Solid State Systems LLC

Tailored IT Solutions for Modern Businesses

Healthcare Data Security: Proven Solutions to Major Problems

Healthcare facilities are being heavily targeted by hackers, making healthcare data security a major concern

2015 was the “year of the healthcare breach.”

There were 5 mega-breaches which resulted in over 100 million patient records being exposed, according to IBM’s X-Force Threat Intelligence Report 2016.

And healthcare data security didn’t fare any better in 2016.

According to Symantec’s 2017 Internet Security Threat Report (ISTR), the number of reported breach incidents increased by 22 percent last year, rising to 328 from 269 in 2015 – with healthcare being the 2nd most attacked service in the “Services” industry category.

2016 was also the year of email cyberattacks on healthcare.

Symantec’s 2017 ISTR found that 54% of their emails contained spam, 1 in 4,375 emails were phishing attempts, and the number of email-borne ransomware attacks increased in 2016.

All of which resulted in data loss, revenue loss, and services shutting down.

So what can you do to stop this from happening to you?

First, by identifying your healthcare data security issues, and second, by implementing proven solutions to those issues.

We’ll show you both so you can put together a plan today to better protect your healthcare facility tomorrow, and into the future.

Healthcare Data Security Issues

There are many reasons why healthcare facilities are so vulnerable to IT security threats.

Here’s a short list of some of the most important issues that you should work to resolve:

Low Budget for Security

A 2016 report from Symantec revealed that on average, the healthcare industry allocates only 6% of its IT budget to IT security.

This is dramatically lower than most other vital industries and organizations.

The federal IT budget for IT security is around 16% at $86 billion, while the financial industry is expected to spend about $68 billion on IT security between 2016 and 2020.

The severely low budget for healthcare data security is especially troubling because hackers are heavily financially incentivized to steal medical records since they sell for so much on the black market.

High Demand for Medical Records in the Black Market

The FBI’s Cyber Division found that electronic health records (EHR) are more valuable than financial data.

While a social security number or credit card number will sell for $1 on the black market, EHRs will sell for $50.

The scariest part:

It takes twice as long to detect that a theft has occurred when a hacker steals EHRs.

And all that data on an EHR – patient names, birth dates, policy numbers, billing information – can be used to create fake IDs, buy medical equipment and medications to resell, or file false claims with an insurer.

Lack of IT Security Personnel

The Report on Improving Cybersecurity in the Healthcare Industry found that a low budget for healthcare data security translates into a lack of in-house IT staff.

It claimed that most organizations lack the infrastructure to identify and track threats, analyze and translate threat data into actionable information, and act on that information in any meaningful way.

The bottom line is that most healthcare organizations won’t even know they’ve had a cyberattack until after it’s happened.

Personal Devices Used for Healthcare-Related Work

Bring your own device (BYOD) is a common practice in modern healthcare facilities.

Doctors, nurses, and administrators are permitted to use their personal tablets, phones, and other mobile devices.

According to a report from the Health Research Institute, 81% of healthcare providers allow BYOD policies. These devices are usually small and easy to steal.

They’re also extremely insecure.

66% of apps sending identity-related information over the internet don’t use any form of encryption, and 20% of those apps don’t even have a privacy policy.

Shadow IT

Shadow IT risks are pervasive and unavoidable.

They’re also highly dangerous.

According to research firm Gartner Inc., by 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.

What is shadow IT?

Any software solution that employees are using that your IT department hasn’t vetted and approved.

Most of the time employees are using shadow IT to perform their jobs better without considering the negative impact it may have on healthcare data security.

Healthcare Data Security Solutions

Even though healthcare facilities face many obstacles to achieving optimal data security, there are plenty of viable security solutions that can be implemented to overcome these problems.

Here are just a few:

Cybersecurity Training

You should do everything possible to educate your employees on mitigating as many cybersecurity risks as possible, such as:

  • How to closely inspect their emails, and why to never open an unsolicited attachment
  • How to safely navigate the internet and identify malicious links and ads
  • The best ways to prevent remote access risks for employees working from home or abroad
  • How to prevent spam
  • How to get rid of adware
  • How to avoid firmware security risks
  • Etc.

This checklist never ends and needs constant upkeep.

Create a culture of discovery and learning around healthcare data security and all forms of IT security to cultivate a knowledgeable, skilled, and safety-oriented staff.

Disaster Recovery Plan

Developing a disaster recovery plan (DRP) for your healthcare facility is key to swiftly and efficiently stopping a cyberattack or lessening its financial impact.

Here are a few tips for creating a strong DRP:

  • Back up all your data and ensure that your data is being captured correctly and that it can be easily restored
  • Store the backed-up files in the cloud or a secure facility away from the main system
  • Know what kind of equipment is needed to restore your backed up files
  • Keep your recovery plan in a safe location and assign members of your staff with the responsibility of locating and distributing the plan in the case of an emergency

Encrypt All of Your Data

Every piece of data being sent and received on corporate and personal devices needs to be encrypted.

All patient information, especially financial information, should be encrypted within your systems also, even if it’s just sitting on your computer.

This helps maintain a constant “cloak” over all of your data, making it harder for an amateur hacker or insider to access your data.  

Control Access

If an administrator with access to an entire system falls victim to a phishing scam, the hacker will have access to far more data than if the employee had specific access to only one set of data needed to perform their job.

Your Electronic Health Record (EHR) system and Protected Health Information (PHI) system should be tightly managed and controlled so that only people that need access to information have access.
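
The difference between a phished administrator and a phished scoped account can be measured with a periodic access review. The sketch below is an added example, not part of the original article; the account names, dataset names, record counts and log lines are all constructed. It compares what each account is granted with what it actually read, and reports the grants to revoke and the exposure before and after.

```python
from collections import defaultdict

# Constructed sample data; account and dataset names are hypothetical.
GRANTS = {
    "it-admin":   {"ehr", "billing", "lab", "pharmacy"},
    "nurse-01":   {"ehr", "lab"},
    "billing-02": {"ehr", "billing"},
}
RECORDS = {"ehr": 40000, "billing": 25000, "lab": 60000, "pharmacy": 15000}
# One line per read over the review window: "<date> <account> <dataset>".
ACCESS_LOG = """\
2026-01-05 it-admin pharmacy
2026-01-05 nurse-01 ehr
2026-01-06 nurse-01 lab
2026-01-06 billing-02 billing
2026-01-07 billing-02 billing
"""


def datasets_used(log: str) -> dict:
    """Parse the log into account -> set of datasets actually read."""
    used = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3:          # skip blank or malformed lines
            _, account, dataset = parts
            used[account].add(dataset)
    return used


def exposure(datasets: set) -> int:
    """Records an attacker reaches with one phished account's access."""
    return sum(RECORDS[d] for d in datasets)


def access_review(grants: dict, log: str) -> dict:
    """For each account: grants never exercised in the window, and the
    exposure before and after revoking them."""
    used = datasets_used(log)
    report = {}
    for account, granted in grants.items():
        needed = granted & used[account]
        report[account] = {
            "revoke": sorted(granted - needed),
            "exposure_now": exposure(granted),
            "exposure_scoped": exposure(needed),
        }
    return report
```

A grant that went unused during the review window is a candidate for removal, not proof that it is unneeded; confirm with the account owner before revoking.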

Use a Firewall

Choosing a firewall is an important and tough choice to make when there are so many options to choose from.

Make sure your firewall comes with a VPN, built-in encryption, built-in high availability, and an antivirus – all of which you need for optimal healthcare data security.

The Next Step in Your Healthcare Data Security

Implementing our list of solutions is a good starting point for improving your healthcare data security.

But it’s only a small step in the right direction. It won’t give you everything you need for optimal security.

For that, you’ll need the help of proven IT security experts who have worked with scores of companies and organizations to refine or upgrade their security systems to guard against all forms of cyberthreats, internally and externally.

The healthcare facilities that don’t get hacked and don’t have to pay tens of thousands of dollars in ransom money to hackers are not just lucky…

They were smart enough to consult with an IT security company that could implement robust strategies to prevent hackers from ever having the opportunity to hack them in the first place.

If you want to gain access to those same strategies and understand how to effectively block intruders from invading your system…

We can help.

Optimize Your Healthcare Data Security Today

From email to mobile to cloud computing, we’ll provide real-time monitoring, threat detection, and risk prevention. We’ll perform an in-depth audit of your current IT security systems, identify any existing problems, patch them, and help you implement new policies and strategies for optimal healthcare data security.

Contact us for your free consultation today to learn more!
