Getty Images/iStockphoto
Best Practices for Providers to Secure Patient Data
Increased vigilance, security best practices, and the right technology can help healthcare organizations secure patient data and stay one step ahead of cybercriminals.
The number and frequency of cyberthreats to patient data show no sign of slowing down, with hackers devoting more time and resources to stealing patient data.
As a result, healthcare organizations are becoming increasingly worried about attackers breaching their networks to steal patient data. Often, organizations are just one step behind bad actors.
However, increased vigilance and the right technology can keep cybercriminals at bay and patient data secure.
1) Understand the variety and likelihood of threats to health data security and privacy.
The Verizon Data Breach Investigations Report (DBIR) and research from the Ponemon Institute are prime sources for insight into the current threat landscape.
Verizon found that 536 out of 750 healthcare cyber incidents involved data breaches, and medical data was the target of two-thirds of these breaches. The Verizon DBIR also revealed that the healthcare industry is the worst when it comes to stopping insider data breaches.
A Ponemon study found that healthcare data breaches cost healthcare organizations an average of $408 per record in 2018, the highest of any industry and nearly three times higher than the cross-industry average of $148 per record. Medical records are attractive to cybercriminals and costly for organizations to lose.
2) Identify and address vulnerabilities in existing systems, processes and equipment.
Healthcare organizations need to proactively replace legacy technologies that are unable to meet current standards, particularly if they endanger patient data.
Updating systems, processes and equipment allows providers to shift their focus to deploying advanced security technologies. These include such innovations as micro-segmentation, software-defined perimeter tools, security operations and analytics platform architecture, and Artificial Intelligence (AI).
3) Maintain a secure infrastructure to protect patient data and avoid unauthorized access.
Developing strong healthcare infrastructure security protocols requires a comprehensive understanding of IT network security, physical infrastructure, data storage options and other key areas.
With technology solutions evolving every day, healthcare organizations must continually assess whether they are implementing the right infrastructure options to support daily operations. Strong healthcare infrastructure security will rely heavily on physical, administrative and technical safeguards that ensure HIPAA compliance.
4) Protect Patient Health Information (PHI) in the data center and on devices with HIPAA-compliant solutions.
Encryption, multifactor authentication and data integrity tools are examples of technologies that minimize risk and control access to sensitive information.
Patching is also important for both software and firmware on all types of devices. Installing vendor-recommended patches should be a routine process. Tools are readily available for identifying and mitigating risks associated with unpatched systems.
5) Implement endpoint protection and breach detection.
Healthcare endpoint attacks cost organizations more than $1 billion each year according to a survey by the Ponemon Institute. Only one-third of IT and security leaders polled said they have sufficient resources to effectively manage endpoint risks.
Antivirus software alone is inadequate to prevent endpoint attacks. Organizations should implement advanced threat protection solutions that include phishing attack mitigation and Endpoint Detection and Response (EDR) features.
Phishing attacks, which can compromise endpoints and lead to data theft, take advantage of users by disguising malware as a trusted and recognized source, meaning employee education and awareness are also necessary to protect patient data.
However, preventing phishing attacks requires a combination of employee education and technology. Education efforts should be supplemented by Domain-Based Message Authentication, Reporting and Conformance (DMARC) email validation systems.
DMARC identifies forged sender addresses that appear to be from legitimate organizations by providing the exact domain name in the “From:” field of email message headers. It enables organizations to stop scammers from using an email domain to attempt infiltration.
To combat phishing, organizations need to train employees on how to spot and avoid phishing emails. They also need to adopt security best practices and deploy appropriate technology to lessen the chances that a phishing attack or any other cyberattack will succeed.