10 Best Practices for Healthcare Security
There’s no doubt that technology has played a pivotal role in changing our lives, both at home and in the workplace. We are now connected to the world 24 hours a day and have access to vast amounts of data in real time. It is also apparent that the pace of change isn’t likely to slow down any time soon. But there’s a downside to these new innovations—the more complex our technology has become, the greater the risk of our data and privacy being compromised. And nowhere is this more evident than in the healthcare industry.
How big is the threat? It's absolutely staggering. The scale of the problem is so significant that the Office for Civil Rights is only required to publish details of incidents affecting 500 or more patients [1]. In 2015, there were 229 breaches, affecting more than 113 million patients. So far this year, there have already been 100 breaches of security. When you consider that these figures are based only on reported incidents, and that the data doesn't include incidents involving fewer than 500 patients, you can easily recognize that the true scope is significantly larger. In fact, reports of security breaches in mainstream media are now so common that the average member of the public isn't even surprised any more. What they do take notice of, however, is who it happens to. If your business name or identity is involved, you risk losing patient trust and your professional reputation. One study estimated the cost to the industry at $6.2 billion a year [2]. No one can afford that.
Implementing HIPAA Controls
The U.S. Department of Health and Human Services (HHS) has legislation in place to help mitigate the risks and assist organizations in developing effective data governance policies. In this context, data governance refers to a practice's ability to safeguard its patients' confidential information [3]. Anyone involved in the healthcare profession needs to be aware of the Health Insurance Portability and Accountability Act (HIPAA). You can find a wealth of resources at these websites:
- www.HHS.gov - has detailed information about the legislation;
- www.healthIT.gov - has information about interpretation and compliance.
In general, this legislation mandates two types of compliance—required and addressable. The 'required' regulations are compulsory for all healthcare providers. The 'addressable' provisions are more flexible in that they take into account that not all organizations command the same degree of resources, and that compliance will be a tailored response.
Now, let's consider the best practices for healthcare security.
- Risk Assessment
The most important undertaking you can make is to evaluate the risks associated with your healthcare practice. There are many risks to consider, though some will be more relevant to your practice than others.
Every possible risk needs to be identified and a policy introduced to deal with it. Part of the solution will also assign accountability. Your policies will also need to include contingency plans outlining what to do when a breach happens. It is better to think 'when, rather than if' because security breaches will affect every organization at some point.
Also, keep in mind that this is an on-going process that you will need to revisit periodically. The real world is dynamic—technology evolves, employees change, and government regulations are constantly being updated. Keep on top of things by scheduling regular audits.
If the undertaking feels daunting, that's because it is. Technology security is so complicated and so important that it has spawned its own industry. Unfortunately, not everyone can afford to hire a permanent consultant but what they can do is assign someone with excellent technology skills to take responsibility for the practice's security. And because security is so closely related to privacy, the roles can be combined into one.
This person will need to study the government's compliance documentation to ensure that guidelines are being followed appropriately. They will also need to ensure that current policies remain effective by reading security bulletins and observing industry trends. Within the practice, they'll be responsible for updating operating systems and software, and ensuring that firmware for medical equipment is patched. Because of their familiarity with practice policies and procedures, they might also be a valuable asset for staff education and training. As they gain experience in their role, they'll also be able to provide important feedback to management about any potential problems that need addressing.
It might seem strange including a list of things as obvious as these but, unfortunately, most workplaces still don't get them right. Remember, many employees will have very average IT skills and it's human nature to take shortcuts. Getting the basics right goes a long way towards hardening security:
- Ensure passwords are strong. They should be at least 8-10 characters long and contain a mix of upper and lower case letters, numbers, and symbols (e.g. "!@#$%^&*()_?><"). Never include easily guessable elements like birthdates, and never write them down. Check out ubergizmo.com for suggestions.
- Ensure passwords are changed regularly. This applies to logins for operating systems and best practice medical software. It also applies to wireless network passwords.
- Use security logs to monitor suspicious login attempts and network activity.
- Remove or disable unnecessary accounts that are no longer required, particularly for ex-employees.
- Prevent unauthorized software installation. Malware and ransomware are now so prevalent that installing unvetted software just isn't worth the risk.
- Remove unnecessary software and browser plugins. Three of the most notorious security concerns for admins are Adobe Flash Player, Adobe Acrobat Reader, and Oracle Java.
- Restrict access to dubious websites. This can be done at a system administration level.
- Restrict access to social media and chat clients on work machines. Consider allowing staff the freedom during downtime to access these on their own mobile devices.
- Restrict access to physical ports on work machines. For example, USB flash drives are notorious for infecting machines as well as facilitating data theft. If you have to allow access, enforce mandatory scanning of all media upon insertion.
- Never use outdated software. Windows XP and Internet Explorer can still be found on work machines even though they haven't received security updates from Microsoft for years! If your hardware isn't capable of running the latest software, consider updating that too.
- Finally, don't assume that reputation is a guarantee of quality. For years admins blindly installed Norton Antivirus because it was the "security standard" even though there were better alternatives available. Research is critical before any important decision. For example, check out www.av-test.org to see if your security software is up to the task.
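The "security logs" item above is easy to state and easy to neglect. As an added example (not code from the original article), this Python script scans constructed sshd-style auth log lines for bursts of failed logins from one source and notes whether that source later logged in successfully, which is the pattern a practice's security officer would want flagged for follow-up. The log format, hostnames and addresses are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of a Linux sshd auth log (an assumed
# format, not taken from the article). 203.0.113.7 hammers several accounts
# and then gets in; 198.51.100.4 is a staff member mistyping once.
SAMPLE_LOG = """\
Sep 12 08:01:10 ehr01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2
Sep 12 08:01:12 ehr01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50214 ssh2
Sep 12 08:01:15 ehr01 sshd[2203]: Failed password for root from 203.0.113.7 port 50220 ssh2
Sep 12 08:01:17 ehr01 sshd[2205]: Failed password for root from 203.0.113.7 port 50221 ssh2
Sep 12 08:01:19 ehr01 sshd[2207]: Failed password for nurse1 from 203.0.113.7 port 50230 ssh2
Sep 12 08:01:25 ehr01 sshd[2209]: Accepted password for nurse1 from 203.0.113.7 port 50233 ssh2
Sep 12 08:30:02 ehr01 sshd[2300]: Failed password for drsmith from 198.51.100.4 port 41000 ssh2
Sep 12 08:31:40 ehr01 sshd[2302]: Accepted publickey for drsmith from 198.51.100.4 port 41002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse(lines):
    """Yield (timestamp, result, user, ip) for each line that matches the format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["user"], m["ip"]

def find_suspicious(lines, threshold=5, window_seconds=60):
    """Report each source IP that produced `threshold` or more failed logins
    within `window_seconds`, noting whether that source later logged in."""
    failures, successes, users = defaultdict(list), defaultdict(list), defaultdict(set)
    for ts, result, user, ip in parse(lines):
        users[ip].add(user)
        (failures if result == "Failed" else successes)[ip].append(ts)
    alerts = []
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            last = times[i + threshold - 1]
            if (last - times[i]).total_seconds() <= window_seconds:
                alerts.append({"ip": ip, "failures": len(times), "users": sorted(users[ip]),
                               "success_after": any(s > last for s in successes[ip])})
                break  # one alert per source is enough
    return alerts
```

Run `find_suspicious(SAMPLE_LOG.splitlines())` to see the single alert for 203.0.113.7; tune `threshold` and `window_seconds` to your own log volume.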
It is often forgotten just how important employees are in a modern practice—they are the interface between you and your patients. A little investment in them will pay big dividends in the long term. Employees with a vested interest in their workplace are more likely to care about security and less likely to quit. And just as medical and IT professionals need on-going training, so too do your support staff. Regular training helps remind them about good security and privacy practices, as well as ensuring they are ready to respond swiftly and appropriately when something goes wrong.
It's inevitable that at some point something will go wrong, so every practice needs to develop and document a comprehensive back-up plan. This is part of disaster planning. During your risk assessment phase you'll need to determine what information you need to back-up and how you will go about doing it. You'll also need procedures for restoring back-ups following a disaster.
Many modern healthcare management systems now include data archival solutions, with updated records stored offsite in the "cloud". You can get advice about features like this by talking to a support person from your software's developer.
Encryption is the cornerstone of digital privacy and security so you need to make sure it is employed everywhere. No patient data should ever be stored in unencrypted form. Use industry-standard encryption algorithms. Ensure all hard drives and mobile devices have encryption enabled.
If you ever need to destroy records, research how to do it effectively and permanently. The same applies when you retire old hardware. If you cannot guarantee a device has been wiped permanently, don't recycle it.
Whenever you build or update your workplace or network, do so with security in mind. Servers should be located in locked rooms. For critical areas you might even want to consider installing cameras. Choose operating systems designed with enterprise-level security. Linux is a great choice for workstations and servers because it provides superb access control. Install firewall software to protect your network from external internet threats; better still, invest in a commercial-grade hardware firewall. Wireless networks should employ the latest encryption standards and if they can't, consider upgrading to something current so you get the manufacturer's security updates.
Mobile computing is the next 'big thing' and it's almost certain that mobile devices will eventually become part of your practice's network at some point. You'll need to ensure that you have policies in place to secure these devices. Policies may include restricting the removal of devices from their designated area of use or installing Mobile Device Management software (MDM) to enforce security policies on devices taken offsite.
Cloud computing is the other area of rapid growth. If any of your data is going to be accessible over an internet connection you need to be absolutely certain it is secure. Work with the vendor to ensure security is included in every facet of their system. If there is any doubt, choose a vendor with a proven track record.
We've already said it several times but it's so important that it deserves its own place on our list—documentation. All of your security and privacy policies need to be fully documented to be compliant with legislation. Not only that, but every time you update your policies you must also update your documentation.
Your documentation will serve as an essential reference during your regular procedure audits, as well as the training foundation for your employees. In an emergency, such as a security breach, they will provide you with a well-planned strategy for mitigating the impact of the disaster.
Curiously, security isn't an attainable state; it's an evolving ideal which you can never take for granted or become complacent with. For this reason, regular evaluation of policy and procedure is an essential part of the data governance process. You'll need to critically assess all of the items on this list to determine what is working well, what needs improvement, and how you might go about doing it. This could be done internally or through external audit, depending on your practice's size and resources. The good news is that by following a systematic approach, even the smallest healthcare practice will be able to comply with regulations and ensure its sensitive and confidential data is protected.
References
https://www.healthit.gov/providers-professionals-newsroom/top-10-tips-cybersecurity-health-care