Information security continues to be a challenge for healthcare organizations across the country. As of December 2019, the Department of Health and Human Services’ Office for Civil Rights reported that 41,232,527 healthcare records were breached since January of that year. This makes 2019 the second worst year on record for reported healthcare breaches. Hacking/IT incidents lead the list of causes followed by unauthorized access or disclosure, and theft came as the third most common cause. Other causes included loss and improper disposal.
Email was the most common location of breached data. Other locations included electronic medical records, paper/hard copies, servers, laptops, desktop computers, and portable devices. These statistics highlight three areas of elevated risk: email, paper/hard copies, and servers.
What can healthcare organizations do to be diligent and reduce risk? The bad news is, there is no way to fully secure information from potential misuse or abuse, but that doesn’t mean risk can’t be dramatically reduced with the right kinds of effort. A good start is developing a security program that is risk-based and prioritized. HIPAA legislation suggested some places to start, and security frameworks like the NIST Cybersecurity Framework (CSF) are great tools being based on several decades of growing maturity in information security principles and practices. Building a security program based on the NIST CSF and a routine, rigorous HIPAA risk assessment process is a great approach to begin reducing risk in your organization. There is a lot of detail involved in running a security program that is beyond the scope of this article, but let’s quickly focus a bit on the top three breach locations from last year.
This area stood out amongst the other locations due to sheer number of breaches. You’ve likely heard about email phishing by now, and that is the core reason why so many of these breaches occurred resulting in exposure, and in some cases, loss of data due to ransomware attacks. Email phishing consists of rogue emails masquerading as legitimate senders attempting to gain an action, or very often, attempting to gain your login credentials by sending you to a rogue login page for a service you may commonly use. This type of attack is difficult to protect against, because it involves human judgement in addition to automated security measures for protection. Of the available ways to address this risk area, user training and two-factor authentication rise to the top of the items that are most promising. User training should involve not only awareness and education but also be combined with routine email phishing testing. These tests involve your team or a trusted vendor sending out test email phishing messages and measuring the success of your users reporting these emails versus clicking on them and “taking the bait”. The combination of these two processes provides a feedback loop whereby your organization can assess if your training efforts are working and also know when to provide more training and testing. This should be an ongoing process.
We live in a digital age, but paper and hard copies still exist throughout the healthcare space for a wide variety of reasons. Paper can actually be more easily secured from risk than electronic information in certain ways, but it requires human diligence. The key measures for securing paper involves physically securing it to only authorized personnel, and special diligence must be placed around securing the paper documents when authorized personnel move away from workstations or places where the paper is being used. This includes throughout the daily processes as well as after shifts end. Lastly, proper destruction of paper records must be available and highly convenient for all to use so that paper documents are not thrown in the trash or left around once they are no longer required. Proper shredding devices or shredding bins must be spread throughout your organization combined with routine training on the importance of utilizing these resources. It is also critical to have people that routinely check areas that are prone to paper documents at the end of each shift to ensure no documents are accidentally left either unsecured or not destroyed when no longer in use.
This location of breaches usually lends itself to more technical means of reducing risk. One of the largest reasons for risk in this area is lack of software patching rigor. There are many tools available today to help manage patching processes, and this must be something your technology staff/vendors take seriously, have a rigorous process in place for, and audit routinely. Another great tool in this space is routine vulnerability testing by internal resources and tools as well as third-party vendors. Vulnerability testing can find holes in your patching processes and misconfigured systems, holes that haven’t been patched by software vendors, and other issues. Data encryption is another tool to help reduce risk on servers. This is by no means a full list of protections for a server environment, but these are some of the best places to start to ensure your organization is being diligent in this area.
We are all stewards of the data our organizations have been entrusted with. There are clearly growing challenges in securing all types of data, and healthcare data has grown recently for interest by untrusted parties trying to obtain it for criminal and other nefarious activities. It is critical that we all work together as employees, businesses, business partners, and practitioners of all disciplines to ensure data is protected and used for intended purposes. Security is truly a job function that every one of us has to take on personally no matter what our job description is in order for us to reasonably reduce the risk in this day and age. Security is no longer the job of just your IT department.