7 Ways to Better Secure Electronic Health Records
Healthcare data is a prime target for hackers. What can healthcare organizations do to better protect all of that sensitive information?
July 24, 2018
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltc2ea5a7f952ea117/64f0d691a28258d2a33325f9/Image_1.jpg?width=700&auto=webp&quality=80&disable=upscale)
January was not a particularly bad month for electronic health record (EHR) breaches. Still, in just those 31 days, nearly a half-million records were exposed to unauthorized viewers.
According to the HIPAA Journal, the top four breaches in January were all the result of hacking or an IT incident, exposing more than 387,000 records. While these numbers pale in comparison to the tens of millions of records involved in recent credit bureau and social media hacks, the sensitive nature of the records amplifies the damage done.
What's more, the number of records lost to hacking or IT incident has steadily increased year over year since 2009 (though authors of the "January 2018 Healthcare Data Breach Report" note that at least some of that increase could be due to a lack of reporting in earlier years).
The report points to several reasons why healthcare breaches continue to occur. First, they're valuable records that have currency with criminals and nation-state actors. Next, healthcare organizations come in a dazzling array of sizes, with an equivalent array of IT security skill levels at their service. Finally, almost every step along the records trail involves a human, and humans are infamously fallible. So what's a conscientious organization to do?
In this article, we look at seven ways to better secure this sensitive healthcare data. This is far from an exhaustive list, but each one is something that an organization can reasonably do to reduce its risk. Of note, many of these points can be applied to any organization with sensitive data to protect.
Have you found other steps worth taking to protect sensitive data? What have you tried and found effective? Let us know in the comments section, below.
(Image: pandpstock001)
No matter how static the practice, EHR exists in a constantly evolving environment. Whether it's changing operating systems, new equipment, new patients, or new suppliers, things change, and the risks associated with those things change, too.
Risk assessments performed at least annually should be part of any health practice security regimen. This might include a HIPAA audit, though that just focuses on privacy and is not a substitute for a full risk assessment. If a health organization is too small to afford its own team for risk assessment, it should hire outside consultants and make sure that the risk assessment includes both internal and external factors, based in process and technology.
Finally, the organization must not let the fragile egos of anyone on staff prevent it from honestly assessing the risks of the activities they are involved in. Risk comes bearing many different academic degrees.
Medical practices tend to be filled with professionals using their personal smartphones and tablets for work purposes. In some cases, practices can require professionals to use practice-issued devices for their work. In others, they are forced to allow the personal devices. In both cases, the organization should use a combination of process, rules, and technology to eliminate or carefully control sensitive patient information on these mobile devices.
In a perfect world, there would be no patient data on personal mobile devices. Virtual desktop machines can allow this, though there is often a significant back-end cost, in both licensing and infrastructure, to use this option. When that's not possible, then mobile device management (MDM) becomes the option of choice for data protection.
MDM has evolved rapidly in the last half-decade and now includes (in many cases) options for encrypting data, separating professional from personal information, and deleting professional information in the case of device loss or theft. No matter how small the practice, MDM is not optional if professionals are going to use mobile devices in their work. It must be considered part of the device price when budgeting for mobile access.
It's one of the huge paradoxes in security: So many devices and processes generate log files that security analysts can find themselves drowning in log data. And yet many professionals will lament the fact that so much valuable log data goes unused in the day-to-day management and protection of the network and application environment.
Raw log files can become enormous in very short order. And that size works against their usefulness in the raw form. That's why log file management and automated analysis systems can be so important. They can help take the flood of data and turn it into a useful stream.
Log management functionality is frequently built into systems or network management frameworks. Even though it's present, it tends to be complex to set up and administer, making this a primary function to be outsourced to a managed security service provider. Especially when the organization is smaller, with fewer (or no) experienced security analysts on staff, a managed cloud security solution can provide the critical initial analysis required to make use of all the log data available.
Just because a practice collects data doesn't mean that all the data collected is necessary. And unnecessary data that hangs around an organization's storage, applications, and networks represents a massive invitation to privacy breach and data loss.
Not all unnecessary data comes from organizational overreach; some comes from lazy processes and poor data normalization. As an example, forms and screens often use patient name, date of birth, and Social Security number as identifiers in an effort to minimize confusion. It's a worthy goal for paper, but for electronic records, having that information in multiple databases means that each is a treasure-trove for criminals. Keeping that kind of sensitive data in one place and using an internally unique identifier to link databases is a much safer practice that minimizes the chance for harm.
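The identifier-linking practice described above, as an added example that is not part of the original article: two legacy tables that each repeat name, date of birth, and Social Security number are rewritten so that only one table holds those values and the others carry a random internal ID. The table names, column names, and sample rows are assumptions constructed for illustration.

```python
import sqlite3
import uuid

# Constructed sample data: legacy tables that each repeat name, DOB and SSN.
LEGACY = {
    "labs": [("Ann Lee", "1980-02-01", "000-00-0001", "HbA1c 5.4"),
             ("Raj Rao", "1975-07-19", "000-00-0002", "LDL 130")],
    "billing": [("Ann Lee", "1980-02-01", "000-00-0001", "INV-1 120.00")],
}

def build_legacy(conn):
    for table, rows in LEGACY.items():  # table names are constants, not user input
        conn.execute(f"CREATE TABLE {table} (name TEXT, dob TEXT, ssn TEXT, detail TEXT)")
        conn.executemany(f"INSERT INTO {table} VALUES (?,?,?,?)", rows)

def normalize(conn):
    """Move identifiers into one table; link everything else by an opaque ID."""
    conn.execute("CREATE TABLE patient_identity (patient_id TEXT PRIMARY KEY, "
                 "name TEXT, dob TEXT, ssn TEXT UNIQUE)")
    for table in LEGACY:
        people = conn.execute(f"SELECT DISTINCT name, dob, ssn FROM {table}").fetchall()
        for name, dob, ssn in people:
            # Random ID, not derived from PII; UNIQUE(ssn) skips patients already added.
            conn.execute("INSERT OR IGNORE INTO patient_identity VALUES (?,?,?,?)",
                         (str(uuid.uuid4()), name, dob, ssn))
        conn.execute(f"CREATE TABLE {table}_new (patient_id TEXT NOT NULL "
                     "REFERENCES patient_identity(patient_id), detail TEXT)")
        conn.execute(f"INSERT INTO {table}_new SELECT p.patient_id, t.detail "
                     f"FROM {table} t JOIN patient_identity p ON p.ssn = t.ssn")
        conn.execute(f"DROP TABLE {table}")
        conn.execute(f"ALTER TABLE {table}_new RENAME TO {table}")

def tables_holding(conn, value):
    """Return the tables in which a given sensitive value still appears."""
    hits = []
    names = conn.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall()
    for (table,) in names:
        cols = [c[1] for c in conn.execute(f"PRAGMA table_info({table})")]
        where = " OR ".join(f"{c} = ?" for c in cols)
        if conn.execute(f"SELECT 1 FROM {table} WHERE {where}", [value] * len(cols)).fetchone():
            hits.append(table)
    return sorted(hits)

def demo():
    conn = sqlite3.connect(":memory:")
    build_legacy(conn)
    before = tables_holding(conn, "000-00-0001")
    normalize(conn)
    return before, tables_holding(conn, "000-00-0001"), conn
```

Before the rewrite the sample SSN is found in both working tables; afterward it exists only in `patient_identity`, which is then the single table that needs the tightest access control, encryption, and audit logging.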
Data should also be reviewed for deletion on a regular, programmatic basis. Some data should live for a long time; other data can be safely discarded after a short interval. Knowing which data falls into which category requires coordination between all the units of the organization, but that coordination will bear fruit when the internal databases become less-appealing targets to criminals.
There are other steps that can, and should, be taken to protect patient data, but these are reasonable early steps along the path to more secure private information. Think like a criminal: Imagine the data you want, think of where your organization keeps it, and protect accordingly. Your patients, customers, and HIPAA compliance auditors will thank you.