To avoid violating regulations, which could result in tens of thousands of dollars (or more) of fines and negative publicity, healthcare providers must ensure that their facilities are in compliance and be constantly on the lookout for security threats.
And “while the governance of information causes headaches for IT leaders across all industries, when it comes to healthcare, the myriad of confidentiality and privacy concerns for CIOs and health information management administrators creates added complexity,” says Ken Mortensen, data protection officer at InterSystems. One slip-up and “IT leaders risk exposing [sensitive] health information, or, even worse, contributing to an unfortunate patient outcome.”
Following are four of the biggest IT issues hospitals and healthcare facilities must deal with and steps they can take to avoid violations and breaches.
“HIPAA [the Health Insurance Portability and Accountability Act] states that healthcare providers must use ‘appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information,’” says Kate Borten, founder of The Marblehead Group. “This caveat has become a headache for healthcare IT managers, especially as more healthcare teams are using mobile devices to view sensitive patient data outside the walls of healthcare facilities. This can make it all too [easy] for hackers to view and capture sensitive or confidential patient information for unauthorized use.
“Fortunately, there are a number of ways healthcare teams can reduce the risk of hacking and improve the physical security and privacy of patient information,” she says. Hospitals can install or require privacy screens or filters be applied to all computers and mobile devices, to prevent prying eyes from seeing confidential information. And they can require that all data be encrypted.
“It’s imperative that more healthcare organizations adopt stricter data encryption policies based on PHI disclosures,” says Ken Adamson, vice president of product management at Proficio. “Encryption should be embedded directly into files [as well as used in email], with set user permissions to control who accesses information. If healthcare organizations don’t use encryption, they run the risk of having to pay hefty fines in the event of a data leak.”
It is also important that any vendors they work with “must be able and willing to enter into HIPAA Business Associate Agreements (BAAs),” says Ryan van Biljon, vice president, mid-market at Samanage.
“More than 4,000 ransomware attacks occur daily, the majority of them in healthcare, thanks largely to the high value of medical data on the black market,” says Rod Piechowski, senior director of health information systems at HIMSS. “In addition to recovery costs and collateral damage to the brand, ransomware can also be a threat to an organization’s HIPAA compliance, because it compromises the security of confidential patient data.”
To address this problem, hospitals and healthcare facilities need to implement “a good, stress-tested security program that allows [them] to identify, protect, detect, respond to and recover from security incidents,” he says. The program should also “educate, train, and test system users on phishing, a common mode of delivery for ransomware… [and] regularly update and patch all systems, including web plug-ins.”
Unsecure medical devices
“An increasing risk to healthcare networks is the ever-expanding number of internet-connected devices, such as medical devices [e.g., MRI machines], most of which are not secure or engineered to be secure,” says Mac McMillan, president & CSO at CynergisTek. “This is fast becoming the biggest shadow IT nightmare for IT managers and compliance officers. [And] managing this challenge requires asset management, strict controls on the network, network segmentation considerations, inventories and tracking of devices, [as well as] monitoring manufacturer sites for patches and upgrades.”
Moreover, “healthcare organizations must ensure that their system acquisition process includes a thorough security review before purchases are made, and that the selected systems are updated as needed to remain secure,” says Trent R. Hein, cofounder & co-CEO of AppliedTrust.
“Healthcare is trending toward BYOD because it combines impressive computing power and modern user interfaces with portability and unobtrusiveness, giving physicians the flexibility to use the device they’re most comfortable with,” explains James Plouffe, lead solutions architect of the ServiceConnect Ecosystem, at MobileIron.
“However, as technology becomes more mobile, data has become more portable and can get outside of a healthcare organization in unexpected ways,” he notes.
“In order for these devices to be HIPAA compliant, they must have a number of security features in place that preserve PHI,” says Marianna Prodan, senior product manager of healthcare at Accellion. “Secure access to content systems, a mobile container that segregates patient information from other information, two-factor authentication, offline PIN, the ability to wipe content from the phone remotely and app whitelisting are just some of the key mobile security features healthcare CIOs should look for when deploying mobile devices in their organizations.”
In addition, healthcare providers should use “tools like the Apple Device Enrollment Program (DEP) or Android Enterprise Device Owner Mode (DOM), [which] give [hospital] IT personnel ways to enable additional security capabilities and ensure that policies follow the data wherever it goes, rather than solely focusing on data within the walls of the health system,” says Plouffe.