Data Security in Health Care : How HCOs Can Go About Safeguarding PHI

Protecting sensitive and personally identifiable information (PII) has become a main priority for health care organizations (HCOs). Not only do medical professionals need to be able to access patient files regularly, they must also comply with strict industry regulations that detail how this Protected Health Information (PHI) can be stored, modified and guarded. If anything happens, it could result in major fines and other consequences. In fact, health care data breaches are the most expensive, costing $380 per record, 2.5 times above the global average across industries, according to a report by IBM and Ponemon Institute.

Although the monetary cost of a data breach has dropped 10 percent, attackers still see health care data as the most lucrative path to a payday. Medical institutions cannot become complacent in the face of advancing cyberthreats and must step up their safety measures. Let’s take a closer look into how health care organizations can improve their data security and safeguard PHI.

1. Provide Comprehensive Training

Human error remains one of the biggest causes of data breaches across the board, but particularly in health care when personnel are unaware of potential risks to information security. Some medical organizations might have smaller security teams and budgets, leading to a general lack of protection. Employees are going to be the first line of defense to prevent issues like phishing and malware from getting through. However, phishing techniques are becoming more sophisticated to appear as though the communications are coming from a genuine source. When workers fall for these tactics, malicious parties can gain access to critical business resources and other information.

Employers can learn data security best practices through regular training sessions.

Education is going to be one of the greatest weapons to combat advancing cybersecurity threats. Harvard Business Review suggested regularly reminding people of why it’s important to follow information security best practices by establishing required training regimens and strategic notices. Because threats are constantly evolving, one training session will not be enough to inform users about protecting business data and themselves. Your strategies should advance with current trends to help employees understand and respond to threats appropriately.

2. Establish a Backup Strategy

While some threats like phishing can be avoided with user knowledge, there are other risks that are seemingly unavoidable. Some attacks might leverage a vulnerability within your operating system or application without you knowing. Other viruses might download simply when a user clicks on the wrong thing. Ransomware in particular has become more dangerous and difficult to remove. The case of WannaCry serves as an important reminder for why organizations must do their best to protect their critical assets.

Hackers who send ransomware will ask you to send payment in order to release your data. However, there’s no guarantee that the attacker will follow through, and you could end up being a victim again because they know you’ll pay. The best thing to do for ransomware is to use your backups to reinstate your infrastructure. You should have three different copies of your backup, stored on two different types of media, with at least one offsite. Health IT Security contributor Bill Kleyman noted that it’s extremely important to test your backup regularly to ensure you can recover quickly and have the right information available. Establishing a good backup strategy will help get you out of trouble with ransomware, preserve data security and improve your business continuity efforts.

“Clear and concise guidelines will help leaders protect themselves and monitor their systems effectively.”

3. Follow Industry and Federal Regulations

It can be difficult to know where to start when it comes to tackling cybersecurity. Fortunately, there are a number of standards that health care organizations can follow to improve their data security. The Health Insurance Portability and Accountability Act, for instance, was specifically created to provide data privacy and security provisions regarding medical information. HIPAA has been modified over the years to provide specific guidance about how data should be stored and managed, as well as the potential consequences for noncompliance.

More recently, the U.S. House Committee on Science, Space and Technology passed the NIST Small Business Cybersecurity Act of 2017. This bill came as an effort to provide SMBs with the necessary resources to identify, assess, manage and reduce cybersecurity risks, Health IT Security editor Elizabeth Snell wrote. Clear and concise guidelines will provide necessary guidance for leaders to better protect themselves and monitor their systems effectively. Small businesses are especially vulnerable to cyberattacks, and the new instructions will help companies that believe the cybersecurity is too expensive or too difficult.

Health care data continues to be the most targeted information for hackers, making it extremely costly for a medical institution to get breached. By following industry recommendations, establishing a backup strategy and providing comprehensive training, health care organizations can significantly improve their data security capabilities.

Several health care organizations have started using a hybrid approach involving a combination of layered security and automated maintenance scheduling. In this approach, a multi-pronged setup involving application control, computer lockdown, reboot to restore software along with real-time protection (i.e anti-virus/ anti-malware software) is utilized. To learn more about how these tools and best practices can help health care leaders protect their sensitive data, contact Faronics today.

Matt Williams

A self-proclaimed ‘tech geek’, Matt has worked in technology for a decade and divides his time between blogging and working in IT. A huge New York Giants fan, when not watching football Matt gets his game on playing Call of Duty with his friends and other tech bloggers.