Security experts have repeatedly warned about the dangers that health IT departments face from cyberthreats, but those warnings haven't been enough to prevent further healthcare data breaches. Hospital IT executives want to be sure they are taking appropriate precautions to protect their data and infrastructure. So what lessons can be learned from previously reported attacks? Are attackers bypassing commonly used security controls? Which systems within a health IT infrastructure are the most vulnerable? These are some of the questions IT executives are asking as they evaluate their data security protocols.
Information on healthcare data breaches is available to the public on the HHS Office for Civil Rights' (OCR) website. This data provides insight into reported data breaches in healthcare and can be used to help prevent repeat scenarios.
As depicted on the U.S. map, one of the largest data breaches in healthcare was reported by insurer Anthem, Inc. in Indiana, which affected as many as 80 million patients. Other interesting trends can be seen in the embedded charts, namely the steady rise in the number of patients affected by healthcare data breaches in the last three years.
The OCR data shows that both large and small organizations get breached. Both groups report the same breach types: device theft, unauthorized access and hacking. It is also worth noting that a significant number of breaches were caused by PHI leaking through email.
The second graphic offers details about healthcare data breaches reported in 2015. This year, hacking or other IT incidents have been the most frequent cause of data breaches, and health plans have been the most commonly affected targets.
How to avoid data breaches in healthcare
The general takeaway from this data is that more must be done to prevent healthcare data breaches. The following are a few methods to help keep patient data protected:
- Deploy network security tools that protect the IT environment and provide visibility into what is happening on the network, so that data leaving it can be spotted rather than discovered after the fact.
- Monitor internal systems for unusual data transfers and abnormal server activity. Attackers often pull data out slowly over long periods, and their presence can go undetected for weeks or months.
- Encrypt laptops and require strong passwords on any device that stores protected health information (PHI), so that a lost or stolen device does not expose the data on it. A password alone does not protect data on an unencrypted disk; the two controls belong together. It should be a rule that the devices of anyone who handles or stores PHI get the strongest level of protection.
- Ensure HIPAA Business Associate Agreements (BAA) are in place with all vendors. Healthcare entities must have their own processes in place, or use contract management platforms such as iContracts or SharePoint, to obtain and maintain a BAA with each of their business partners.
- Implement role-based access control so that only the appropriate users can reach PHI, and keep audit trails that show who accessed which data and when.
- Audit systems frequently, and engage third-party vendors to perform penetration tests and security drills.
- Seek legal advice to confirm that all compliance requirements are being met and that the organization is working within all mandated regulations, such as HIPAA.
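The monitoring and role-based access items above are the two that translate directly into code. The following is an added example, not code from the original article or from any vendor named in it: a minimal role-based access layer for PHI records that writes every attempt, allowed or denied, to an audit trail, plus a detector that flags accounts whose access volume is abnormal compared with peers in the same role (the "unusual data transfers" case). The role map, user names, record IDs and activity are all constructed for illustration.

```python
"""Added example, not code from the original article: a minimal role-based
access layer for PHI records that writes an audit trail, plus a detector that
flags users whose access volume is abnormal for their role. The role map,
user names and record IDs are all constructed for illustration."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from statistics import median

# Hypothetical role -> permitted actions. Admins keep systems running but get
# no chart access at all (least privilege).
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read_billing"},
    "it_admin": set(),
}


@dataclass
class AuditEvent:
    user: str
    role: str
    action: str
    record_id: str
    allowed: bool


@dataclass
class PHIStore:
    """Every access attempt, allowed or denied, lands in audit_log."""
    records: dict
    audit_log: list = field(default_factory=list)

    def access(self, user, role, action, record_id):
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self.audit_log.append(AuditEvent(user, role, action, record_id, allowed))
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action} {record_id}")
        return self.records[record_id]


def denied_events(audit_log):
    """Denied attempts: a run of these is an early sign of probing or misuse."""
    return [e for e in audit_log if not e.allowed]


def flag_abnormal_users(audit_log, factor=5, min_events=20):
    """Flag users whose allowed-access count is more than `factor` times the
    median of the *other* users in the same role (and at least min_events).
    A stolen account pulling charts in bulk stands out against peers doing
    the same job; a user with no peers is skipped rather than guessed at."""
    counts = Counter((e.user, e.role) for e in audit_log if e.allowed)
    by_role = defaultdict(dict)
    for (user, role), n in counts.items():
        by_role[role][user] = n
    flagged = []
    for role, users in by_role.items():
        for user, n in users.items():
            peers = [m for u, m in users.items() if u != user]
            if not peers:
                continue
            if n >= min_events and n > factor * median(peers):
                flagged.append(user)
    return sorted(flagged)


def build_demo_store():
    """Constructed activity: four physicians reading 10 charts each, one
    physician account reading 300, and two out-of-role read attempts."""
    store = PHIStore(records={f"MRN{i:04d}": {"chart": "constructed"} for i in range(300)})
    for doc in ("dr_a", "dr_b", "dr_c", "dr_d"):
        for i in range(10):
            store.access(doc, "physician", "read", f"MRN{i:04d}")
    for i in range(300):                     # looks like credential misuse
        store.access("dr_e", "physician", "read", f"MRN{i:04d}")
    for user, role in (("bill_1", "billing"), ("admin_1", "it_admin")):
        try:
            store.access(user, role, "read", "MRN0001")
        except PermissionError:
            pass                             # denied, but still logged
    return store


if __name__ == "__main__":
    demo = build_demo_store()
    print("denied:", [(e.user, e.role) for e in denied_events(demo.audit_log)])
    print("abnormal volume:", flag_abnormal_users(demo.audit_log))
```

Two design points carry over to a real deployment: the denial is logged before the exception is raised, so a probing account leaves a trail even when it gets nothing, and the volume baseline is taken from peers in the same role rather than a fixed threshold, because what is normal for a physician is not normal for billing staff.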
Security is a top priority for all healthcare IT executives. It is an area that will likely keep IT professionals busy and force healthcare providers to make investments to keep all internal systems safe. Without constant monitoring, data can fall into the wrong hands and patients and providers will both pay a price for such a breach.