How to Digitize Your Practice in 4 Easy Steps – Part 4: Keep it Secret, Keep it Safe


The number of customers affected by data breaches in the healthcare industry this past year has been staggering:

  • Anthem Blue Cross: 80 million customers affected
  • Premera Blue Cross: 11 million customers affected
  • Community Health Systems: 4.5 million customers affected

The Anthem breach, the biggest one yet, is expected to have damages that exceed its $100 million insurance policy.

That kind of money is quite attractive to thieves. According to PwC, the private information attackers were after can command $1,300 per patient record on the black market.

Between electronic medical records, bring-your-own-device trends (or “shadow IT”), the transition from paper files to tablets, and a whole host of other “digitizing” practices, the way we view patient privacy is changing.

The process of securing your patients’ data can be daunting – especially if you’re a small business without an IT department.

However, the fact is that in the majority of these breaches, both within and outside the healthcare industry, implementing well-known security measures could have prevented these attacks from happening in the first place.

Securing your data with these measures is a must if you want to avoid a data breach – even the smallest breach for a small business can be enough to send it into bankruptcy.

A full explanation of all these measures requires a certified security engineer. While they may be pricey, it’s well worth the money.

But like implementing any piece of technology, you should never go into the security contracting process without knowing some of the industry lingo to help you understand what is being recommended to you.

Here are some of the measures your security engineer may tell you about:

Firewalls:

These are hardware or software devices that filter traffic based on certain criteria such as where the traffic is going, where it is coming from, and what kind of traffic it is. Most routers these days come with a firewall built in, but to get full protection it should be configured by a security professional.

Intrusion Detection and Protection System:

These are devices placed across your computer network that are able to detect and/or react to cyber attacks. There are a few different types of IDPS, distinguished by whether they only detect an attack or detect and respond to it (passive vs. active), whether they sit on a networking device like a router or on a host system like your desktop computer (network vs. host), and how they analyze the traffic (knowledge-based vs. behavior-based). This last distinction is of special importance, as one security analyst said that a behavior-based (aka anomaly analysis) IDPS could have prevented the Anthem attack. Whereas a knowledge-based system uses a library of known attacks to determine whether network traffic is friend or foe, a behavior-based system looks for traffic that deviates from normal traffic patterns.
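To make the knowledge-based vs. behavior-based distinction concrete, here is a small added Python illustration (not code from the post or from any IDPS product): a toy signature detector and a toy per-user baseline detector run over the same constructed access-log lines. The user names, paths, record counts and the “10× baseline” threshold are all made up for the example.

```python
"""Added example (not from the post): a toy knowledge-based detector and a
toy behavior-based detector run over constructed access-log lines, to show
that each catches something the other misses."""
import re
from collections import defaultdict
from statistics import mean

# Constructed sample log: "<user> <records returned> <request path>"
SAMPLE_LOG = """\
alice 1 /records/1042
alice 1 /records/1043
bob 2 /records/2001
alice 1 /records/1044
bob 1 /records/2002
bob 1 /records/2003
alice 1 /records/1045
mallory 1 /records/../../admin/config
bob 5000 /records/export?all=1
"""

KNOWN_BAD = [re.compile(r"\.\./")]  # tiny "known attack" library: directory traversal


def parse(log):
    """Turn the raw log text into (user, records, path) tuples."""
    rows = []
    for line in log.splitlines():
        user, records, path = line.split(" ", 2)
        rows.append((user, int(records), path))
    return rows


def signature_alerts(rows):
    """Knowledge-based: flag a request only if it matches a known signature."""
    return [user for user, _, path in rows
            if any(p.search(path) for p in KNOWN_BAD)]


def anomaly_alerts(rows, factor=10):
    """Behavior-based: flag a request whose record count exceeds `factor`
    times the mean of that user's earlier requests (their baseline)."""
    history = defaultdict(list)
    alerts = []
    for user, records, _ in rows:
        if history[user] and records > factor * mean(history[user]):
            alerts.append(user)
        history[user].append(records)
    return alerts


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("signature:", signature_alerts(rows))  # ['mallory']
    print("anomaly:  ", anomaly_alerts(rows))    # ['bob']
```

The traversal request has no unusual volume, so only the signature detector sees it; the 5,000-record export matches no known pattern, so only the baseline detector sees it, which is why the two approaches are normally deployed together.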

Encryption:

This is a process of using letters, numbers, and mathematical formulas to make your data unreadable to outsiders. There are thousands of different encryption techniques and technologies. For instance, you probably use HTTPS, a secure internet protocol, every day. If you have any kind of patient data, there are probably legal requirements that say it should be encrypted – and if not, you should be encrypting anyway. Encryption is one of the simplest ways to make sure your patient data stays private.

Penetration testing:

Penetration testing is when a professional versed in information security attempts to hack into your network. They’re looking for all the vulnerabilities that hackers would be looking for in an attempt to compromise your data security. After their hack, testers will give you a report of all the weak points in your computer and network security, allowing you to patch them and prevent the bad guys from getting your important information.

Authentication:

This is the process of confirming that the user is exactly who they say they are. The most well-known authentication process is submitting a username and password to log on to your computer. The general rule of thumb is that the more levels of authentication, the more secure your data will be (the harder it is to impersonate an authorized user). So for example, in addition to a username and password, many companies (especially in the defense industry) will also require the user to swipe their ID card through a reader attached to the computer or scan their thumbprint.

I know a lot of these technical terms may be overwhelming – but there is a good piece of news when it comes to creating a secure environment for your data. While technical controls get all the attention in the news, they will never be as important as good policy and human resource controls.

A few of these include:

  • Training users about how to detect and protect themselves from common cyber attacks (like phishing and downloading viruses and other malware)
  • Conducting the appropriate background checks on new hires
  • Utilizing secure work practices like separation of duties and task rotation
  • Making regular security reviews/audits a core part of your business
  • Limiting employee access to important patient data on a strict need-to-know basis

So now you’re ready to really protect your patients’ valuable information. Patient privacy and security are extremely important, so arming yourselves with knowledge is the first line of defense against security breaches and attacks. The next step is to find a security engineer consultant to help you implement all the security measures we just addressed.

That concludes our four part series on how to digitize your practice. We hope that this information has been informative and useful as you start on your journey to digitizing your practice.

How to Digitize Your Practice in 4 Easy Steps – Part 3: Get Your Share of the Data Gold Mine

The term “open source” is thrown around a lot these days, especially when mentioned alongside the names of tech giants like Google, Facebook, and Twitter. But despite its deeply technological roots, you don’t have to be a software genius to take advantage of all the benefits open source can provide.

Briefly speaking, open source (and open data) means allowing public access to programming source code (the building blocks of computer software and applications) and data sets.

One of the most popular examples of open source development is the Linux operating system. It has been around since the early ’90s, but has developed hundreds of varieties as both professional and amateur programmers are able to access the original source code and customize the operating system to suit their own needs (and the best part – it’s free!).

A good example of open data is New York City’s open data program. You can go here to find just about every kind of data piece imaginable about the city, from restaurant health inspection grades to a list of all licensed taxi drivers and the average daily inmate population of the city’s jails.

For the healthcare industry, the primary benefits of open development have to do with data sharing and opening everything to everyone. Think about it: there are trillions of bits of medical data being collected every day, from the newest invention in the Internet of Things to the traditional research being conducted by universities and pharmaceutical companies across the world. Like New York City’s data sets, these can be combined by individual practices, hospitals, etc. to come up with new insights into their own businesses and the healthcare industry in general.

So how exactly does this help you?

Imagine using Google data of the top health searches in your area for specific marketing and ad campaigns to bring in more clients. Or, using the latest research data from multiple health disciplines to come up with unique, holistic solutions to common health problems you’re seeing in your practice. You can even share your own data with other practices to increase patient awareness on topics of concern.

Of course if you’re like any law-abiding provider, your first concern about all this data sharing is the privacy of your patients. The aggregate information method of data sharing uses a collection of personal data with all identifying information removed. This is the safest way to use data without compromising the privacy of patients. If you plan on using or distributing patient data, make sure that it is completely scrubbed of all identifying information, lest you open yourself up to lawsuits and legal investigations.

The other way to use open development is by utilizing the open source code that is planted across the internet. With the right skill set, you can utilize this code to create and customize your own applications.

You can find open source code for just about everything these days; it’s all a matter of figuring out what you want to build, finding the code, and then finding a programmer to tailor it for you.

This concludes part three in our 4-part Digitize Your Practice series. In the conclusion of the series, we’ll look into the biggest concern your patients have when it comes to digitizing your practice: their privacy.