How to Prevent Security Breaches in Healthcare
Healthcare is a top target for cyberattacks and other security breaches – and healthcare security breaches continue to trend upward. According to Becker’s Hospital Review, one out of every three large data breaches involve a hospital or health system. These breaches are not only threatening to the personal privacy of patients, they bring the risk of major compliance fines, long-lasting damage to reputation and trust, and can even bring a hospital or health system to a standstill, disrupting the ability to deliver care and putting patient safety at risk. Fighting back against this trend and preventing security breaches in healthcare requires a broader understanding of the risks and key vulnerabilities – and a comprehensive data security and identity authentication program to mitigate these risks.
The importance of data security in healthcare
Breaches in healthcare reached an all-time high in 2021, continuing an upward trend that’s seen the number of breached U.S. health records more than triple in the past three years. Healthcare records are a popular target for a simple reason: Medical records are worth up to 40x more than stolen credit card data on the dark web. That’s because health records typically include everything from Social Security numbers to health plan beneficiary information and even biometric identifiers – in addition to often including financial account information.
But the bigger story is that growing security breaches in healthcare are directly tied to the digital transformation of the healthcare industry. Today, the delivery of healthcare is fully dependent on data. Connected devices collect vitals and other patient health information that informs care. EHRs store that information and drive care workflows from authorizing procedures to prescribing medications. Everything from the simplest to the most complex and advanced treatments are now delivered using digitally enabled technologies. Digital infrastructure undergirds the facilities and spaces where that care is delivered – keeping the lights on, controlling complex HVAC systems, and controlling physical access and security. Now, the rapid growth of telehealth layers on additional data security needs. Providers are integrating third-party technologies and web-based platforms to make telehealth seamless and convenient for patients and efficient for providers.
Data security is critical to protecting this entire ecosystem. Done well, a comprehensive data security program drives three core outcomes:
- Patient trust & loyalty
Today’s patients-as-consumers are empowered to seek out the “best” care – and they’re increasingly sensitive to data privacy. An effective data security program protects against the reputation damage – and resulting patient volume losses – of a data breach.
- Care quality & patient safety
Ensuring uninterrupted access to patient health information and the functioning of critical technologies and systems is fundamental to healthcare providers’ most basic goal: delivering high-quality care and mitigating patient safety risks.
- Avoiding costs associated with breaches
Healthcare is already at the leading edge of data privacy regulations, and continually tightened requirements mean even small breaches could lead to significant fines. But fines are just the tip of the iceberg when it comes to the full cost of a security breach. For example, a midsize hospital can expect a typical cyberattack to shut them down for an average of 10 hours – at a cost of $45,700 per hour.
What are the major data security issues in healthcare?
The overarching issue is the exponential digitization of every aspect of healthcare, as mentioned above. No doubt, this digital transformation is delivering enormous benefits to patients and providers alike — and will continue to unlock powerful new possibilities and potential in the coming years. But it also presents significantly heightened security risks, most simply because it creates a much broader and more complex digital ecosystem, with vastly more points where a bad actor could gain access or data could leak or be exposed. A spring 2022 report identified five key sources of data security issues in healthcare:
- IoT connected/”smart” medical devices: The number of connected devices in hospitals and clinics continues to grow exponentially. U.S. Health and Human Services (HHS) reports that more than half of the most commonly used connected medical devices are vulnerable to cyberattacks.
- Surging use of telehealth: The pandemic-induced shift to telehealth and mobile healthcare is proving to be here for good. Patients accessing healthcare outside the traditional “perimeter” of data security brings a host of security risks and challenges.
- The Cures Act: The 2016 Cures Act aims to reduce barriers to system and device interoperability in healthcare. This directly supports and accelerates technological innovation, but it also presents additional points where data can be leaked or stolen in transit.
- Under-resourced IT departments: Staffing shortages and budget shortfalls are hitting every department in the hospital, and this can lead to things like security patching to fall through the cracks and technology stacks not being updated and strengthened to keep up with modern demands and risks. Moreover, HHS reports that the typical hospital is simply “outgunned” by cyberattackers from a technology and staffing perspective.
- Lack of employee security training: The human factor is still the biggest security risk, whether it’s clicking on a phishing link, losing or sharing credentials, or letting unregistered visitors into the facility.
In fact, it’s estimated that 3 in 4 healthcare security breaches stem from one of these five core issues.
5 Strategies to Prevent Breaches in Healthcare
Start by focusing on protecting patient data
The most fundamental data security strategy is to focus on protecting the patient data that powers modern healthcare delivery – putting the right technologies and processes in place and building a culture of data security. To ensure the availability and integrity of patient data, hospitals and health systems should take several measures:
- Encrypt and tokenize all patient data – while in transit and at rest – to protect it from unauthorized access
- Enable digital signing of patient records to maintain a secure chain of control over patient data and help mitigate fraud and forgery risks
- When sharing or moving patient data, all personally identifiable information (PII) should be tokenized to further protect patient privacy
Check all the compliance boxes
In addition to the clinical importance of patient data security, hospitals and health systems need to achieve and maintain compliance under a range of ever-tightening regulatory requirements – from HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH) Act, to General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Electronic Identification, Authentication and Trust Services (eIDAS) and more.
For most healthcare organizations, facilitating compliance with HIPAA is the biggest focus. Here are four areas of data security focus for HIPAA compliance:
- Strong authentication: HIPAA puts a high priority on limiting, controlling, and monitoring physical and digital access to spaces, assets, and data. Give authorized users high-assurance, credential-based authentication that allows them to quickly and easily authenticate identity and access privileges.
- Digital certificates: Digital certificates complement strong authentication in confirming the identity of a device, server, or user. A robust digital certificate program is increasingly critical to enabling the frictionless, fully integrated ecosystem of connected IoT devices within a hospital or health system.
- Data protection: HIPAA stipulates that protected health information (PHI) should be encrypted unless a “reasonable and appropriate” justification is given. In addition, effective data encryption – both in-transit and at rest – can help organizations to avoid significant penalties in the event of a breach.
Reinforce data security around critical digital architecture
The standards and best practices of data security that have been used to secure desktop workstations and legacy, on-premises technologies simply cannot keep up in the age of cloud-based apps, mobile-enabled connectivity, and perimeter-less technology stacks. Hospitals and health systems need to build a future-proof security stack that is capable of enabling the instant, frictionless access that’s needed, while simultaneously thwarting the growing risks of cyberattack, fraud, and breaches. Here are three areas to focus on:
- Take steps to protect EHR systems: Digital certificates for IoT devices; password-less logins; high-assurance, credential-based authentication; and Federal Information Processing Standards (FIPS)-validated hardware security modules (HSMs) can help your organization protect the digital integrity of your EHR system and prevent security breaches in healthcare.
- Secure IoT devices: Enterprise-grade encryption and digital signatures, together with a root of trust protecting the underpinning cryptographic keys, should always be used as a best practice to ensure a secure environment.
- Protect hardware and firmware: A high-assurance digital infrastructure needs to use keys, certificates, and end-to-end encryption to also to ensure the authenticity and integrity of the firmware that powers smart, connected IoT devices.
Use smart data security tech to enable a modern, productive workforce
The “new normal” has reshaped the way the healthcare workforce works. Providers interact with patients virtually through telehealth and mobile health services. Clinical and administrative staff embrace remote and hybrid work models. Enabling these new ways of working is essential to expanding and enhancing the way care is delivered. It’s also critical to protecting economic outcomes, as well as attracting and retaining staff in the face of relentless labor pressures.
- Integrate next-gen technologies: The pace of innovation in the world of productivity and collaboration technology keeps accelerating. These are the tools and technologies that allow clinicians and staff to work in new, smarter, and better ways. A hospital or health system’s ability to rapidly integrate new technologies depends on having an agile, future-ready security tech stack that’s capable of putting the necessary authentication, encryption, and other data security measures around new apps, new integrations, and new workflows.
- Enable frictionless access: The value of innovative new technologies is limited by the ability to quickly access them – and hop between them to deliver care and carry out key workflows. Achieving the full potential of digital transformation – from the productivity benefits to improved care quality to better patient and staff satisfaction – hinges on enabling this kind of frictionless access.
- Support workforce flexibility with physical security: One of the most overlooked impacts of a hybrid work model is that it often necessitates changes in physical security and access control programs. From enabling authorized staff to access facilities outside of standard shifts, to facilitating contactless check-in for patients and visitors, to onboarding and offboarding staff and volunteers, hospitals and health systems need to re-evaluating gaps and issues in their physical security program that may present risk to patient data privacy and security.
Facilitate and protect remote healthcare delivery and digital transactions
Patient demand for telehealth, mobile care and other virtual and remote care delivery options is here to stay. Healthcare organizations, too, have recognized the many benefits of these new modes of care delivery. But delivering the convenient, personalized, and private experiences patients expect – and realizing the potential to expand access to underserved populations while driving efficiency – brings an entirely new set of data security challenges.
- Onboarding and authenticating remote patients: The simplest data security challenge with remote healthcare delivery is simply authenticating the identity of a patient who is not physically present. Healthcare organizations need to put technologies in place to enable secure, self-service, patient identity verification. They also need to build new workflows for onboarding new patients in a fully virtual care scenario.
- Protecting PHI in cloud-based care delivery: Connecting with patients and delivering care through web- and cloud-based apps means that an incredible amount of PHI is now zooming back and forth well outside the safety and security of the traditional network perimeter. A comprehensive data protection strategy needs to include advanced, end-to-end encryption, robust certificates, and public key infrastructure (PKI) in order to facilitate the seamless exchange of patient data, while protecting it from being leaked or stolen.
- Wearables and device security beyond the perimeter: Beyond basic primary care visits, the biggest driver of remote healthcare delivery is the advance of connected medical devices that enable providers to monitor and react to patient health information in real time. This ranges from “smart” healthcare devices like CPAPs, dialysis machines, and pacemakers to the booming growth in wearables like smartwatches and continuous glucose monitors. Healthcare organizations need to not only protect the transfer of PHI from these connected devices to their internal systems, but also put strong data security technologies in place to protect the hardware and firmware of the connected devices themselves.
- Securing digitized transactions and payments: Sophisticated digital signing technologies play a critical role in both the front and the back end of remote care delivery. Healthcare organizations need a secure, seamless way to quickly and confidently authenticate provider orders like lab requisitions and prescriptions. On the back end, they need to ensure the authenticity of insurance claims, as well as provide the technological infrastructure to enable patients to make secure payments.