There is an astronomical amount of healthcare data. By 2020, it's predicted that there will be more than 2314 exabytes of healthcare information stored across a variety of servers, on paper, even on microfiche. Up to 80% of this information is unstructured. This information includes patient care records, medical histories, DNA information, intellectual property, financial data, and identifying information.
Ideally, all of this information is kept safe. Unfortunately, that's not how things always play out. There were 477 healthcare information breaches reported to the US Department of Health and Human Services in 2017. This is in an industry where the acceptable amount of data loss or corruption should be precisely zero.
When healthcare data isn't properly protected, the damage done can be significant. As a result businesses in the healthcare industry must be vigilant in protecting data. The companies that do business with them must be as well. In order to keep healthcare data safe, companies should implement these 8 strategies.
1. Prioritize software updates
Dismissing a software update has become a near reflex action. The dialogue box pops up asking the user to apply updates now or wait until later. Of course, later is almost always the inevitable choice. When it comes to healthcare data, this approach simply cannot be allowed.
Operating system and software updates often contain security patches that fix vulnerabilities. In many cases, these vulnerabilities are discovered after hackers have exploited them. Without these patches not only is your data exposed, there are likely bad actors actively seeking systems that have these weaknesses.
2. Inventory and track IoT devices
Poor security in patient IoT devices could lead to data loss as well as endanger patients. Worse, unlike devices that are in your possession and under your control, IoT devices are different. These could be in the hands of patients, loaned out to other healthcare providers, in storage, etc.
If you use IoT devices, it's imperative that you know where they are at all times. Customer use agreements should also include language that states that customers must make these devices available for updates in the event that a vulnerability is discovered.
3. Manage mobile devices
Mobile devices are a useful tool for medical professionals. They can use them to collect data from patients, and access data from remote locations. Unfortunately, if security protocols aren't followed, and these devices aren't managed properly they can create a significant amount of risk.
There's no need to ban these devices entirely. However, there should be strict enforcement that includes real time tracking, and monitoring. This includes giving you the ability to wipe their device clean should it be lost or stolen.
4. Train employees about cybersecurity protocols
The problem isn't always hackers who are working hard to enter your systems through some backdoor vulnerability. In many cases, it's your users who fling the door wide open. They click links they shouldn't. They download software. They plug their own, unsecured devices into your computer systems. Sometimes, they unwittingly give information to people who have no business having it.
Technical solutions can help, but they don't solve this problem completely. Education and training is an absolute necessity. You have to create security protocols, train your employees in these, then test their knowledge.
5. Encrypt your data
Encryption is often the final layer of protection. When a device is lost, or somebody accesses data without authorization, encryption can make sensitive information unreadable. Just remember that data must be encrypted both at the moment of storage and when it's being transmitted.
6. Implement access control
Clive Williams, a database administrator at Trust my Paper says, "One of the best ways to protect sensitive data is to simply limit who can access that data. There's simply less risk, when access to information is given on a strictly need to know basis. When something does go wrong, these policies make it much easier to find the source of the security failure."
7. Use physical security measures
Physical security measures refer to the steps you take to prevent access to servers, computer rooms, storage devices, even paper files. These include locked doors, alarms, security badges, surveillance camera, offsite storage, even reinforced rooms. Not only can physical security measures protect your healthcare information, they can also help keep information safe in the event of a disaster.
8. Enforce secure passwords
It's understandable that users are often tempted to use simple, easily memorized passwords, or that they resist changing their passwords regularly. It also doesn't help when passwords must be so complex that they are tempted to write them down or take other risky measures. It can certainly be challenging to implement a password management system that truly keeps data safe, complies with HIPAA, and doesn't make the jobs of healthcare personnnel any more difficult than they already are.
Further, requiring complicated passwords often gives the illusion of increased security without actually providing that. In the future, these will likely be replaced with biometrics, single sign-on, and other solutions that will do a better job of securing information.
Related read: How to Develop a Professional Medical App for Doctors
Final thoughts: planning for failure
What if someone steals a security badge and gains access to our server room? What happens if someone cracks the system administrator's password? What do we do if someone uses social engineering to convince a staff member to click on a malicious link? The only way to truly keep healthcare data safe is to assume that any one security measure can be breached. By using a mix of the strategies above, you can create a multi-layered approach that can help keep sensitive data out of the wrong hands.
This is a guest post by Marie Fincher.