[Editor's Note: Today's guest post was submitted by Milica Vojnic of Wisetek, an IT Asset Disposition company that helps businesses in the healthcare industry to ensure they do not suffer a data breach. We have no financial relationship.]
No industry has been left unaffected by the ongoing digital revolution, including the healthcare industry. Long gone are the days of paper patient charts and large files containing a lifetime of medical history. Instead, doctors and other healthcare workers can now access the data that they need with a few clicks of a mouse.
In recent times consumers have become more sensitive to the protection of their personal and confidential information and authorities have responded to this with stringent data protection laws.
While the benefits of electronic medical records far outweigh the drawbacks, there are a few considerable risks associated with digital records. Since medical data contains personal and sensitive information, it is a prime target for hackers, and as such, requires extensive protection to ensure that patient data always remains confidential.
Patient Data Security Breach, A Worst Case Scenario
Imagine a situation where a hacker manages to obtain confidential patient data from a healthcare provider’s record system. The hacker could potentially use this information to blackmail or otherwise harm the patient and/or the healthcare provider. This scenario would also place the healthcare provider at risk of legal action.
In fact, this possibility of a data breach is taken extremely seriously by governments. The laws of many countries envisage large financial penalties for any healthcare provider that treats confidential medical data without the necessary care. The largest medical data breach to date occurred in 2015 when about 78.8M individuals were affected by a data breach involving Anthem Inc. (a health insurance company based in the US).
In May 2021, ransomware attacks by cybercriminals targeted the Colonial Pipeline, a major pipeline responsible for conducting gasoline to the Southeastern US. The perpetrators executed a crippling attack that raised gas prices to their highest point in over seven years at over $3 per gallon and managed to receive over 75 Bitcoin (over $5M at the time).
At around the same time, Ireland’s health care system was targeted in a ransomware attack, possibly the worst cyber attack in the country’s history. Imagine for a moment that such an attack was to target your organization. The hacker has already compromised patient records, encrypted all of your sensitive data and locked you out of it, and demands an ever-increasing ransom. To make matters worse, should you ever decide to pay the hacker, there’s no guarantee that they won’t simply destroy all of the sensitive data and cripple your devices even after being paid. That’s a worst-case scenario every organization should seek to avoid.
5 Ways to Protect Sensitive Medical Records
The risk of facing a fine or legal action due to the criminal actions of hackers is a very real possibility for every healthcare business. This brings up the question of how to protect sensitive medical records and avoid fines and potential financial ruin. Luckily, there are quite a few ways in which this can be achieved:
#1 Train Staff Properly
Making sure that staff understands exactly how sensitive medical data is and implementing appropriate training to reinforce this is the easiest and first line of defense. Implementing a formal training program that teaches employees how to interact with sensitive data also shows that a healthcare business takes responsibility towards the privacy of their patients with the necessary seriousness and builds trust and confidence with clients.
Some actions worthy of consideration include:
- Keeping confidential data secure by having your employees never share their credentials
- Logging out of their workstation or electronic device whilst away (on lunch, out of the office, etc.)
- Requiring the use of secure passwords for device access
- Keeping up to date with the operating system and software security updates
- Never sharing work devices with friends or family
- Deploying virtual private networks (VPNs) for remote workers
#2 Invest in Appropriate IT Infrastructure and Software
Doing proper research and then investing in the right software is also critical. All healthcare businesses, irrespective of their size or activities, can benefit from having top-notch firewalls, VPNs, and anti-virus/malware software installed. Businesses often shy away from spending money on this critical area due to a false perception that only large businesses are targeted by hackers and other cybercriminals, when in fact, every business is a target.
#3 Limit Access to Data
The principle of “need to know” is very applicable to healthcare and medical records. By restricting access to data to only those who need access, the likelihood of data leaks can be drastically minimized. The key is to make it possible for those who need data to access it easily and quickly while still protecting the integrity of the data. In addition to limiting access to data, it is also important to regularly perform a data access audit to ensure that access permissions are set up correctly.
#4 Control Internet Access
By limiting internet access only to mission-critical websites, healthcare businesses can avoid the problem of employees accessing unsafe sites that are often used by hackers to introduce malware to systems and subsequently gain access to sensitive data. It is also important to screen e-mails with attachments for possible malware before opening them. While controlling internet access may sound like a difficult task, it is quite easy to do, and specialized software that scans websites for any potential threats can be used to make the job easier.
#5 Encrypt Sensitive Data
Another highly effective method of data protection is encryption. By encrypting confidential patient records, healthcare providers can ensure that data can only be accessed for the right purposes. Should a hacker manage to break into a healthcare business’s data, they would not be able to do much with the stolen data since it requires a decryption key to be read.
By employing these protection methods, you can make your healthcare business as unattractive as possible to potential hackers. Much like other criminals, most hackers prefer to target “soft targets” where they can get data with little effort. By making your business a difficult target, you are effectively steering hackers away to other softer and easier targets.
Destroying Medical Data Effectively
Most forms of medical data should be stored for a set period but the responsibility to protect the confidentiality of medical data doesn’t expire. This means that healthcare businesses are required to dispose of medical records securely if they wish to avoid any penalties under the law.
Again, it’s important to remember that simply deleting data is not enough and other measures should be taken to ensure that data is truly rendered unreadable. Securely destroying data entails either the physical destruction of the hard drives that contain the sensitive records or using advanced software to completely overwrite the drives so that the previous data cannot be accessed at all.
It is often a good idea to make use of a reliable professional data destruction firm to make sure that the drives are completely erased, and that no data can be recovered from them.
One of the most secure methods of data deletion can be achieved by using a process called degaussing. While degaussing can often guarantee the total destruction of data, it is important to note that the process also destroys the hard drive and renders it useless. Degaussing makes use of a strong magnetic field to re-arrange the bytes of data on the hard drive to make it illegible.
A professional firm will be able to provide a certificate stating that the data has been destroyed responsibly and this certificate can help healthcare businesses to prove that they are complying with the legal framework regarding the maintenance and destruction of sensitive data.
Secure Transportation of Data
Remember that the destruction of data is only one part of the process. Often the healthcare business and degaussing or data destruction facility are physically separated which means that hard drives must be transported. Data is especially vulnerable during the transportation phase and it is possible for hackers to physically steal or swap the hard drives in question before the data can be destroyed. To prevent this, it might be necessary to arrange for the secure transportation of drives to the data destruction facility.
It is also important to catalog the entire process from start to finish and to identify each hard drive by the serial number so that outgoing and incoming drives can be compared to a shipping list. While this may seem like a great deal of effort, it is an essential process to remain General Data Protection Regulation (GDPR) compliant.
Prevention Is Better Than Cure
When it comes to working with sensitive data, prevention is always better than cure. By following these logical and simple steps, healthcare businesses can avoid many of the headaches that come with a data breach. In addition to reducing the risk of receiving a hefty fine that could lead to financial ruin, healthcare businesses who act responsibly with sensitive data enjoy the trust of their patients which is essential.
Spending the necessary funds on IT security and keeping on top of developments in the industry is an investment that might not seem all that important when things are going as planned but when the skies turn dark, businesses who keep on top of IT security and best practices often weather the storm much better than those who do not.
Also, remember that every business is a target. Hackers are not scrupulous when it comes to choosing their targets and they will take every opportunity that they can to gain access to sensitive data. Research continuously shows that the data held by healthcare businesses and financial institutions are at the top of the shopping list of most hackers. This is due to the extremely sensitive nature of the data and the vast quantity of information held by these industries.
What do you do in your small practice to ensure your data isn't hacked? What best practices do you follow to protect sensitive data? Comment below!