Healthcare data is some of the most personal information any of us have. In the midst of the global pandemic, many people whose information would not normally have entered medical systems are being hospitalized, and data about them is being collected. With protected health information such a lucrative target for cybercriminals, are we living in a new age of identity theft and exposed secrets, or can we take steps to keep our information safe? Likewise, can our medical IT and security departments keep life-saving systems secure from attacks that could take them offline?
Living in the Past
Medical information systems tend to be slow to change with the times. There is, of course, a reason why: Caring for patients is already an intense, consuming process. Adding complexity to healthcare jobs could hinder proper care. Unfortunately, complexity is exactly what security is often perceived to be.
Common security measures include periodically changing passwords, eliminating password reuse and limiting access to applications and data. Another complication is the lack of familiarity with updated software and devices. Anything that will take time to learn is naturally going to interfere with a provider’s ability to care for their patients. With that in mind, these security measures often sound unmanageably restrictive.
Given how these security procedures can easily slow down reaction times in a high-stress situation, it makes sense that medical organizations are often slow to adopt new security procedures. The last thing we want is for a doctor or nurse to have to try multiple passwords, find the person who has access to the system or data they need or stop to remember how to use a new system. As reported in HIPAA Journal, this has essentially led to an increase from 18 significant healthcare data breaches in 2009 to 510 breaches in 2019, with breach size increasing as well. The good news is that there are ways medical information security can be improved without significantly disrupting the quality of care.
Ripples, Not Waves
There may not be a perfect solution, but there is a lot we can do without bringing our healthcare systems to a halt at a time when patient care and the need to protect medical data are both at an all-time high. The key is to make the changes with the largest impact while minimizing chaos for the users. Some of these changes include updating credential management, changing how our data is stored and transmitted and having a renewed focus on security in general. This will involve training staff in best practices and in spotting and avoiding phishing attacks, as well as setting up regular penetration testing.
These changes come with varying levels of complexity, disruption and impact. To keep the chaos away from healthcare providers, application developers and IT teams must take on most of the work involved in these changes, now and moving forward. In many ways, these teams are just as responsible for patient lives as the doctors and nurses are. All it takes is one ransomware attack taking down life-saving equipment and lives are lost.
Make a Change, Save a Life
One of the easiest changes that many healthcare organizations are already adopting is to update credential management policies. This is where I would normally recommend multi-factor authentication, and that is exactly what I am going to do; however, healthcare calls for a narrow solution path. In healthcare, we specifically need USB keys to keep the login process simple.
For systems that have access to patient records, a combination of USB keys and password managers should be used to ensure proper identity verification while avoiding password reuse. Single sign-on should also be used whenever possible. Where default passwords are typically used, systems need to be in place that give each user their own credentials, instead of having to pull the default from a website that is available to anyone.
With healthcare staff overworked in many areas, renewing a general focus on security is a little more difficult. Still, the best time to implement this renewed focus is now. Bite-sized security training that can be rolled into staff meetings should be developed. Making small changes over time will be easier and more successful than requiring significant changes all at once. This training should begin with password requirements, using MFA and avoiding phishing and other email attacks before moving on to more complex topics.
With healthcare data breaches increasing every year, we need to ensure that data is inaccessible to unauthorized users and that it is unusable if stolen. This means data should not be stored on individual computers but in a centralized location that can only be accessed by approved devices on the network. This potential change in location should be the only noticeable change for the user. Where this gets more complex is in storage and transit.
Data should be encrypted on the hard drive, requiring authorized access to view readable data, and should also be encrypted in transit. Some of the best options available for data encryption on the storage device are blockchain solutions. Blockchain is especially important for healthcare data due to the personal and sensitive nature of the data. We should be taking every measure possible to ensure this data does not fall into the wrong hands.
While the way forward to ensuring our PHI is properly secured may not be an entirely simple process, there are changes that can easily be made now. Even with medical staff in many places overworked, especially due to COVID cases, data breaches and ransomware can make their jobs even more difficult. This means that improving data security in medical facilities is critical not only for protecting patients but also for keeping our healthcare workers from having to work even harder to provide proper care.