Security in Healthcare IT: Protecting Sensitive Patient Data
Keeping data secure is important in all sorts of spheres of life, from company financial information to sensitive legal documentation. But keeping healthcare data secure is particularly crucial.
The principle of patient confidentiality is long-established and highly important. It does not exist merely to spare embarrassment or to stop patients from being reluctant to see their doctor; it also helps ensure people do not face prejudice and discrimination because of a health condition, and that patients can make informed decisions without outside interference. In many countries there are regulations in place to enforce this, such as HIPAA in the US and the Data Protection Act 2018 in the UK.
Medical records, however, are necessary and vital to ensure that when a patient is being treated, the clinicians involved have all the information they need to know to help rapidly diagnose a problem, provide the right treatment and avoid giving medications that could have adverse effects. Often this can make the difference between life and death.
This access to data is invariably easier to obtain if it is in a digital record, so IT has an essential role in providing swift and accurate flows of information. However, this also means sensitive data can potentially be at risk from hacking incidents, which are used to steal it for all manner of nefarious reasons, from blackmail to identity fraud.
Indeed, ransomware is something many health service providers are all too familiar with. Last year, there was a ransomware attack on NHS 111 services in England. And between 2016 and 2021 in the US, ransomware attacks on healthcare systems nearly doubled. In a ransomware incident, attackers who have gained access to a system, often through a phished credential, exposed remote access or an unpatched vulnerability, encrypt its data and demand payment to decrypt it, effectively holding the hospital and all of its vital digitized systems to ransom.
Stealing, interfering with, or encrypting sensitive and often vital patient data in this way might have dire consequences if it hampers patient access to urgent treatment, and hackers use this to their advantage.
Clearly, data breaches are a huge problem that can be expensive to tackle and disruptive to important healthcare activity. Evidence of just how bad the consequences can be was presented by a Ponemon Institute and Proofpoint study produced last year. It found that 20% of healthcare providers hit by ransomware or other cyberattacks on their IT systems saw a 20% rise in mortality as a result.
Furthermore, the study showed that 89% of the 641 organizations surveyed had experienced attacks, facing around 43 a year on average. The threat is clearly not an occasional one, and even if just one or two attacks get through, that can be enough to cause enormous damage.
Another consequence can be the legal impact of sensitive data being stolen and disclosed. As Health IT Security reported last year, one of the extra dangers can be lawsuits from affected patients seeking damages for the consequences of such attacks.
This is a particularly strong reason for healthcare providers to take every possible step to remain compliant with security regulations. The cost can be tangible in legal fees for any patients who might sue for breach of data, but the potential cost of human life if systems are compromised is even more reason to ensure that hackers cannot enact successful ransomware attacks.
Staying compliant means you must take stringent steps to deal with threats wherever they come from. This is not just about putting up firewalls to keep external attackers out; there is also a need to address insider threats, which can come from employees either accidentally or deliberately leaking information to unauthorized parties.
Preventing insider threats requires a range of steps. It means training staff in IT security, so they do not fall for phishing and similar scams and know how to spot and report anything suspicious. It also means your IT systems need to be designed to log staff activity, so that, for example, any instance of a staff member downloading information to an unsecured device is recorded and can be reviewed.
Indeed, the dangers of unsecured devices are a major concern for IT in all industries, but particularly in healthcare, where patient information accessed, intentionally or accidentally, outside the healthcare environment can violate patient data security regulations. The bring your own device (BYOD) approach that some organizations use to save money on company-owned hardware is generally not worth the risk. If devices that leave the healthcare campus are lost or stolen, sensitive patient data can land in the wrong hands; if they join unsecured Wi-Fi networks off campus, they become exposed to attack. These are only two of the many risks of BYOD in healthcare environments.
All this might convey the impression that in any healthcare organization, especially a large public one like the NHS, even the best efforts will leave the security apparatus with many potential holes. But there is a lot that can be done to protect your organization. Cyberattacks may be frequent, but they will bounce off a good defense like raindrops hitting an umbrella.
A key starting point is to provide healthcare staff with secure devices like the Spectralink Versity family of enterprise smartphones. These all-in-one devices provide robust, secure systems for internal communication in health sector organizations: data passes between authorized persons through secure messaging and voice that comply with the latest and most stringent regulations, giving criminals no easy way to intercept information. Our Versity 95 is Android Enterprise Recommended, meaning it meets Google's requirements for enterprise Android devices, including regular security updates. And, through integration with leading approved EHR (Electronic Health Record) applications like Epic, clinicians can be assured they are accessing and entering patient data safely and securely.
Electronic Healthcare Reporter issued five top tips for achieving the goal of solid cyber security, with reliable data systems with a very low risk of being compromised.
Firstly, it advised that any employer should carefully monitor its employees and how they are using their devices. They must also be trained well so they know what they can and can’t use in the workplace. And, if a BYOD policy does operate, these devices must be equipped with encryption and secure passwords. Thankfully, with Spectralink, our AMIE® (Advanced Mobile Intelligence for Enterprises) mobile device management dashboard, IT is able to help manage these key security features across the entire fleet of devices.
Passwords were central to the second tip. Weak passwords that are easy to guess are a major security risk, so stronger ones using a complex combination of numbers, letters, and symbols will help fortify this area of vulnerability. Current guidance (NIST SP 800-63B) puts more weight on length and on screening new passwords against lists of known-breached passwords than on mandatory symbol mixes, which users tend to satisfy with predictable substitutions. In addition, two-step authentication adds a second element of security to get through before data can be accessed, making a breach harder to achieve.
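To make the second tip concrete, the following is an added example (not code from the original page or from Spectralink) showing both halves of it in Python: a password screen that checks length and a breached-password list rather than symbol composition, and a second factor implemented as RFC 4226 HOTP / RFC 6238 TOTP, the scheme behind common authenticator apps. The breached-password set, the 12-character minimum and the 30-second step are assumptions chosen for the example; the HOTP/TOTP arithmetic follows the RFCs and is checked against their published test vectors.

```python
import hashlib
import hmac
import secrets
import struct
import base64


def password_problems(password: str, breached: set[str], min_len: int = 12) -> list[str]:
    """Return a list of reasons a candidate password should be rejected.

    Follows NIST SP 800-63B: a length floor and a breached-list check, no
    composition rules. `breached` is assumed to hold lower-cased entries.
    """
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if password.lower() in breached:
        problems.append("appears in a breached-password list")
    return problems


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte selects the window
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step and +/- `window` steps (clock drift).

    The comparison is constant-time so the check does not leak how many
    leading digits matched.
    """
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(counter - window, counter + window + 1))


def enroll_secret() -> tuple[bytes, str]:
    """Generate a fresh 160-bit TOTP secret and its base32 form for an authenticator app."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode("ascii")


if __name__ == "__main__":
    # Constructed breached list for demonstration; real deployments use a large corpus.
    breached = {"winter2023!", "password1", "hospital123"}
    print(password_problems("Winter2023!", breached))        # two problems
    print(password_problems("correct horse battery staple", breached))  # none

    # RFC 6238 Appendix B vector: ASCII secret, T=59 -> 94287082 (8 digits)
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59, digits=8))
    raw, b32 = enroll_secret()
    print("share with authenticator app:", b32)
```

`enroll_secret` is what a provisioning step would store server-side (the raw bytes) and show to the user once as a QR code or base32 string; the server then calls `verify_totp` at login with the code the user types.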
The third tip is to have effective means of detecting any unusual activity that could indicate a data breach is taking place. Examples of this would be abnormally large amounts of data being moved, or information being transferred to an unusual device or destination.
By spotting this early and taking swift action, a problem can be tackled to at least limit the harm, if not thwart the attack altogether. It can also be an effective way of catching anyone attempting an inside job.
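The two signals the third tip names, an abnormally large transfer and a transfer to an unusual destination, can be checked mechanically against the export log that the insider-threat section says systems should keep. The block below is an added example, not code from the original page or from any vendor: it parses constructed audit lines in an assumed `user= action= dest= bytes=` format, keeps a per-user history of earlier exports, and raises an alert when an export is far larger than that user's own median or goes to a destination outside an assumed allow-list.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed line shape for this example; real EHR audit logs differ and would need their own parser.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"dest=(?P<dest>\S+) bytes=(?P<bytes>\d+)$"
)

# Assumed allow-list of hosts/devices that may receive exported records.
APPROVED_DESTINATIONS = {"ws-ward3", "srv-backup", "srv-ehr"}

# Constructed sample audit lines (not from any real system).
SAMPLE_LOG = """\
2023-03-01T08:02:11 user=nurse01 action=view dest=ws-ward3 bytes=12000
2023-03-01T08:10:42 user=nurse01 action=export dest=ws-ward3 bytes=250000
2023-03-01T10:00:00 user=admin02 action=export dest=srv-backup bytes=900000000
2023-03-02T09:15:03 user=nurse01 action=export dest=ws-ward3 bytes=300000
2023-03-02T10:00:00 user=admin02 action=export dest=srv-backup bytes=950000000
2023-03-03T09:30:19 user=nurse01 action=export dest=ws-ward3 bytes=280000
2023-03-03T10:00:00 user=admin02 action=export dest=srv-backup bytes=910000000
2023-03-04T22:47:55 user=nurse01 action=export dest=usb-unknown bytes=48000000
"""


def parse_log(text: str) -> list[dict]:
    """Parse audit lines into dicts; lines that do not match the expected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["bytes"] = int(ev["bytes"])
            events.append(ev)
    return events


def detect_anomalies(events: list[dict], approved: set[str],
                     min_history: int = 3, spike_factor: int = 10) -> list[tuple[str, str, str]]:
    """Return (user, timestamp, reason) alerts for suspicious exports.

    Signal 1: an export larger than `spike_factor` times the user's own median
    export size, once at least `min_history` earlier exports exist for that user.
    Signal 2: an export to a destination outside the allow-list.
    The per-user baseline is what keeps a backup operator's routine large
    transfers from tripping the volume rule.
    """
    alerts = []
    history = defaultdict(list)  # user -> sizes of that user's earlier exports
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        if ev["action"] != "export":
            continue
        user, size, dest = ev["user"], ev["bytes"], ev["dest"]
        if dest not in approved:
            alerts.append((user, ev["ts"], f"export to unapproved destination {dest}"))
        prior = history[user]
        if len(prior) >= min_history:
            baseline = median(prior)
            if size > spike_factor * baseline:
                alerts.append((user, ev["ts"],
                               f"export of {size} bytes exceeds {spike_factor}x "
                               f"the user's median of {int(baseline)}"))
        prior.append(size)
    return alerts


if __name__ == "__main__":
    for user, ts, reason in detect_anomalies(parse_log(SAMPLE_LOG), APPROVED_DESTINATIONS):
        print(f"ALERT {ts} {user}: {reason}")
```

In the sample, `admin02` moves hundreds of megabytes every day to the backup server and is never flagged, while `nurse01`'s late-night 48 MB export to an unknown USB device trips both rules at once. That combination is exactly the pattern the tip describes, and it is the one a SOC analyst would want at the top of the queue.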
Email is another area of real vulnerability. A particular danger is malware or ransomware carried in an email attachment: someone opens it, and the system is infected.
To defeat this, the email gateway needs to be configured to filter out, and where appropriate block, messages from suspicious sources and attachments of dangerous types. This is also an area where staff training makes a difference; if in doubt, a staff member should report suspicious emails to the IT team.
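The attachment checks a mail gateway performs can be illustrated with the standard library alone. The block below is an added example, not code from the original page or from Spectralink: it builds constructed sample messages with Python's `email` package and screens each attachment for executable or script extensions, a document-looking name hiding a second extension, macro-enabled Office files, and a payload whose first bytes are the Windows executable `MZ` header regardless of what the filename claims. The extension lists and the three-level verdict (pass, quarantine, block) are assumptions for the example.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed lists for this example; production gateways carry longer, tuned versions.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar", ".lnk"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
ARCHIVE_EXTENSIONS = {".zip", ".7z", ".rar", ".iso"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def build_sample(filename: str, payload: bytes, maintype: str, subtype: str) -> bytes:
    """Construct a one-attachment message as raw bytes (test data, not a real email)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "ward-clerk@hospital.example"
    msg["Subject"] = "Patient paperwork"
    msg.set_content("Please see attached.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def screen_message(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Return (verdict, findings) where verdict is 'pass', 'quarantine' or 'block'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        root, ext = os.path.splitext(name)
        inner_ext = os.path.splitext(root)[1]
        data = part.get_payload(decode=True) or b""

        if ext in BLOCKED_EXTENSIONS:
            findings.append(("block", f"{name}: executable or script extension {ext}"))
        if inner_ext in DOCUMENT_EXTENSIONS and ext not in DOCUMENT_EXTENSIONS:
            findings.append(("block", f"{name}: document-looking name hides {ext}"))
        if data[:2] == b"MZ":
            # Filename and Content-Type are attacker-controlled; the bytes are not.
            findings.append(("block", f"{name}: payload starts with a Windows executable (MZ) header"))
        if ext in MACRO_EXTENSIONS:
            findings.append(("quarantine", f"{name}: macro-enabled Office document"))
        if ext in ARCHIVE_EXTENSIONS:
            findings.append(("quarantine", f"{name}: archive, needs unpacking and sandboxing"))

    severities = {sev for sev, _ in findings}
    verdict = "block" if "block" in severities else "quarantine" if "quarantine" in severities else "pass"
    return verdict, findings


if __name__ == "__main__":
    samples = [
        build_sample("referral.pdf", b"%PDF-1.4 constructed sample", "application", "pdf"),
        build_sample("referral.pdf.exe", b"MZ\x90\x00" + b"\x00" * 16, "application", "octet-stream"),
        build_sample("claims.docm", b"PK\x03\x04" + b"\x00" * 8, "application", "vnd.ms-word.document.macroEnabled.12"),
    ]
    for raw in samples:
        verdict, findings = screen_message(raw)
        print(verdict, findings)
```

At the MTA itself the equivalent first line of defence is a header rule such as Postfix's `mime_header_checks`, which can reject a message on the attachment filename before the body is ever delivered; the content check on the `MZ` header above is what catches the case where the name has been made to look harmless.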
The fifth and final tip is to keep staff updated on best practices for maintaining security. Regular refresher sessions will help maintain this and prevent complacency and forgetfulness from creeping in.
These highlighted issues are consistent with research into the risks faced by health services. A State of Healthcare IoT Device Security 2022 report noted that over half of the connected devices used in hospitals have security flaws, that 75% of IV pumps have vulnerabilities which, if exploited, could harm patient health, and that the most common risk is weak or default passwords.
Partnering with an experienced security organization like Spectralink can help mitigate some security risks. Not only do our devices meet and exceed strict security standards and regularly receive security patches and software updates as new threats are identified, but we can also assist with setting up secure systems of authentication, breach monitoring, server protection, and more.
It can be shocking to learn the level of threat that is posed to healthcare providers by those who have malicious reasons for trying to steal or leak secure data. It is bad enough when it comes from those outside an organization and perhaps even more horrifying when it turns out someone is working from the inside, undermining the work of caring, professional colleagues.
However, this is the reality, and the potential for ransomware attacks and other security threats cannot be ignored and instead should be addressed proactively. There are strong regulations in place across various jurisdictions to ensure compliance and serious penalties for non-compliance. But with the right help, this is a fight you can go a very long way to winning, helping you keep sensitive patient data secure and keeping the focus on better patient experiences and outcomes.