People tasked with keeping healthcare data safe can’t assume they’ll never get breached. The best assumption is that the information is always at risk.
Being proactive is vital to reduce the chances of healthcare data getting compromised—especially considering how valuable that information is to thieves.
Not to mention how plentiful it is. Many hospital databases hold records for tens of thousands of patients, if not millions. The quantity of valuable information available makes hackers want to target hospitals, outpatient centers, and similar sites.
A cybercriminal could illegally obtain records containing patients’ private information, including their illnesses, payment details, and more, and hold all that information at ransom for a high sum.
With that danger in mind, this article will explore some of the biggest data protection challenges in the healthcare industry, and how hospitals and other organizations can minimize their adverse effects.
Ransomware attacks occur when hackers lock down data or systems and require the affected parties to pay ransom to restore the information. They’re increasingly common—and deadly, with damages expected to cross $30 billion by 2023.
Worse, paying up doesn’t always get the results the victims want.
A 2021 Kaspersky study indicated that more than 56% of respondents paid the ransom. However, 17% didn’t get their data back after doing so. Moreover, many people had trouble fully restoring their rightful access. For example, 32% lost several files despite their best efforts.
Only 29% of people experiencing ransomware attacks reported they could eventually access all their files again.
2. Improper data handling
Healthcare facilities are busy places, and many workers are under high pressure while juggling many tasks. These combined challenges mean they don’t always handle data correctly, which can leave the door unlocked, so to speak, for hackers.
The COVID-19 pandemic put health care workers under additional strain, which could ultimately compromise security.
A 2022 Verizon report about health care breaches found employees are more than 2.5 times likelier to make mistakes that compromise data than to misuse their access maliciously. The top two mistakes were losing or sending data to the wrong place or person.
3. Uncertainties over data used for some health research
Healthcare data has always been an integral part of medical research progress. The information researchers get from patients is instrumental in learning about potential new treatments, understanding how specific symptoms could be signs of diseases, and more.
However, treating the information carefully and ethically is vital. The trouble is that current data-handling practices typically don’t account for artificial intelligence (AI). In other words, they may be out of view of human web browsers, but are fully open to AI crawlers, who can then pass them on to bad actors.
Relatedly, there’s a so-called black-box problem where it’s often impossible to work backward and see how AI algorithms reached certain conclusions.
4. Third-party health company issues
Healthcare organizations have different policies and strategies surrounding data, some of which can lead them into trouble. Consider how the Federal Trade Commission gave prescription drug comparison service GoodRX a $1.5 million civil penalty for providing consumer health data to Google, Facebook, and others without disclosure or user permission.
In another instance, mental health telemedicine company Cerebral admitted a data breach that disclosed protected health information to third parties. The issue reportedly affected more than 3 million patients.
5. Poor internet hygiene and data security practices
Many people who handle healthcare data don’t follow best practices for keeping it safe. This issue especially is one that spans numerous industries. One study revealed that 63% of people reuse passwords for work devices and accounts. These reused passwords provide hackers access to more sites.
One healthcare system executive had their work laptop—containing over 40,000 medical records—stolen from a locked car. The device’s information was unencrypted. Parties from the affected health care system spent more than $200,000 dealing with the event’s aftermath and improving policies to reduce the chances of something similar occurring.
How to secure healthcare data
There’s no universally guaranteed way to keep data safe. But here are some best practices to consider, including backing up your data, establishing clear guidelines, and providing training and encouragement to workers to handle private data responsibly.
Keep data backed up
A 2022 study of global health care organizations indicated 57% of respondents had suffered ransomware attacks during the past three years.
One-quarter admitted those issues had halted operations, while 60% said they affected some business processes. Additionally, 56% said it took days to restore operations, while 24% indicated it took weeks.
Having current data backups minimizes the timeframes for ransomware recovery, since it diminishes the urgency of engaging with cybercriminals to restore it.
It doesn’t fix every problem though. IT teams must still determine how the hackers caused the breach and fix the issues, prevent any sensitive data from being abused or released to the public, and collaborate with law enforcement on catching the criminals responsible for the attack.
Consider pursuing independent accreditation
Many health care facilities undergo independent accreditation processes to see how well they meet industry standards. This can improve operations and enhance reputations.
Evidence also suggests accreditation can raise confidence when insurance providers consider what kind of packages and rates to offer.
Data handling measures and overall cybersecurity are only some aspects related to accreditation. They’ll help your organization run more smoothly and efficiently overall, so there’s less chance of important issues slipping through the cracks.
Establish clear guidelines for health data used in research
Health data has been an essential part of research for decades. However, people use it differently now, including while working on big-data platforms and with AI projects.
Now is an excellent time for healthcare executives, IT teams, and researchers to iron out the specifics for treating data in research, especially since this work often involves collaboration between multiple organizations.
Evaluate third-party health companies’ privacy policies
IT teams should create and distribute documents emphasizing patient data doesn’t necessarily stay within a healthcare organization’s walls.
For example, a hospital may use a third-party service for appointment setting or billing. Executives should thoroughly vet all their external providers and be careful who they entrust with important organizational data.
Meanwhile, all patients should carefully read the privacy policies of any third-party health service before using it. (In fact, this is good advice for any organization people are giving their information to. Those long blocks of text might make your eyes glaze, but they can save a lot of future headaches!) They should also set strong, unique passwords and never access health data over public Wi-Fi.
Provide ongoing cybersecurity training for workers
People will more likely understand how their actions affect others in an organization when data security is part of the culture. All workers handling data in any capacity should receive regular, continuous cybersecurity training.
Employees must also learn to report cybersecurity breaches or strange activity they notice on the network, whether or not they might have caused it.
4 security tools all healthcare organizations should use
A robust tech stack gives organizations the necessary tools to prevent attacks. Here are some of the most frequently recommended types.
Firewalls allow organizational IT teams to set specific parameters that filter a network’s ongoing and incoming traffic. A firewall is the primary barrier between a healthcare facility’s private network and the public internet.
Intrusion prevention systems
Intrusion prevention systems (IPSs) are specialized hardware or software tools that continuously monitor network traffic for unusual activity and take action when encountering it. They might block the traffic or alert the appropriate parties.
Network access controls
Network access controls (NACs) permit or deny people to utilize a network based on certain combined credentials and characteristics. For example, IT managers may specify that someone can’t access the system if trying to log in from an unusual location—even if they have the proper credentials.
Endpoint security encompasses the tools and measures that stop hackers from potentially turning user-facing devices into access points. This might mean running antivirus software and ensuring employees are using updated operating systems.
Healthcare data security standards
People working in the healthcare field and handling data must follow several security-related standards, including HIPAA, GDPR, HITRUST CSF, and ISO/IEC 27001.
It’s critical not only that these standards are in place, but also that employees are well-versed in their applications. Any breaches found to be caused by negligence on the part of the organization could result in further damages due to fines and lawsuits.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law associated with standards protecting patient medical records from unauthorized disclosure. The HIPAA Privacy Rule applies to all organizations and individuals considered covered entities, including healthcare providers, medical insurers, and any of their business associates.
The General Data Protection Regulation (GDPR) is a privacy law applicable to data-handling practices of European Union residents. Though technically it only applies to organizations specifically targeting these people, it is best practice to stay on the safe side of the law by implementing it in any organization that may do business in the EU.
The GDPR governs the collection, processing, and usage of data. Health information is a category that receives especially stringent GDPR protections because of its sensitive nature.
HITRUST Common Security Framework
The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) provides certifiable parameters to assist healthcare providers in demonstrating their security and compliance practices.
HITRUST gives HIPAA-covered entities, cloud providers, and others a benchmarking system to verify compliance with regulatory standards.
The CSF has specifics across 19 domains related to cybersecurity. Organizations can go through self-assessments or become CSF validated or certified.
ISO/IEC 27001 and ISO 27799:2016
These standards from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) provide detailed controls for handling certain types of sensitive information.
ISO/IEC 27001 relates to information security management systems. Organizations abiding by this standard have developed risk management systems that protect relevant data and focus on continuous improvement.
ISO 27799:2016 is a standard specifically for health informatics. It applies to digital documents, handwritten notes, medical images, and sound recordings. It also pertains to how people transmit and receive this information.
The National Institute of Standards and Technology (NIST) Framework
The NIST framework originally only applied to federal entities and contractors, making it non-applicable to private healthcare bodies. It is now broader in focus and voluntary for non-government organizations—including those in the health care field.
An optional addition to your security policy, it’s intended to help businesses better understand, manage, and reduce their cybersecurity risk and protect their networks and data.
Payment Card Industry Data Security Standards (PCI DSS)
All healthcare organizations that accept payment for goods or services must comply with PCI DSS. It covers processing, storing, and transmitting payment card data. Organizations risk fines for failing to comply with this internationally recognized standard.
Bottom line: Securing data for healthcare organizations
Appropriate data security measures in the healthcare industry are essential. Organizations that don’t follow them risk breaches or information misuse. Such issues could compromise patient care and harm a facility’s reputation. In an industry dealing with such a high volume of extremely sensitive data, there’s little room for error.
Fortunately, knowing the risks and taking steps to mitigate them can go a long way toward keeping your patients’ data—and your organization—safe.
We evaluated the best enterprise security companies for end-to-end network security, so you can keep your practice on track.