Without the sacrifice of our frontline workers over the past two challenging years, many of our communities would not have been able to receive vital care. However, while healthcare providers have been busy protecting our communities, who has protected the sensitive personal data collected in the process?
Many factors have added complexity to the healthcare industry during the pandemic – from admitting and triaging an increasing volume of patients (virtually or in-person) to managing a workforce that shifts from hospital to hospital while combating a dwindling supply of healthcare workers.
With tight resources for managing healthcare, the IT challenge to keep track of vast amounts of data being created, accessed and modified is critical. How can we ensure the need for data privacy and security doesn’t accidentally slip through the cracks?
The best starting point for reviewing data privacy and security best practices is to consider the tasks staff need to complete. Too often, complex software and hardware deployments overwhelm and fail because a business need was not considered at the design phase and the resulting solutions added complexity instead of focusing on improved user experience.
Secure Healthcare Data Best Practice
Global regulations have been introduced to guide organizations toward best practices in data protection and privacy. These include HIPAA for the US, and the GDPR across the EU. Both focus on protecting data related to individuals, Personally Identifiable Information for the GDPR, and Protected Health Information for HIPAA, ensuring that information is stored confidentially and used in an agreed manner.
The challenge in securing data for healthcare is not adherence to regulations. It is in keeping pace with ever-changing threats.
Protecting Healthcare Data Starts with Staff
No one purposely leaks data, but when dealing with hectic staff across so many hospital areas, it only takes one slip to cause a disaster. It may not be possible to run an entire cyber-awareness program, but perhaps consider short, sharp awareness videos and emails for ongoing awareness. This also helps to overcome a regular flow of new staff members in a healthcare facility.
Additionally, look to ‘gamify’ the approach with points or gift cards for people who successfully complete activities. Free coffee is always a temptation.
At the same time, enhancing security access controls to restrict access reduces risk by only allowing access to applications for users who explicitly require it to perform their role. This can be improved by using location-based controls to prevent confidential data from being viewed on terminals in public locations. Consider multi-factor authentication to enhance the enforcement of access to appropriate resources. This could be a combination of user-password and an identity card, or even biometric access.
Secure Devices are Safe(r ) Devices
There is a proliferation of mobile devices used in healthcare; tablet and smartphone applications allow specialists to make decisions at the bedside, and administrative workers can process requests faster from anywhere.
Mobile devices must be secured, but I recommend taking these guidelines a step further. All devices used by staff for accessing healthcare information should be given the same levels of device security, including:
• Central endpoint management with control of settings and application access
• Location-based controls to prevent confidential data access in public locations
• Enforced strong password and multi-factor authentication
• Remote wipe and lock for lost or stolen devices
• Email monitoring to reduce the risk of malware or data exfiltration
• Data encryption
• Prevent access for devices where the latest security updates have not been applied
• Create more restrictive policies for BYOD configurations – ideally, do not allow BYOD
User endpoints are the first step when considering ‘all devices’ – we must also add IoT (Internet of Things). Healthcare has seen considerable growth in this area, from monitoring devices to pacemakers and body scanners to cameras. Many of these devices are in use 24 hours of the day, can be hard to take offline for updates and are used in high-risk environments. For this, additional security must be considered:
• IoT devices should be managed on separate networks than user devices and monitored continuously for any abnormal behavior that could indicate malware.
• When implementing IoT, ensure that only essential services of the device are used.
• Make sure to reset passwords and apply the same policy as with end-user devices.
Run Risk Assessments on all Links in the Chain
Continuous assessment is a valuable investment in time. Most systems have audit trails or logs, but these are generally most useful after an attack to help understand the root cause. A regular risk assessment can identify new vulnerabilities that may have been introduced in upgrades or configuration changes and highlight any supply chain risks. The key steps in an assessment are:
1. Determine what needs assessment: It is not practical to assess a large organization at one time (especially one dealing with critical healthcare services). The assessment can be broken into more manageable pieces with a focus on individual units or functions. This way, it will be easier to gain stakeholder support and reduce the time taken to perform the assessment
2. Identify which assets are included in the assessment: Understand what needs protecting. Do not just consider the big items such as highly valued medical devices, but also look at methods of access and connectivity. A criminal is unlikely to attack directly as this will be spotted quickly. Attacks typically come from unexpected directions.
3. Analyze the risk impact of an attack: An un-patched web server may allow access to an attacker using a code-injection attack. What risk does this pose to the business? Understanding the risk posed to the organization by a vulnerability and weighing that against other risks to build an acceptable posture is the aim of an assessment. Rate specific risks on how likely it is to occur, which helps make decisions on what needs to be changed. Then consider the impact of the risk using Confidentiality, Integrity and Availability (or CIA, that well-known cybersecurity acronym) to the organization. Cross-reference these scores for a final decision on the final impact of any given risk – allowing a decision on when/how to update.
Healthcare relies on data and so data privacy and security must be taken seriously. The sometimes-daunting investments in end-user, device and IoT protection are the start of this journey, but will be worthwhile. Having these initiatives in place is an excellent start toward building a comprehensive data protection program, helping to ensure that data is protected against evolving threats and avoiding the risk of costly penalties from a breach (not to mention retaining patient trust).