Even in 2017, the healthcare industry lags behind on data security. Almost 90% of healthcare businesses had their data breached within the past two years. This resulted in an estimated $6.2 billion loss for the industry as a whole. Although data theft isn’t limited to the healthcare industry, the rate at which healthcare data is stolen outpaces most other industries. So why is maintaining proper healthcare information security such a problem?
Changing your electronic health record (EHR) or electronic medical record (EMR) vendor probably isn’t the answer. Stephanie Tayengco, SVP of Operations at Logicworks, said in Becker’s Hospital Review that there are several complicated factors. Among others, she discusses how health IT involves many manual processes, how HIPAA requirements aren’t sufficient on their own, and how the value of patient data makes healthcare organizations attractive targets for hackers.
Despite these factors, healthcare businesses need to better protect their data. This is for the safety of not only their clients, but their employees as well. Although it’s not an easy task, it’s a necessary one that will pay off long-term. To help, we came up with a list of strategies to better maintain healthcare information security:
Take Note of the Devices Your Data Passes Through
The Internet of Things means that our world is filled with more devices seemingly every day. In today’s workplace you’ll find a plethora of laptops, tablets, smartphones and more. With more employees accessing business software on their mobile devices, more personal devices are used to conduct business than ever. But every additional device that can reach your data is another way for it to be exposed. To reduce the chances of a data breach, have your IT staff assess the risk of every device that will access your data.
Even personal tablets and smartphones need to be assessed to ensure they’re secure. In fact, they matter more, as they tend to be more vulnerable than devices used exclusively for business. To be clear, this doesn’t mean digging through your employees’ private information. But you can and should look at the security capabilities of each device accessing your data. If you haven’t already done so, start ASAP. The longer you wait, the more you’ll have to catch up, and the more vulnerable you leave yourself and your data.
Secure Your Wireless Networks and Messaging Systems
Just as more devices make you more vulnerable, so do more wireless connections. If your practice offers free WiFi for patients and a messaging system, your data is more exposed. Now, we’re not saying get rid of either of these; they’re probably reasons why patients chose you in the first place. But their security is oftentimes overlooked, since they don’t store patient records. Alison Diana at InformationWeek recommends creating automated procedures to update devices and users. This helps make sure ex-employees don’t continue to have access and that new technology isn’t left unprotected.
Go Above and Beyond HIPAA
Many organizations believe that if they’re complying with HIPAA they’re doing enough. Unfortunately, this isn’t the case. As Tayengco says: “Many healthcare organizations mistakenly believe that HIPAA compliance is a checkbox, and once infrastructure is configured, it is ‘all set’ or somehow guarantees the security of their environment. However, even following both HIPAA and NIST guidelines is not enough; these recommendations can take years to catch up to new technology shifts.”
There are plenty of steps healthcare businesses should take beyond HIPAA to protect their data. For example, Tayengco recommends encryption. Encrypting your health records, medical records and other data is a relatively small step that goes a long way towards protecting against a breach: records that are stolen or lost while encrypted are useless to an attacker who doesn’t also hold the key.
Train Your Employees
With the adoption of healthcare information technology still in its early stages, employees are still getting used to it. Policies and procedures need to change to accommodate the digitization of patient records. But just making new policies only goes so far without proper training.
Make sure to train your employees, both new and long-tenured, on new data security procedures. Robert C. Covington at Computerworld likens it to putting together a bike without instructions: “Unless you happen to be an engineer, attempting this will result in a string of expletives, and a disappointed kid.” To put this in perspective, Kelly Jackson Higgins notes that 36% of data breaches occurred because of an unintentional employee act. Such an act is usually avoidable, and proper training goes a long way towards preventing those kinds of mistakes.
Don’t Forget About Paper Records
Not every problem lies in your health information technology. Sometimes, you need to look at something a little old-school to keep your data safe. You may have the most secure EMR and EHR system in the world, but ignoring paper record security can just as easily lead to a data breach. The security of your paper records goes hand-in-hand with proper training, as breaches involving paper records usually stem from a lack of training. For example: leaving a file open on the front desk, or, even worse, leaving records out in the open and unlocked. Even though your digital data is what hackers can reach most easily, you can’t forget about securing good ol’ fashioned paper records as long as you have them.
Although these strategies will drastically reduce the likelihood of a data breach, the reality is that owning any kind of valuable data carries inherent risk. Cybersecurity expert Jim Lewis says that you have to “Think of it as a continuum of risk. You can do nothing, and you’re at 100% risk. Or you can do a lot and you can get the risk down to 10% to 15%.”
Now don’t fret, healthcare businesses; there’s still good news. According to studies done by security rating firm BitSight, healthcare information security has improved of late. Comparing the average security ratings for the healthcare industry from 2015 to 2016, the industry as a whole improved by 5%. Clearly, the industry is becoming more proactive about reducing data breaches. Hackers beware; the industry won’t be vulnerable for much longer.