These five steps will make most healthcare providers a much tougher target. Some are things that IT professionals know they should do but don’t, usually because of time and resource pressures. Others are about simple human nature.
Step 1. Improve your data security policies and procedures and establish evidence of compliance with them.
Written procedures are the backbone of data security — they give you a reference for training, a standard to measure against and, most important of all, give everyone in the organization clear guidelines for data handling. (They are also a powerful aid when you need to make the case for more resources.)
A robust policy document is also essential for HIPAA compliance. Depending on the nature of your work, you might need policies and procedures covering up to 50 HIPAA Security standards — in fact, most healthcare providers we visit have about 10. Additional policies are needed for Privacy and Breach.
In order to meet the Office of Civil Rights (OCR) Phase II audit requirements, once you establish your policies you must educate your staff and develop evidence of compliance with those policies.
Step 2. Keep your software, server OS, and antivirus definitions up to date.
If you’re an IT professional, you don’t need a consultant to tell you that outdated software, legacy systems and network devices that have passed their end-of-life date all carry inherent security risks.
But resources get squeezed, and it’s only natural that user demands and clinical imperatives take priority. This is actually a problem we see every day — and for many healthcare organizations, it has become a significant risk.
Hackers focus a lot of resources on ‘zero day’ attacks, exploiting vulnerabilities in the window between their discovery and the installation of a patch. They depend on their victims being slow to apply patches and update threat signatures.
Hard though it is, the IT organization must make a clear case for the staffing and budget required to make all the relevant patches as they are received.
Step 3. Educate your people.
All the technical security measures in the world won’t help to defend your data if your users let hackers in the back — or even front — door.
Most organizations we visit give annual, online training, but it’s only when we talk to people face-to-face that they start to realize that security starts with them. They learn how simple personal habits, such as protecting their login details, not taking data off-site, logging out when they leave their desk, and not surfing the web or clicking on suspicious e-mail links, can prevent data breaches.
Step 4. Encrypt laptops and other personal devices.
Clinicians are quickly frustrated by poor hardware performance — and with their clear focus on delivering the best care for patients, that’s as it should be.
As a result, we find many hospitals have decided not to universally encrypt their laptop hard drives — believing they’re maximizing performance when data is stored elsewhere.
But it’s not just the patient record itself that’s sensitive. This approach can leave other kinds of PHI vulnerable if the laptop has been used to write confidential letters or conduct research. Mobile devices are a particular risk, and with users increasingly bringing their own smartphones and tablets to work, the issue is only getting more complex.
It’s laudable to put as much performance and flexibility as possible into clinicians’ hands — but failing to encrypt is not a sensible option.
Step 5. Task somebody to watch network traffic.
Often, we meet healthcare IT professionals who have every confidence that EHR privacy is well protected in their organizations by the use of network login procedures and role-based authentication at the application level.
So naturally, they’re surprised when we can still get to the data anyway.
Even though the EHR system itself may be well protected, hackers who can access the unencrypted network are able to capture interface traffic, and still get all the patient information as it’s used — albeit in raw form. In addition, the increasing use of network-connected medical devices and wireless technology — with a variety of embedded operating systems — means there are more potential entry points than ever before.
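The point above is that an EHR can be locked down at the application layer while its interface feeds still cross the network as readable HL7 v2 text. The following is an added example, not code from the original article or from any product it describes, of the kind of check the person tasked with watching traffic can run: it takes a handful of captured payloads, skips anything that is a TLS record, recognises cleartext HL7 v2 messages by their MSH header (including MLLP framing), and reports which patient-identifying PID fields were populated without echoing their values. The flows, addresses, ports and patient details are constructed for the example; treat the TLS heuristic as a simple illustration, not a full protocol detector.

```python
"""Flag cleartext HL7 v2 interface traffic that carries patient identifiers.

Added example (not from the original article). The flows below are
hand-written stand-ins for payloads a network monitor would hand you;
the hosts, ports and patient values are constructed.
"""
import re
from dataclasses import dataclass

# An HL7 v2 message starts with the MSH segment, the field separator "|"
# and the encoding characters "^~\&".
HL7_HEADER = re.compile(rb"^MSH\|\^~\\&\|")

# PID fields that identify a patient. The finding names *which* fields
# were populated, never their values, so the report itself leaks no PHI.
PID_FIELDS = {3: "patient identifier list", 5: "patient name",
              7: "date of birth", 11: "patient address", 19: "SSN"}


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes


@dataclass
class Finding:
    src: str
    dst: str
    dst_port: int
    message_type: str
    phi_fields: list


def looks_like_tls(payload: bytes) -> bool:
    """TLS records begin with a content-type byte (0x14-0x17) and major version 0x03."""
    return len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03


def parse_hl7(payload: bytes):
    """Return (message type, populated PID field names), or None if not cleartext HL7."""
    # Strip MLLP framing (VT ... FS CR) if the feed uses it.
    body = payload.lstrip(b"\x0b").rstrip(b"\x1c\r\n")
    if not HL7_HEADER.match(body):
        return None
    # HL7 v2 separates segments with CR; tolerate LF/CRLF from sloppy senders.
    segments = [s for s in re.split(rb"\r\n|\r|\n", body) if s]
    msh = segments[0].split(b"|")
    # MSH-1 is the separator itself, so MSH-9 (message type) sits at index 8.
    message_type = msh[8].decode("ascii", "replace") if len(msh) > 8 else "?"
    phi = []
    for seg in segments[1:]:
        fields = seg.split(b"|")
        if fields[0] != b"PID":
            continue
        for idx, name in PID_FIELDS.items():
            if idx < len(fields) and fields[idx].strip(b"^~ "):
                phi.append(name)
    return message_type, phi


def find_cleartext_phi(flows):
    """Return a Finding for every flow carrying readable HL7 with patient identifiers."""
    findings = []
    for f in flows:
        if looks_like_tls(f.payload):
            continue  # encrypted on the wire: a sniffer cannot read it
        parsed = parse_hl7(f.payload)
        if parsed is None:
            continue
        message_type, phi = parsed
        if phi:
            findings.append(Finding(f.src, f.dst, f.dst_port, message_type, phi))
    return findings


# Constructed sample traffic (hosts, ports and patient values are made up).
SAMPLE_FLOWS = [
    # 1. Cleartext ADT admission over MLLP: should be flagged.
    Flow("10.0.5.21", "10.0.9.40", 2575,
         b"\x0bMSH|^~\\&|ADT|WARD3|EHR|MAIN|202401011200||ADT^A01|0001|P|2.5\r"
         b"PID|1||123456^^^HOSP^MR||DOE^JOHN||19700101|M\r\x1c\r"),
    # 2. The same feed wrapped in a TLS application-data record: not readable, not flagged.
    Flow("10.0.5.22", "10.0.9.40", 2576, b"\x17\x03\x03\x00\x40" + bytes(64)),
    # 3. An HL7 acknowledgement with no PID segment: readable but carries no identifiers.
    Flow("10.0.9.40", "10.0.5.21", 2575,
         b"\x0bMSH|^~\\&|EHR|MAIN|ADT|WARD3|202401011201||ACK^A01|0002|P|2.5\r"
         b"MSA|AA|0001\r\x1c\r"),
    # 4. Unrelated HTTP traffic.
    Flow("10.0.5.23", "10.0.9.41", 80, b"GET /status HTTP/1.1\r\nHost: hosp\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in find_cleartext_phi(SAMPLE_FLOWS):
        print(f"{finding.src} -> {finding.dst}:{finding.dst_port} "
              f"{finding.message_type} exposes {', '.join(finding.phi_fields)}")
```

Run against real captures, the output is a list of interface pairs that need to move to TLS (or onto an isolated, encrypted segment), which is a more useful artefact for the budget conversation in Step 2 than a general warning that "the network is unencrypted".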