Protecting Patient Data in Healthcare - How to be Secure & Compliant

By PokitDok Team,

Hacking, data breaches, and personal information leaks are having a big impact on the healthcare industry — and negligence is as much at fault as any hacker's malicious intent.

Eric Wicklund at mHealthNews is reported as saying that the healthcare industry's data is breached almost every week. These breaches don't just put our data at risk; they damage reputations, are time-consuming, make recovery difficult, and often result in large fines.

The organizations we trust with our most personal information need to take strong, proactive, effective, and secure steps to keep our records safe. It's vital to understand how we got here, and what PokitDok and other healthcare businesses are doing to solve the problem.

It Starts With Negligence

Quite apart from those trying to illegally access our data, the organizations that store and transmit our medical information are often prone to negligence.

One IT error by Systems Software resulted in up to 1.5 million medical records being exposed online. A “contractor's mistake” resulted in drug tests, detailed doctor visit notes, and Social Security numbers being made publicly available on Amazon Web Services, according to Kate Knibbs' Gizmodo article.

Better training and vetting of IT staff, combined with double-checks on completed work, would lead to fewer mistakes and more reliable security protecting our records.

In another instance, American health insurer Centene Corp. lost six hard drives full of patient information. Some 950,000 sensitive customer records were affected by the breach. This included customers' names and addresses, dates of birth, Social Security numbers, and health information, according to The Register's Darren Pauli.

So what can we do to proactively protect what is arguably our most valuable asset? First, a bit of context:

Why Are Hackers Trying to Steal Healthcare Records?

A report from the Ponemon Institute noted that criminal attacks are the primary cause of healthcare data loss. Cyber criminals take advantage of two things about the healthcare industry:

  1. Organizations manage a treasure trove of financially lucrative personal information
  2. They may not have the resources, processes, or technology to detect attacks and protect healthcare data

Hackers are becoming more and more sophisticated while organizations are dealing with huge amounts of data across multiple systems in addition to legacy infrastructure.

It's Costing a Fortune for the Healthcare Industry

Medical identity theft is becoming a bigger problem than general identity theft, according to Paul Syverson, one of the founders of The Dark Web. The Brookings Institution agrees, saying that more than 155 million Americans have potentially had their medical data exposed in the last six years.

Hacking and intentional breaches are also on the rise. 2015 saw more than 94 million electronic medical records compromised, according to Paige Cunningham in a Washington Examiner article. The American Action Forum estimates that breaches since 2009 have cost the healthcare system more than $50 billion.

The scale and severity of this situation are only part of the problem, though. Finding the right solution is another matter entirely. What can organizations do to help safeguard against these increasing threats? To start, the industry needs to agree on, and constantly evolve, a rigorous set of security standards and principles. We need to get ahead of the threats - which isn't easy with inconsistent technology and outdated processes.

Strong Data Security Principles Need to Apply Across the Healthcare Industry

Becker's Health IT & CIO Review says that while there are big advantages for patients and physicians using telehealth and web conferencing, protecting information from accidental breaches and cyberattacks is essential. That protection comes from a laser focus on security.

Security principles, technologies, and best practices need to be hard-baked into every part of an organization. It's not enough to just have a security department. Every employee has a responsibility to protect data as well.

It's not only one organization or company, either. The healthcare industry as a whole needs to embrace these changes. Companies must demand rigorous data protection from the inside out - including partners and contractors, even if regulations like HIPAA don't apply. Attention to security can't be reactive rule-following - healthcare has to internalize the reason why these rule sets exist and build everything from software to personnel processes with security and compliance in mind.

PokitDok Is Leading the Way in Protecting Medical Data

PokitDok's team designed our system so there's no single point of failure. We are HIPAA compliant, and all data is encrypted, whether it's at rest in our systems or in transit. Security is critical and built into services including the scheduling solution and the PokitDok Identity Management System.

Our emphasis on strong, encrypted data security also applies to the companies we work with. PracticeSense uses sophisticated, state-of-the-art security protocols to encrypt communications with users. Doctor On Demand stores every piece of patient information — clinical notes, medical records, everything — on encrypted servers.

It's a Challenge the Healthcare Industry Can (and Must) Face

The final word goes to Maria Korolov at CSO Online, who recognizes that healthcare organizations face unique security challenges. This includes training personnel to access and use medical records appropriately and avoid social engineering.

Putting effective security measures in place — both internally and with business partners — is critical to ensuring the safety of medical information. All areas are affected and deserve the highest security measures: accessing information on mobile devices, transferring data to and from medical equipment, and the transmission of information between data networks. When the healthcare industry as a whole makes a committed effort to improving security, our medical information will be that much safer.


The opinions expressed in this blog are of the authors and not of PokitDok's. The posts on this blog are for information only, and are not intended to substitute for a doctor-patient or other healthcare professional-patient relationship nor do they constitute medical or healthcare advice.

  Tags: Enterprise, Security
