Without the sacrifice of our frontline workers over the past two challenging years, many of our communities would not have been able to receive vital care. However, while healthcare providers have been busy protecting our communities, who has protected the sensitive personal data collected in the process?
Many factors have added complexity to the healthcare industry during the pandemic, from admitting and triaging an increasing volume of patients (virtually or in person) to managing a workforce that shifts from hospital to hospital while combating a dwindling supply of healthcare workers.
With tight resources for managing healthcare, the IT challenge of keeping track of the enormous amounts of data being created, accessed and modified is critical. How can we ensure that the need for data privacy and security doesn't accidentally slip through the cracks?
The best starting point for reviewing data privacy and security best practices is to consider the tasks staff need to complete. Too often, complex software and hardware deployments overwhelm users and fail because a business need was not considered at the design phase, and the resulting solutions added complication instead of focusing on an improved user experience.
Secure Healthcare Data Best Practice
Global regulations have been introduced to guide organizations toward best practices in data protection and privacy. These include HIPAA in the US and the GDPR across the EU. Both focus on protecting data relating to individuals (personal data, including Personally Identifiable Information, under the GDPR, and Protected Health Information under HIPAA), ensuring that information is stored confidentially and used only in an agreed manner.
The hard part of securing healthcare data is not adherence to regulations; compliance is the baseline. The challenge is keeping pace with ever-changing threats.
Protecting Healthcare Data Starts with Staff
No one purposely leaks data, but with hectic staff spread across so many hospital areas, it only takes one slip to cause a disaster. It may not be possible to run a full cyber-awareness program, but consider short, sharp awareness videos and emails for continual awareness. This also helps cope with the regular flow of new staff members into a healthcare facility.
Additionally, look to 'gamify' the approach with prizes or gift cards for people who successfully complete activities. Free coffee is always a temptation.
At the same time, tightening access controls reduces risk by only granting access to applications for users who explicitly require it to perform their role (least privilege). This can be reinforced with location-based controls that prevent confidential data from being viewed on terminals in public locations. Consider multi-factor authentication to strengthen the enforcement of access to appropriate resources. This could be a combination of a password and an identity card, or even biometric access.
Secure Devices are Safe Devices
There is a proliferation of mobile devices used in healthcare; tablet and smartphone applications allow specialists to make decisions at the bedside, and administrative staff can process requests faster from anywhere.
Mobile devices must be secured, but I recommend taking these guidelines a step further. All devices used by staff to access healthcare information should be given the same level of device security, including:
• Central endpoint management with control of settings and application access
• Location-based controls to prevent confidential data access in public locations
• Enforced strong password and multi-factor authentication
• Remote wipe and lock for lost or stolen devices
• Email monitoring to reduce the risk of malware or data exfiltration
• Data encryption
• Prevent access for devices where the latest security updates have not been applied
• Create more restrictive policies for BYOD configurations – ideally, do not allow BYOD
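The access and device controls above (least privilege, location-based restrictions, MFA, patch currency, encryption, remote wipe and a BYOD ban) are usually enforced as one conditional-access decision at sign-in. The following is an added illustration, not code from the original article or from any MDM product: a small policy evaluator over a hypothetical device-posture record. The `DevicePosture` fields, the 14-day patch threshold, the public-zone tags and the sample devices are all assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Assumptions for this example (not taken from any real MDM or IdP schema):
MAX_PATCH_AGE_DAYS = 14                               # block devices patched longer ago than this
PUBLIC_ZONES = {"lobby", "cafeteria", "car_park"}     # terminal location tags treated as public
TODAY = date(2022, 3, 1)                              # fixed "now" so the example is reproducible


@dataclass(frozen=True)
class DevicePosture:
    """Hypothetical posture record as an endpoint-management agent might report it."""
    device_id: str
    managed: bool            # enrolled in central endpoint management
    byod: bool               # personally owned device
    disk_encrypted: bool
    last_patch: date         # date the latest security updates were applied
    mfa_satisfied: bool      # second factor presented in this session
    location_zone: str       # e.g. "ward_3" or "lobby"
    remote_wipe_enabled: bool


def evaluate_access(p: DevicePosture, requests_phi: bool, today: date) -> tuple[bool, list[str]]:
    """Apply every control and return (allowed, reasons).

    Every failing check is reported rather than stopping at the first, so the
    help desk can see the full remediation list for a blocked device.
    """
    reasons: list[str] = []
    if p.byod:
        reasons.append("BYOD device: policy denies access to clinical systems")
    if not p.managed:
        reasons.append("device not enrolled in central endpoint management")
    if not p.disk_encrypted:
        reasons.append("disk encryption not enabled")
    if not p.remote_wipe_enabled:
        reasons.append("remote wipe/lock not enabled")
    if (today - p.last_patch).days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"security updates older than {MAX_PATCH_AGE_DAYS} days")
    if not p.mfa_satisfied:
        reasons.append("multi-factor authentication not satisfied")
    # Location-based control: PHI may not be displayed on terminals in public zones,
    # even when the device itself is fully compliant.
    if requests_phi and p.location_zone in PUBLIC_ZONES:
        reasons.append(f"PHI cannot be displayed in public zone '{p.location_zone}'")
    return (not reasons, reasons)


# Constructed sample devices used by the demonstration below.
SAMPLES = {
    "compliant_ward": DevicePosture("tab-01", True, False, True, date(2022, 2, 20), True, "ward_3", True),
    "compliant_lobby": DevicePosture("tab-01", True, False, True, date(2022, 2, 20), True, "lobby", True),
    "byod_unmanaged": DevicePosture("phone-77", False, True, False, date(2022, 1, 10), False, "lobby", False),
}


def demo() -> dict[str, tuple[bool, list[str]]]:
    """Evaluate each sample device requesting a PHI-bearing application."""
    return {name: evaluate_access(p, requests_phi=True, today=TODAY) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
        for r in reasons:
            print(f"  - {r}")
```

The same compliant tablet is allowed on the ward and denied in the lobby; only the location check differs, which is the behaviour the location-based control is meant to produce. The BYOD device fails every check at once, which is why a BYOD ban is simpler to enforce than trying to bring personal devices up to the managed baseline.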
User endpoints are only the first step when considering 'all devices'; we must also add IoT (Internet of Things). Healthcare has seen considerable growth in this space, from monitoring devices to pacemakers, and from body scanners to cameras. Many of these devices are in use 24 hours a day, can be hard to take offline for updates and are deployed in high-risk environments. For these, additional security must be considered:
• IoT devices should be placed on separate networks from user devices and monitored continuously for any anomalous behavior that could indicate malware.
• When implementing IoT, ensure that only essential services of the device are used.
• Make sure to reset default passwords and apply the same password policy as for end-user devices.
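Segmenting IoT onto its own network only pays off if someone watches the traffic crossing (or trying to cross) that boundary. As an added example, not part of the original article, the block below runs a simple baseline check over constructed flow records of the kind a switch or firewall exports: each device class is allowed a small set of expected destinations, anything toward the staff network is a segmentation violation, and anything else off-baseline is flagged for triage. The VLAN ranges, device classes, ports and sample flows are all assumptions constructed for the example.

```python
import ipaddress
from collections import Counter

# Assumed network layout for this example (not from any real deployment):
IOT_NET = ipaddress.ip_network("10.40.0.0/16")    # segregated IoT VLAN
USER_NET = ipaddress.ip_network("10.10.0.0/16")   # staff workstation VLAN

# Assumed per-class baseline: the only (destination, port) pairs each device class needs.
BASELINE = {
    "patient_monitor": {("10.40.250.5", 2575)},   # HL7 feed to the monitoring gateway
    "ip_camera": {("10.40.250.20", 554)},          # RTSP stream to the video recorder
}

# Constructed sample flows: (device_class, src_ip, dst_ip, dst_port).
FLOWS = [
    ("patient_monitor", "10.40.1.15", "10.40.250.5", 2575),
    ("patient_monitor", "10.40.1.15", "10.40.250.5", 2575),
    ("patient_monitor", "10.40.1.16", "203.0.113.77", 443),   # unexpected external host
    ("ip_camera", "10.40.2.8", "10.40.250.20", 554),
    ("ip_camera", "10.40.2.8", "10.10.5.44", 445),            # SMB toward the user VLAN
    ("ip_camera", "10.40.2.9", "10.40.250.20", 554),
]


def detect_anomalies(flows, baseline):
    """Return a list of (src_ip, description) for every flow outside the baseline.

    Checks, in order of severity:
      1. an IoT-class device that is not actually on the IoT network (segmentation drift);
      2. IoT traffic destined for the user network (segmentation violation);
      3. any other destination/port not in the class baseline (possible beaconing or scanning).
    """
    findings = []
    for dev_class, src, dst, port in flows:
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        if src_ip not in IOT_NET:
            findings.append((src, f"{dev_class} seen outside the IoT network"))
        if dst_ip in USER_NET:
            findings.append((src, f"segmentation violation: {dev_class} -> user network {dst}:{port}"))
        elif (dst, port) not in baseline.get(dev_class, set()):
            findings.append((src, f"off-baseline destination {dst}:{port} for {dev_class}"))
    return findings


def noisy_sources(findings):
    """Count anomalies per source so the noisiest device is triaged first."""
    return Counter(src for src, _ in findings)


if __name__ == "__main__":
    found = detect_anomalies(FLOWS, BASELINE)
    for src, desc in found:
        print(f"{src}: {desc}")
    print("anomalies per device:", dict(noisy_sources(found)))
```

Two of the six flows are flagged: the monitor reaching an external address on 443 and the camera talking SMB to a workstation. The baseline approach works for IoT precisely because these devices should do one job; a camera that starts speaking SMB does not need a signature to be suspicious.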
Run Risk Assessments on all Links in the Chain
Continuous assessment is a valuable investment of time. Most systems have audit trails or logs, but these are generally most useful after an attack, to help understand the root cause. A regular risk assessment can identify new vulnerabilities that may have been introduced by upgrades or configuration changes and highlight any supply chain risks. The key steps in an assessment are:
1. Determine what needs assessment: It is not practical to assess a large organization all at once (especially one delivering critical healthcare services). The assessment can be broken into more manageable pieces with a focus on individual units or functions. This way, it will be easier to gain stakeholder support and reduce the time taken to perform the assessment.
2. Identify which assets are included in the assessment: Understand what needs protecting. Do not just consider the big items such as highly valued medical devices, but also look at methods of access and connectivity. A criminal is unlikely to attack the crown jewels directly, as this would be spotted quickly. Attacks typically come from unexpected directions.
3. Analyze the risk impact of an attack: An unpatched web server may allow an attacker access using a code-injection attack. What risk does this pose to the business? Understanding the risk a vulnerability poses to the organization and weighing it against other risks to build an acceptable posture is the aim of an assessment. Rate each risk on how likely it is to occur, which helps decide what needs to be changed. Then consider the impact of the risk on the organization in terms of Confidentiality, Integrity and Availability (the well-known CIA triad). Cross-reference likelihood and impact for a final rating of any given risk, allowing a decision on when and how to remediate.
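Step 3 describes a likelihood-times-impact matrix, which is easier to apply consistently across units when it is written down as a scoring rule. The following is an added worked example and not part of the original article: a small risk register that rates each entry by likelihood and by its worst CIA impact, cross-references the two and ranks the result. The five-point scales, the choice of "worst of C, I and A" as the impact value, the rating thresholds and the sample risks are all assumptions for illustration; organizations commonly tune these to their own appetite.

```python
from dataclasses import dataclass

# Assumed five-point scales (illustrative, not from any specific framework).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str        # key into LIKELIHOOD
    confidentiality: str   # keys into IMPACT: effect on C, I and A if realised
    integrity: str
    availability: str


def score(risk: Risk) -> int:
    """Cross-reference likelihood with impact.

    Assumption: the impact dimension is the worst of the three CIA ratings, so a
    risk that only hurts confidentiality (a lost tablet full of records) is not
    diluted by having negligible integrity or availability effects.
    """
    impact = max(IMPACT[risk.confidentiality], IMPACT[risk.integrity], IMPACT[risk.availability])
    return LIKELIHOOD[risk.likelihood] * impact


def rating(s: int) -> str:
    """Map a 1..25 score onto a treatment band (thresholds are an assumption)."""
    if s >= 15:
        return "critical"   # remediate now, even if a change window must be forced
    if s >= 8:
        return "high"       # schedule in the next planned maintenance
    if s >= 4:
        return "medium"     # track and revisit at the next assessment
    return "low"            # accept and record


def prioritise(risks):
    """Return (score, rating, name) tuples, highest score first."""
    return sorted(((score(r), rating(score(r)), r.name) for r in risks), reverse=True)


# Constructed sample register for one unit (all values are illustrative).
SAMPLE_RISKS = [
    Risk("unpatched web server (code injection)", "likely", "major", "major", "moderate"),
    Risk("unencrypted tablet lost in public area", "possible", "severe", "negligible", "minor"),
    Risk("IP camera firmware out of date", "likely", "minor", "minor", "moderate"),
    Risk("shared ward login without MFA", "possible", "moderate", "moderate", "negligible"),
]


if __name__ == "__main__":
    for s, band, name in prioritise(SAMPLE_RISKS):
        print(f"{s:>2} {band:<8} {name}")
```

The web server scores 16 (likely, worst impact major) and the lost tablet 15 (possible, but a severe confidentiality impact), so both land in the critical band despite very different profiles; the camera and the shared login score 12 and 9 and can wait for a maintenance window. Writing the rule down is what makes the cross-referencing in step 3 repeatable from one unit to the next.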
Healthcare relies on data, so data privacy and security must be taken seriously. The sometimes-daunting investments in end-user, device and IoT protection are the start of this journey, but they will be worthwhile. Having these measures in place is an excellent start toward building a comprehensive data protection program, helping to ensure that data is protected against evolving threats and avoiding the risk of costly penalties from a breach (not to mention retaining patient trust).