You can quickly secure a medical cart on wheels with drawers by locking the cart in a storeroom or adding locking drawers, but securing electronic health records is not as easy.
Attackers target healthcare records because they hold sensitive personal data, including Social Security numbers and more. Since the advent of mandated electronic record keeping for patients, tens of thousands of patients have had their records compromised.
Your healthcare facility can minimize the risk of data breaches through foresight, diligence, and a robust IT security program.
The following tips can help.
Create Robust Access Policies
Your IT section should craft clear, direct, and simple access policies for all employees to read and acknowledge. The IT section should thoroughly brief all new employees and hold regular mandatory refresher briefings annually.
Your Human Resources department should include in the employee manual the policy and require adherence to it as a condition of employment.
IT Risk Assessments
Appoint one of your IT staff as the IT Security Chief and make that person responsible for conducting regular IT security assessments.
The threat environment changes rapidly. New viruses, new hacking methods, and other threats continuously evolve. Your IT security manager must continuously assess, review, and address changes, sometimes daily. Conducting annual or quarterly assessments is not enough and may be too late to apply the correct fix before attackers compromise your patient records.
Patches and Updates
Hospitals that don’t install patches and updates to their systems immediately risk exploitation. Many past breaches have been the result of healthcare facilities failing to apply patches or updates in a timely fashion.
IT must have an efficient process to patch and update every device in use.
Regular Audits
Hospital administrations have a responsibility to conduct regular audits. The insider threat causes havoc as often as, if not more often than, outside hacking attacks.
The insider threat is more insidious and can often do much more damage than outside hackers can perpetrate. Sometimes these audits also identify other problems not directly related to patient data, such as pharmaceutical problems or medication errors.
The threat may be deliberate or accidental. Conduct regular audits, using flagging software to mark suspicious activity. Encourage employees to report problems immediately.
Checking log-on records is not enough. Implement a robust audit program that checks for problems proactively. Verifying and managing aberrations early is much better than engaging in the often long and challenging investigations after the data breach or problem has already occurred.
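As an added illustration of the point that checking log-on records alone is not enough, here is a small audit-log checker (example code written for this article, not a product or the facility’s own tooling) that looks at record-level access rather than logins. The log format, the role names, the night-time window and the per-day threshold are all constructed assumptions; a real facility would tune them to its own EHR audit trail.

```python
"""Flag suspicious EHR record access in an audit trail.

Added example, not from the original article. The log format
(timestamp,user,role,action,patient_id), the role names, the off-hours
window and the threshold below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, time

# Assumption: these roles have no routine reason to open records at night.
NON_CLINICAL_ROLES = {"billing", "it_admin"}
NIGHT_START, NIGHT_END = time(20, 0), time(6, 0)
# Constructed threshold: more distinct patients than this in one day is unusual.
MAX_DISTINCT_PATIENTS_PER_DAY = 5

# Constructed sample audit lines (not real data).
SAMPLE_LOG = """\
2024-03-04T09:12:01,nurse01,nurse,VIEW,P1001
2024-03-04T09:15:40,nurse01,nurse,VIEW,P1002
2024-03-04T02:05:33,nurse01,nurse,VIEW,P1009
2024-03-04T09:30:11,billing07,billing,VIEW,P1003
2024-03-04T23:41:05,billing07,billing,VIEW,P1004
2024-03-04T10:02:00,admin02,it_admin,EXPORT,P1001
2024-03-04T10:02:01,admin02,it_admin,EXPORT,P1002
2024-03-04T10:02:02,admin02,it_admin,EXPORT,P1003
2024-03-04T10:02:03,admin02,it_admin,EXPORT,P1004
2024-03-04T10:02:04,admin02,it_admin,EXPORT,P1005
2024-03-04T10:02:05,admin02,it_admin,EXPORT,P1006
"""


def parse_log(text):
    """Turn CSV-style audit lines into event dicts; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, action, patient = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "action": action,
            "patient": patient,
        })
    return events


def is_off_hours(ts):
    """True if the timestamp falls inside the constructed night window."""
    t = ts.time()
    return t >= NIGHT_START or t < NIGHT_END


def flag_suspicious(events, max_distinct=MAX_DISTINCT_PATIENTS_PER_DAY):
    """Return (rule, user, detail) findings for two simple insider-threat patterns:
    non-clinical staff opening records at night, and any user touching an
    unusually large number of distinct patients in a single day."""
    findings = []
    per_user_day = defaultdict(set)
    for e in events:
        if e["role"] in NON_CLINICAL_ROLES and is_off_hours(e["ts"]):
            findings.append((
                "OFF_HOURS_ACCESS",
                e["user"],
                f'{e["action"]} {e["patient"]} at {e["ts"].isoformat()}',
            ))
        per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) > max_distinct:
            findings.append((
                "BULK_RECORD_ACCESS",
                user,
                f"{len(patients)} distinct patients on {day}",
            ))
    return findings


if __name__ == "__main__":
    for rule, user, detail in flag_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{rule:20} {user:12} {detail}")
```

On the constructed sample the checker reports one off-hours access by the billing account and one bulk-access finding for the IT admin account that exported six records in a minute; the night-time access by the nurse is not flagged because clinical roles are expected to work nights. Neither event would stand out in a log-on record alone, which is the reason to audit record access itself.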
Penetration Testing
A pen test, or penetration test, is an excellent tool to ensure your systems have stable and robust defenses against attack.
Pen tests are expensive but worth budgeting for regularly, given the benefits they provide.
Don’t restrict the pen testers, or “ethical hackers” as they are sometimes called, from specific areas. HR can help manage irate employees who may not like having their work systems probed. Prevent hurt feelings by explaining to employees during onboarding that they will be subject to regular pen tests to ensure the security of patient data.
Regular Data Purges
Purge your system of unnecessary data on a regular schedule. Leaving unnecessary patient data in the system presents an excellent opportunity for an attacker to obtain reams of data that they otherwise couldn’t access.
If you don’t clear out unnecessary patient information, your facility is also in violation of HIPAA regulations.
Implement a Strong BYOD Policy
BYOD, or Bring Your Own Device, has become a standard policy addition in rapidly evolving hospital and work environments. BYOD helps keep budgets under control since the facility can cut back on the number of computers or readers it must purchase.
Sometimes a laptop on a mobile cart may not be hospital property, depending on the type of facility and its budget.
If you do allow BYOD, your policy must include strong security requirements for any personal device used in your clinic.
Many hospitals require IT inspection and approval of personal devices, including installation of specific anti-virus and anti-ransomware software. Data encryption software works well alongside appropriate monitoring by responsible hospital officials.