Amidst another global ransomware attack this week, the second in just over a month, many organizations are asking themselves “how secure is their healthcare data?” The US-based pharmaceutical company Merck, and a health system in Pennsylvania are among the many organizations experiencing challenges from this most recent attack. Microsoft stated the attack spread across 64 countries and multiple industries. Regardless of the size of the organization almost everyone is at risk. In 2015, nearly ninety-one percent of healthcare organizations claimed to have had at least one data breach.
The truth is, healthcare data breaches can come in many shapes and forms. Which includes instances of ransomware hacking entire hospital systems, or situations where an employee accesses patient records without proper authorization. Regardless, how the data breach occurs they all have one thing in common, they can be very costly to healthcare organizations and medical practices alike. In 2015, data breaches cost the healthcare industry nearly 6 billion. In addition to HIPAA fines and legal costs, there can be reputational damage and loss of patient trust which may be even more costly.
The bottom line is -- cyber security must be a priority -- all healthcare organizations including medical practices are at risk. Below are six best practices for keeping healthcare data secure:
- Protect the network -most organizations already use firewalls and antivirus software, in addition, experts suggest adopting technologies that limit the damage after an attack, for example, using techniques such as segregating networks.
- Educate employees- One of the top preventions from a data breach is a well-educated staff, which is why employee education on security awareness is so critical. Employee training should include information on HIPAA violations, social engineering, avoiding phishing and unfamiliar email attachments, and choosing secure passwords. Engage staff frequently in security awareness training, through the use of reminders and workplace visuals.
- Encrypt portable devices- Data breaches can easily occur if a device containing health information is lost or stolen, which is why it is necessary and important to encrypt all devices that may hold patient data. This includes laptops, cell phones, tablets, etc. It may also be necessary to implement a policy against carrying data on an unencrypted personal device.
- Secure wireless networks- Many organizations utilize wireless routers for their office networks -- this can also be a potential risk if those wireless networks are hacked. To ensure a secure network, make sure routers are kept up to date and network passwords are secure and changed frequently, also block any unauthorized devices from accessing the network.
- Install physical security measures- Although most organizations have made the transition to electronic medical records there is still a large amount of personal health data printed to paper. Medical practices should be sure to lock all file cabinets and doors while implementing the use of cameras and other physical security controls. In addition, it is important to physically secure IT equipment and other devices to office furniture.
- Develop a data breach response plan – It is impossible to ensure 100% protection from every potential IT data breach or incident, which is why it is so critical to develop a plan of action for when a breach does occur.