Thursday, April 30, 2015

Healthcare Security


Following a recent healthcare data breach, data security is back in the national spotlight. Healthcare data breaches not only create financial vulnerabilities for companies and consumers, but they can also pose serious medical threats when the medical histories of affected patients are tampered with.

While healthcare data breaches have not received as much media attention as the hacks against national retailers, healthcare breaches could potentially have a much greater personal effect than hacks perpetrated in other industries.

What Makes Healthcare Data so Vulnerable?
Although data breaches in any industry pose great threats, healthcare data breaches have the potential to inflict greater financial and personal consequences on clients and companies. Here are some of the main concerns when it comes to healthcare breaches.

1. Health companies face unique challenges in transferring health records securely.
Many healthcare companies are still inexperienced in upholding and maintaining the secure transfer of their Electronic Health Records (EHRs), and consequently their records may be more vulnerable. While some healthcare companies have the technology needed to create secure records, others still lack the security practices needed to withstand trained hackers.

2. Healthcare companies need to refocus their infrastructure to protect against breaches.
Many healthcare companies are still learning how to protect against and prevent data breaches. Unlike credit card companies and banks, which have established measures for quickly recognizing fraudulent activity and putting a stop to it, healthcare companies can take months to notice errors, if they notice them at all.

“Cybercriminals tend to think of healthcare organizations as soft targets. Historically, they haven’t invested much in IT, and security specifically.” Knowing that healthcare companies are seen as easier targets should give these companies the necessary motivation to improve their security practices.

3. The consequences of healthcare breaches are much more severe.
While the consequences of identity theft can be expensive and frightening, the impact of a healthcare data breach is often more expensive and may even have the potential to be lethal. In addition to the financial threat, many hackers of healthcare records tamper with the records in order to make a higher profit (mostly by reselling prescription drugs). While the consequences of hacks aimed at obtaining and selling drugs seem obvious, these hacks can also lead to life-threatening changes to medical records (including past surgeries, allergies, and drug interactions), posing a great threat to your medical care in an emergency.

What Can Healthcare Providers Do?

Healthcare companies have sometimes neglected to deploy even the most basic enterprise security measures. Without proper security checkpoints, these companies make themselves more vulnerable to hacks and potentially put their clients’ most important data (social security numbers, medical records, credit card information) at great risk. However, in order to avoid these attacks in the future, healthcare organizations must take this opportunity to begin prioritizing better security practices and improve the face of healthcare security from here on out.

Friday, April 17, 2015

The Human Factor and Healthcare Privacy and Security

An organization can have all the necessary healthcare privacy and security measures in place, but without comprehensive employee training, the facility could still fall victim to a data breach or violate HIPAA regulations. That is just one of several issues the healthcare industry is facing in 2015. The human factor is critical for any healthcare organization, and a lack of knowledge about HIPAA could be harmful.

Access to healthcare information is also a critical aspect of securing that data, because organizations must ensure that the users who access the information are authorized to do so. Covered entities have to define which information needs to be accessed by which users. They also need to define what processes must be in place to ensure that the appropriate level of access is granted to those users.

Essentially, healthcare organizations need to take a look at what information they actually have, how that information is stored, and for what purposes it needs to be used. Once those three elements are in place, facilities can then define their provisioning processes based on users’ needs and the duties they have to perform.

Keep in mind that every user who has access to that data has a role or responsibility and is using that information for a specific purpose. So it is up to those users to make sure that they follow the processes, procedures, and policies in place for the disclosure of that information.

Additionally, that access has to be in accordance with all regulatory requirements, such as the HIPAA Privacy Rule and Security Rule. Finding that balance is a challenge that healthcare organizations of all sizes are working to overcome.

“It’s a lot easier for practices, covered entities, and hospitals to grant access to all employees and feel like they will only use the information that they’re supposed to,” he said. “However, that’s not always the case.”

This is where comprehensive training and education will come into play. Employees need to be aware of what the Privacy and Security Rules are about and then what their obligations as staff members are. From there, covered entities need to teach employees how to tie those obligations back to existing practices within their particular organization.

Another key tool for strengthening the human factor in healthcare privacy and security is conducting regular audits and reviews of what employees are actually able to access. For example, an individual who works in the billing office doesn’t necessarily need access to clinical information, such as a patient’s medical record. Comparatively, a nurse will need access to clinical information, but will likely not need to see a patient’s demographic information or their financial data.

You have to understand what information you have in your system and how grantable your system can be in order to determine what level of access is appropriate for your employees, recalling the “minimum necessary” required in HIPAA. “Granting all access to everybody would not be in compliance, and would not be standard with the security requirements.”
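The role-based, minimum-necessary review described above, as an added example that is not part of the original post: a small Python script that encodes a role-to-data-category policy, decides individual access requests against that policy rather than against whatever was granted, and audits provisioned accounts for grants that exceed what the role's duties require. The role names, data categories, and sample accounts are constructed for illustration from the post's billing-clerk and nurse examples; a covered entity would derive its own mappings from its minimum-necessary analysis.

```python
"""Minimum-necessary access audit (constructed example, not from the original post)."""
from dataclasses import dataclass

# Data categories named in the post. Hypothetical labels for this example.
CLINICAL = "clinical"        # medical record, diagnoses, allergies, drug interactions
DEMOGRAPHIC = "demographic"  # address, date of birth, contact details
FINANCIAL = "financial"      # billing records, card data

# Role -> the data categories that role needs for its duties.
# Constructed from the post's examples; a real policy comes from the
# organization's own minimum-necessary analysis.
ROLE_POLICY = {
    "billing_clerk": {DEMOGRAPHIC, FINANCIAL},
    "nurse": {CLINICAL},
    "physician": {CLINICAL, DEMOGRAPHIC},
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    granted: frozenset  # categories the account has actually been provisioned with


def authorize(account, category):
    """Decide one access request.

    The request must pass BOTH checks: the role's policy allows the category
    and the account was actually granted it. Checking the policy, not only the
    grants, means a stale or over-broad grant does not silently allow access.
    """
    allowed = ROLE_POLICY.get(account.role, set())
    return category in allowed and category in account.granted


def audit_over_provisioning(accounts):
    """Return {user: sorted excess categories} for every account whose grants
    exceed what its role's duties require. Accounts with an unknown role are
    reported in full, since nothing about their need is documented."""
    findings = {}
    for acct in accounts:
        needed = ROLE_POLICY.get(acct.role)
        if needed is None:
            findings[acct.user] = sorted(acct.granted)
            continue
        excess = set(acct.granted) - needed
        if excess:
            findings[acct.user] = sorted(excess)
    return findings


# Constructed sample of provisioned accounts, including the "grant everything
# to everybody" pattern the post warns against (dana).
SAMPLE_ACCOUNTS = [
    Account("alice", "billing_clerk", frozenset({DEMOGRAPHIC, FINANCIAL})),
    Account("bob", "billing_clerk", frozenset({DEMOGRAPHIC, FINANCIAL, CLINICAL})),
    Account("carol", "nurse", frozenset({CLINICAL})),
    Account("dana", "contractor", frozenset({CLINICAL, DEMOGRAPHIC, FINANCIAL})),
    Account("eve", "nurse", frozenset({CLINICAL, FINANCIAL})),
]


if __name__ == "__main__":
    for user, excess in audit_over_provisioning(SAMPLE_ACCOUNTS).items():
        print(f"{user}: over-provisioned for {', '.join(excess)}")
    bob = SAMPLE_ACCOUNTS[1]
    print("bob may read clinical data:", authorize(bob, CLINICAL))
```

Running the audit periodically, as the post recommends, turns the "minimum necessary" requirement into a concrete list of grants to revoke; the `authorize` check is the runtime counterpart, so that an over-broad grant that has not yet been cleaned up still does not translate into actual access.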