Predictions are popular among experts in all fields, despite the risks of getting them wrong. One of 2017’s most alarming forecasts was a claim from Experian Data Breach Resolution that healthcare organizations would be heavily targeted by cyber criminals.
Was it a good prediction? Sadly, yes. Endpoint security firm Cylance released in May 2018 a threat report that found ransomware attacks tripled in 2017 – and the healthcare industry bore the brunt.
With that in mind, how can organizations store their data so it’s safe, secure and available? Every day, health organizations generate huge volumes of sensitive data, such as test results, patient reports, scans and images. What’s the best way to secure all that information?
Firewalls and antivirus software are no longer enough. They’re standard protection measures across most industries and organizations, but with hackers becoming more sophisticated in the way they breach security, they risk being overwhelmed. ‘Border control’ needs to be complemented by internal segmentation firewalls and solutions that limit the spread of damage when an attack occurs.
Healthcare professionals are becoming increasingly mobile, which makes phones, tablets, laptops, USB drives, printers and other mobile devices a security risk. By encrypting all devices that contain patient data, organizations reduce the risk that information will fall into the wrong hands. Supplement these measures with good security practices, such as implementing two-factor authentication, to add an extra layer of safety.
As industries become ecosystems of interlocking service providers, data sources, users and other partners, managing third- and even fourth-party risk becomes critical. Conducting third-party security checks is time-consuming but essential. And it can’t be a one-off event; you must put systems in place to monitor their compliance and overall security posture.
They can’t steal it if you don’t have it –reducing the amount of data that you have stored can be a very effective security measure. Creating a data hygiene policy and providing staff with specific guidelines regarding what information is to be kept, and how to securely delete information that’s surplus to your needs, will go a long way to protecting patients. Always ensure, of course, that you remain in accordance with any regulation regarding the minimum retention periods for patient data, as well as other regulations like the EU’s General Data Protection Regulation (GDPR).
It’s not just patient data that’s at risk; sadly, medical devices like pacemakers, monitoring tools and other equipment can also be infiltrated. Security on such devices is often overlooked, so be sure to change passwords, control access and lock them down as securely as possible.
As the security experts say, it’s not a matter of ‘if’ you’ll be attacked, it’s a matter of ‘when’. Even with a safety net of features in place to protect your organisation’s security, you need to be ready to respond if you’re attached. This includes putting in place backup and disaster recovery regimes, ensuring you can respond to a security incident 24×7, and having a communications plan – covering patients, staff, and all relevant medical, regulatory and law enforcement bodies.
The consequences of a medical data breach are wide-ranging, impacting both organizations and patients – making a comprehensive network for protecting that data essential.