The number of customers affected by data breaches in the healthcare industry this past year has been staggering:
- Anthem Blue Cross: 80 million customers affected
- Premera Blue Cross: 11 million customers affected
- Community Health Systems: 4.5 million customers affected
The Anthem breach, the biggest one yet, is expected to have damages that exceed its $100 million insurance policy.
That kind of money is quite attractive to thieves. According to PwC, the private information attackers were after can command $1,300 per patient record on the black market.
Electronic medical records, bring-your-own-device trends (or “shadow IT”), the transition from paper files to tablets, and a whole host of other “digitizing” practices are changing how we view patient privacy.
The process of securing your patients’ data can be daunting – especially if you’re a small business without an IT department.
However, the fact is that in the majority of these breaches, both within and outside the healthcare industry, implementing well-known security measures could have prevented these attacks from happening in the first place.
Securing your data with these measures is a must if you want to avoid a data breach – even the smallest breach for a small business can be enough to send it into bankruptcy.
A full explanation of all these measures requires a certified security engineer. While they may be pricey, it’s well worth the money.
But like implementing any piece of technology, you should never go into the security contracting process without knowing some of the industry lingo to help you understand what is being recommended to you.
Here are some of the measures your security engineer may tell you about:
Firewalls:
These are hardware or software devices that filter traffic based on certain criteria such as where the traffic is going, where it is coming from, and what kind of traffic it is. Most routers these days come with a firewall built in, but to get full protection it should be configured by a security professional.
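To make the "filter traffic based on certain criteria" idea concrete, here is a small rule-based packet filter written as an added example for this article (it is not code from the post or from any firewall product). The addresses, the office network 10.0.0.0/24, the portal server 10.0.0.10 and the "billing clearinghouse" block 203.0.113.0/24 are all constructed for the example. Rules are evaluated top to bottom and the first match wins, ending in a default-deny rule, which is the usual way a professional configures a firewall.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in": arriving from the internet, "out": leaving the office
    proto: str       # "tcp" or "udp"
    src: str         # source IP address
    dst: str         # destination IP address
    dport: int       # destination port


def _in_block(addr: str, block: str) -> bool:
    """True if addr falls inside the CIDR block, or the block is "any"."""
    return block == "any" or ip_address(addr) in ip_network(block)


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    direction: str           # "in", "out" or "any"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # CIDR block or "any"
    dst: str                 # CIDR block or "any"
    dport: Optional[int]     # None matches every port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (
            self.direction in ("any", p.direction)
            and self.proto in ("any", p.proto)
            and _in_block(p.src, self.src)
            and _in_block(p.dst, self.dst)
            and (self.dport is None or self.dport == p.dport)
        )


# Constructed rule set for a small practice: the office network is 10.0.0.0/24,
# the patient portal lives on 10.0.0.10 and the only outside party allowed to
# reach it is a (hypothetical) billing clearinghouse on 203.0.113.0/24.
RULES: List[Rule] = [
    Rule("allow", "out", "tcp", "10.0.0.0/24", "any", 443, "staff web browsing over HTTPS"),
    Rule("allow", "out", "udp", "10.0.0.0/24", "10.0.0.53/32", 53, "DNS to the office resolver"),
    Rule("allow", "in", "tcp", "203.0.113.0/24", "10.0.0.10/32", 443, "clearinghouse to the portal"),
    Rule("deny", "any", "any", "any", "any", None, "default deny"),
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, reason) for the first rule that matches; deny if none does."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return "deny", "implicit deny"


if __name__ == "__main__":
    samples = [
        Packet("out", "tcp", "10.0.0.25", "93.184.216.34", 443),   # staff browsing
        Packet("in", "tcp", "198.51.100.7", "10.0.0.10", 3389),    # unsolicited remote desktop
        Packet("in", "tcp", "203.0.113.5", "10.0.0.10", 443),      # clearinghouse to portal
    ]
    for pkt in samples:
        print(pkt.direction, pkt.proto, pkt.src, "->", pkt.dst, pkt.dport, filter_packet(pkt))
```

Notice that nothing inbound is reachable unless a rule explicitly says so; a router left on its factory defaults often has the opposite posture, which is why the article recommends having the configuration reviewed.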
Intrusion Detection and Protection System:
These are devices placed across your computer network that are able to detect and/or react to cyber attacks. There are a few different types of IDPSs, based on whether they just detect an attack or detect and respond (passive vs. active), whether they sit on a networking device like a router or on a host system like your desktop computer (network vs. host), and how they analyze the traffic (knowledge-based vs. behavior-based). This last distinction is of special importance, as one security analyst said that a behavior-based (aka anomaly analysis) IDPS could have prevented the Anthem attack. Whereas a knowledge-based system uses a library of known attacks to determine whether network traffic is friend or foe, a behavior-based system looks for traffic that deviates from normal patterns.
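The difference between the two analysis styles is easiest to see on real-looking data, so here is an added example (not code from the article or from any IDPS vendor) that runs both over a handful of constructed web-proxy log lines. The knowledge-based part matches each line against a small signature library; the behavior-based part learns how many bytes each workstation normally downloads per day and flags a day that exceeds the mean plus three standard deviations. Hostnames, paths, byte counts and the "EvilScanner" user-agent signature are all invented for the example.

```python
import re
import statistics
from collections import defaultdict
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed proxy log format:  day  host  "user-agent"  path  bytes
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\d+)$')

# Three quiet days that establish what "normal" looks like for two workstations.
BASELINE_LOG = """\
2015-06-01 ws-07 "Mozilla/5.0" /records/view?id=101 12000
2015-06-01 ws-07 "Mozilla/5.0" /records/view?id=102 8000
2015-06-02 ws-07 "Mozilla/5.0" /records/view?id=103 14000
2015-06-02 ws-07 "Mozilla/5.0" /schedule 10000
2015-06-03 ws-07 "Mozilla/5.0" /records/view?id=104 22000
2015-06-01 ws-12 "Mozilla/5.0" /records/view?id=201 15000
2015-06-02 ws-12 "Mozilla/5.0" /records/view?id=202 17000
2015-06-03 ws-12 "Mozilla/5.0" /schedule 16000
"""

# Today: ws-07 pulls a bulk export, and an unknown host ws-03 trips two signatures.
TODAY_LOG = """\
2015-06-04 ws-07 "Mozilla/5.0" /records/view?id=105 9000
2015-06-04 ws-07 "Mozilla/5.0" /records/export?all=1 900000
2015-06-04 ws-07 "Mozilla/5.0" /schedule 8000
2015-06-04 ws-12 "Mozilla/5.0" /records/view?id=203 7000
2015-06-04 ws-12 "Mozilla/5.0" /schedule 8000
2015-06-04 ws-03 "EvilScanner/1.0" /static/../../config.ini 300
"""

# Knowledge-based: a (constructed) library of known-bad patterns.
SIGNATURES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("directory traversal in URL path", re.compile(r"\.\./")),
    ("known scanner user-agent", re.compile(r"^EvilScanner/")),
]


def parse_log(text: str) -> Iterator[dict]:
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the sensor
        day, host, ua, path, nbytes = m.groups()
        yield {"day": day, "host": host, "ua": ua, "path": path, "bytes": int(nbytes)}


def signature_alerts(text: str) -> List[Tuple[str, str]]:
    """Knowledge-based detection: every line is compared with every signature."""
    alerts = []
    for e in parse_log(text):
        for name, pattern in SIGNATURES:
            if pattern.search(e["ua"]) or pattern.search(e["path"]):
                alerts.append((e["host"], name))
    return alerts


def daily_totals(text: str) -> Dict[str, Dict[str, int]]:
    """host -> day -> bytes downloaded that day."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in parse_log(text):
        totals[e["host"]][e["day"]] += e["bytes"]
    return totals


def build_baseline(text: str, k: float = 3.0) -> Dict[str, float]:
    """Per-host alert threshold: mean daily bytes plus k standard deviations."""
    baseline = {}
    for host, days in daily_totals(text).items():
        values = list(days.values())
        mean = statistics.mean(values)
        stdev = statistics.stdev(values) if len(values) > 1 else 0.0
        baseline[host] = mean + k * stdev
    return baseline


def anomaly_alerts(today: str, baseline: Dict[str, float]) -> List[Tuple[str, int, Optional[float], str]]:
    """Behavior-based detection: flag hosts whose volume deviates from their own history."""
    alerts = []
    for host, days in daily_totals(today).items():
        total = sum(days.values())
        if host not in baseline:
            alerts.append((host, total, None, "no baseline for this host"))
        elif total > baseline[host]:
            alerts.append((host, total, baseline[host], "exceeds baseline"))
    return alerts


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(TODAY_LOG))
    print("anomaly alerts:", anomaly_alerts(TODAY_LOG, build_baseline(BASELINE_LOG)))
```

The signature pass says nothing about ws-07, because a bulk export of records is a perfectly legal request that matches no known attack; only the behavior-based pass notices that ws-07 moved roughly forty times its normal daily volume. That is exactly the kind of deviation the analyst quoted above had in mind.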
Encryption:
This is the process of using letters, numbers, and mathematical formulas to make your data unreadable to outsiders. There are thousands of different encryption techniques and technologies. For instance, you probably use HTTPS, the secure web protocol, every day. If you hold any kind of patient data, there are probably legal requirements that say it must be encrypted – and even if not, you should be encrypting anyway. Encryption is one of the simplest ways to make sure your patient data stays private.
Penetration testing:
Penetration testing is when a professional versed in information security attempts to hack into your network. They’re looking for all the vulnerabilities that attackers would look for in an attempt to compromise your data security. After the test, the testers will give you a report of all the weak points in your computer and network security, allowing you to fix them and keep the bad guys from getting your important information.
Authentication:
This is the process of confirming that a user is exactly who they say they are. The most well-known authentication process is submitting a username and password to log on to your computer. The general rule of thumb is that the more levels of authentication, the more secure your data will be (the harder it is to impersonate an authorized user). So, for example, in addition to a username and password, many companies (especially in the defense industry) will also require the user to swipe their ID card through a reader attached to the computer or scan their thumbprint.
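As an added illustration of "more levels of authentication" (this is example code, not from the article), the block below checks two factors: a password stored only as a salted PBKDF2 hash, and a six-digit one-time code generated by the standard TOTP algorithm (RFC 6238, built on the HOTP construction from RFC 4226) that an authenticator app or hardware token would produce. The user name "dr.lee", the password and the shared secret are constructed for the example; the secret happens to be the one used in the RFC test vectors so the codes can be checked against published values.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Factor 1 setup: store a random salt and a slow, salted hash, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # compare_digest avoids leaking how many bytes matched through timing
    return hmac.compare_digest(candidate, digest)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated to N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1) -> bool:
    """Factor 2 check: accept the current code or one step either side for clock drift."""
    counter = int(timestamp) // 30
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


def authenticate(username: str, password: str, code: str, user_db: Dict[str, dict], now: int) -> bool:
    """Both factors must pass; failing either one gives the same answer to the caller."""
    record = user_db.get(username)
    if record is None:
        return False
    if not verify_password(password, record["salt"], record["hash"]):
        return False
    return verify_totp(record["totp_secret"], code, now)


if __name__ == "__main__":
    import time
    # Constructed enrolment: in practice the secret is generated per user and shown as a QR code.
    secret = b"12345678901234567890"
    salt, digest = hash_password("correct horse battery staple")
    users = {"dr.lee": {"salt": salt, "hash": digest, "totp_secret": secret}}
    now = int(time.time())
    print("current code for the demo token:", totp(secret, now))
    print("login with both factors:", authenticate("dr.lee", "correct horse battery staple", totp(secret, now), users, now))
    print("login with password only:", authenticate("dr.lee", "correct horse battery staple", "000000", users, now))
```

Even if the password leaks (the most common failure in the breaches listed at the top of this article), the login still fails without the code from the physical token, which is the whole point of adding a level.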
I know a lot of these technical terms may be overwhelming – but there is a good piece of news when it comes to creating a secure environment for your data. While technical controls get all the attention in the news, they will never be as important as good policy and human resource controls.
A few of these include:
- Training users about how to detect and protect themselves from common cyber attacks (like phishing and downloading viruses and other malware)
- Conducting the appropriate background checks on new hires
- Utilizing secure work practices like separation of duties and task rotation
- Making regular security reviews/audits a core part of your business
- Limiting employee access to important patient data on a strict need-to-know basis
So now you’re ready to really protect your patients’ valuable information. Patient privacy and security are extremely important, so arming yourself with knowledge is the first line of defense against security breaches and attacks. The next step is to find a security engineering consultant to help you implement all the security measures we just addressed.
That concludes our four part series on how to digitize your practice. We hope that this information has been informative and useful as you start on your journey to digitizing your practice.