unfair or deceptive use of consumer data.
- The Office for Civil Rights (OCR)
The OCR is the agency tasked with enforcing HIPAA Security and Privacy Rules. The OCR investigates HIPAA violations, resolves complaints, and conducts compliance reviews.
Healthcare entities that violate these agencies’ regulations can find themselves in legal trouble, especially if they don’t notify the right people within the legal time limits.
Healthcare data security breaches come with steep financial costs, often as the result of the aforementioned legal trouble. Healthcare organizations often have to reach settlements with the impacted individuals after data security breaches.
Between those settlements and the other costs of data breaches, healthcare entities can struggle with the financial ramifications for years. A 2019 study found that healthcare data breaches are 65% more costly than breaches in other industries, averaging $429 per record (a 5.15% increase from the previous year). Healthcare data breaches cost the most in the United States at an average of $15 million per breach, compared to the global average of $6.45 million.
To provide more comparison, the financial industry, which faces the second-highest level of breach costs in the US, faces less than half the per-record cost that the healthcare industry faces.
As outlined above, current data privacy laws state that healthcare organizations must warn patients when their healthcare data is breached. Apart from the initial warning, organizations whose data is breached must often commit to damage control.
For example, the HIPAA Breach Notification Rule states that when a healthcare data breach impacts more than 500 individuals, the organization in question must report that breach to the media. A breach of data means a breach of trust. Compromised healthcare organizations must often take a multi-dimensional approach to regaining that trust. In the case of major breaches, some healthcare entities may struggle to regain patient trust.
How to Prevent Healthcare Data Security Breaches
When it comes to medical data, it’s not a matter of whether or not a security breach attempt will happen. It’s a matter of how organizations handle those breach attempts when they do happen. Thankfully, medical entities do have security options that can help them respond more effectively to breach attempts.
First of all, healthcare data security requires strict internet security. All devices that employees use for work must have antivirus software, VPNs, and secure wireless connections. A strict “no public wifi for remote work” policy can help organizations protect patient data, provided that individual employees understand the importance of this policy and follow through.
Next, medical data protection requires strict endpoint security. This includes using Trusted Platform Modules (TPMs) and data encryption. Healthcare entities should also have a way to lock, locate, and wipe compromised devices. We’ll cover device security in more detail in a moment. Entities should be able to execute these functions remotely so that they have immediate and effective protection against data compromise. Some people underestimate the importance of endpoint security, putting all of their focus on cloud security instead. Don’t make this mistake. Endpoint security is just as important as virtual security. As a matter of fact, almost half of healthcare data breaches happen due to laptop theft.
Health tech apps, software, and websites should be secure. Only use trusted, vetted channels for communicating with patients and processing their data to ensure top healthcare data security.
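As a concrete way to verify the endpoint baseline described above (a TPM, full-disk encryption, and antivirus on every work device), the following PowerShell script is an added example written for this page; it is not DriveStrike’s code and does not use DriveStrike’s product. It assumes a Windows endpoint with the built-in TrustedPlatformModule, BitLocker, and Defender modules, run from an elevated PowerShell session, and it reports which baseline checks pass or fail so that a non-compliant laptop can be flagged before it ever carries PHI.

```powershell
# Added example (not from the original page): audit one Windows endpoint
# against the baseline discussed above. Requires an elevated session.
# Cmdlets used: Get-Tpm (TrustedPlatformModule), Get-BitLockerVolume
# (BitLocker), Get-MpComputerStatus (Defender).

$tpm      = Get-Tpm
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
$defender = Get-MpComputerStatus

# A TPM-backed key protector means the disk key is released only when the
# boot chain is intact; a recovery password alone is not enough for this check.
$tpmProtector = $osVolume.KeyProtector |
    Where-Object { $_.KeyProtectorType -like 'Tpm*' }

$checks = [ordered]@{
    'TPM present'               = [bool]$tpm.TpmPresent
    'TPM ready'                 = [bool]$tpm.TpmReady
    'OS volume fully encrypted' = ($osVolume.VolumeStatus -eq 'FullyEncrypted')
    'BitLocker protection on'   = ($osVolume.ProtectionStatus -eq 'On')
    'TPM-backed key protector'  = [bool]$tpmProtector
    'Real-time AV protection'   = [bool]$defender.RealTimeProtectionEnabled
}

$failed = @()
foreach ($name in $checks.Keys) {
    if ($checks[$name]) {
        Write-Host ("PASS  {0}" -f $name)
    } else {
        Write-Host ("FAIL  {0}" -f $name)
        $failed += $name
    }
}

if ($failed.Count -eq 0) {
    Write-Host "Endpoint meets the baseline."
    exit 0
} else {
    # Non-zero exit lets a deployment or inventory job treat this device
    # as non-compliant and keep it away from patient data until fixed.
    Write-Host ("Endpoint is NOT compliant: {0}" -f ($failed -join ', '))
    exit 1
}
```

Run it as part of device onboarding or on a schedule through your management tooling; the exit code, rather than the printed lines, is what an automated job should key on.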
What You Need from Endpoint Healthcare Data Security
We briefly mentioned the needs of endpoint healthcare device security above. Let’s take a closer look at the most important factors.
Protect Devices with DriveStrike
In the medical field, portable devices need endpoint security to ensure patient data safety and overall healthcare data security. All of those security needs can become complicated, especially when an organization seeks out one healthcare data security measure at a time.
DriveStrike offers device encryption, remote locking, device tracking, and data wiping so that your organization can cover multiple security gaps at the same time.
We’re experienced healthcare data security veterans, with compliance expertise that includes HIPAA, GDPR, and more. Our solutions can help you maintain compliance, protecting your organization and the individuals that use it.
While we provide simple solutions for your data security needs, we also offer consistent, quality support for you and your organization. When you deal with highly personal data on a daily basis, your security team must offer on-demand support. You need a security support team that takes your data needs seriously, and DriveStrike is that team.
Contact DriveStrike to Get Started
Each day brings new healthcare data security challenges, so your organization needs simple and wide-reaching solutions to combat those challenges. DriveStrike is here to help you protect your most critical data with premium quality endpoint security. Our personnel are always here and ready to answer your questions.