Healthcare Data Security – Surviving the Perfect Storm

I recently spoke at the Health Informatics Scotland conference on one of the most important and challenging issues facing Healthcare organizations today – Patient Information Security. Healthcare is essentially in the midst of “the perfect storm” of evolving security threats making it one of, if not the “most breached” industries.

This perfect storm is created by:  the move to electronic records, sharing access to records for better clinical collaboration, mobile access to this data anytime from anyplace with devices like tablets and smartphones, and capped off with increasing compliance and regulatory requirements. Adding to these challenges driven by industry transformation are the extremely well-organized and sophisticated hackers targeting the industry.  With increased enforcement and penalties we urge all healthcare related organizations to implement a security strategy immediately.

Here are some tips to help you survive this terrible storm that I presented:

(Please visit the site to view this video)

Be Aware of ePHI (including 3rd Parties) – 
Ensuring that the organization’s staff is fully trained to help stem employee negligence, in the cases of lost laptops, USB drives, or passwords left on monitors; then you will have come a long way toward preventing the most common causes of breach.

  • Staff education and training
  • Understanding of compliance requirements
  • Assume that all portable devices contain PHI
  • Proper credentialing and authorization

Mobile Device Security – According to a Ponemon study, 81 percent of healthcare providers use mobile devices to collect, store, and/or transmit some form of personal health information (PHI). But, only 49 percent of those admit they’re taking steps to secure their devices and the majority of data breaches come from a lost or stolen physical device. Clearly this is an area of opportunity to enhance efforts and prevent a potential firestorm of breaches.

  • Policies, procedures and technology – properly manage BYOD policies
  • A consistent approach to encryption including Full disk encryption

Compliance – Security can’t be a one-time event used to apply for federal incentives or examine the system – it really has to be a repeatable and sustainable process that allows for regular updates and mitigation at any point in the cycle, and this involves having a clear inventory and accounting of every element of PHI that your organization holds, whether it’s on paper or in electronic format.

  • Security Risk Analysis and threat reporting
  • Clear documentation of risk points
  • Incident response plan

Do you need help weathering this storm?

The first thing to recognize through all this is that most breaches are preventable. But to reduce the risk, you must know where your data is being stored, who has authorization to it, and where it is being sent. What’s important is to manage your data using a layered security approach, which involves monitoring information, protecting endpoints, and having real-time alerts when something’s gone awry.

Dell has developed a multi layered approach to security which provides certified, integrated and affordable solutions with reduced complexity so any healthcare entity can build a security solution that provides comprehensive protection. No single technology is able to protect against the volume and the sophistication of current and new threats that companies face. Please visit the security area of our Healthcare website or contact us if you would like help.

About the Author: Dr. Andrew Litt