It’s impossible to deny the impact of digitization in all aspects of life, and this includes the healthcare industry. While the use of digital patient records has its conveniences, the risk of cyber threats can not be overlooked. Online security is not only for ecommerce and financial online spaces. A patient’s medical records are private and confidential and should be protected at all costs.
Data protection protocols in the USA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that came about to ensure the privacy and protection of all covered entities. These covered entities include not just individuals but all healthcare providers, health plans, healthcare clearinghouses and business associates. Business associates are all people that need to use or disclose patient information to perform their tasks, including claims processing, billing etc.
The HIPAA offers guidelines on how to protect patient health information. In order to be HIPPA compliant, there are a number of rules that have to be complied with:
Two factor authentication:
All user accounts must be protected with two factor authentication. Two factor authentication includes an extra layer of protection over a standard password, this includes an authentication code that must be entered at the time of logging in.
All patient data should be encrypted at the point of collection and when sent to the server.
Ensure that users are logged out after a period of inactivity.
Remote Data clearing:
In the case of a stolen or lost device, provide the ability to remotely erase all sensitive data on the device.
All apps and software must be regularly tested and updated to plug any security vulnerabilities.
Allow for regular data backups and data restoration in the event of a security breach or data loss.
What kind of information is protected?
A patient’s Protected Health Information (PHI) or ePHI – Electronic Protected Health Information includes their personal details like name, residential and postal address and phone number as well as digital identification like email addresses; IP addresses; MAC addresses or website URLs.
Any other unique identifying numbers like a social security number, a national identity number, passport, VIN or medical account number are also protected under the HIPAA laws.
Biometric information in the form of fingerprints, retina scans, x-rays and any other photos must also be kept private and secure.
Why is patient privacy important?
In order for the medical sector to remain respected, the integrity of all patient’s data must be kept confidential and secure.
Trust: Trust is at the foundation of the medical industry. A patient shares intimate information with their doctor. If a patient felt their information was not going to be held in strictest confidence, this would hamper open honest communication – which would hamper the diagnostic and healing process.
Digital Hacking: With the increased reliance on cloud applications and data storage, we create a bigger target for hackers to gain access to the information. Studies have shown that cyber attacks have increased over 125% since 2010. While stolen credit card information can obviously be misused for financial gain, stolen personal information can in turn be used in identity theft and fraud cases which have longer and more substantial effects and can, and often does, destroy many lives.
Legal action: In the case of a data breach, the company can be held legally responsible resulting in fines and even prison sentences.
10 important considerations for privacy and security in healthcare
1. Educate all staff
The most hi-tech systems and protocols are worth nothing if the people are not informed and trained to implement and maintain all privacy and security protocols. Often working in stressful situations, it is extremely easy for human error to creep into the process. It is important that all parties are aware not only of the rules and regulations, but also all the consequences of their actions. Protecting patient privacy is a part of providing proper healthcare.
2. Access control
Ensure healthcare data protection by limiting access to any patient data or any applications with access to confidential data. Patient records should only be accessible to people that require it to perform their function. Online security methods like multi-factor authentication should be implemented on all systems to reduce the risk of unauthorised access. Additional authorization methods include One Time Pin (OTP) or biometrics like facial recognition or fingerprint scanning.
3. Data usage control
Additional restrictions can be added to systems to ensure that data is used only as required. Certain functions can be disabled while accessing sensitive user data i.e the inability to download data, or take screenshots or print.
4. Usage logs
It is a good idea to keep an audit log of all users that have logged in and accessed sensitive data. By keeping records of dates and times, as well as specific areas of data accessed, it is possible to pinpoint areas of concern should there be any security issues.
5. Encrypt data
Encrypting data at the point of input and during transmission makes it harder for any hackers to intercept the data and decipher the contents. HIPAA encourages the use of data encryption but it does not dictate what and how. Any industry standard algorithm like AES would be deemed sufficient. HIPAA leaves the decision of when and how to encrypt the ePHI to the healthcare organizations.
6. Secure mobile devices
With the increased use of mobile devices and apps, it is important that any healthcare organizations or patient using a mobile device during the process of giving or receiving medical treatment does so with security and data protection compliance in mind.
- • All devices should be updated regularly to ensure security technologies are up to date. Virus protection to detect malware and other vulnerabilities is mandatory.
- • In the case of device theft, devices must be protected with strong passwords.
- • Users should be able to remotely delete any sensitive data off their phones should the phone get stolen or lost.
- • All application data should be encrypted.
7. Mitigate connected device risks
- • Connected devices on public networks and the Internet are at a higher risk for cyber attacks. Ideally all sensitive data should be accessed from within a private network. All security protocols like firewalls etc should be in place.
- • Passwords should be strong and changed frequently.
8. Conduct regular risk assessments
With the ever changing risk ecosystem – it is important that all software applications and devices are continuously monitored to ensure the integrity of the system and the related user data. Evaluation risks allows for proactive risk assessment and any loopholes and vulnerabilities can be quickly identified and fixed.
9. Data backup
Attacks can take many forms. Oftentimes data is wiped and companies are held to ransom. In order to get their data back, companies are required to pay exorbitant amounts of money. If regular backups are done with offsite storage, a company protects itself from such a situation. A cyber attack can also corrupt data, rendering it useless to the healthcare providers.
10. Evaluate security and compliance of all persons involved
With so many people involved in the healthcare pipeline it is important to constantly evaluate and determine all the people who have access to sensitive data, and reconsider their access as and when roles change. Business entities and vendors that have in the past been compliant, may have new people who fail to comply with security requirements.
What is the difference between privacy, confidentiality and security of health information?
Privacy policies determine how confidential data can be accessed by authorized sources.
Security is the practical measures implemented to protect the information.