As the number of stories about data security breaches in the medical field increases, providers and their colleagues – particularly those in smaller medical practices without the dedicated support of IT and data security professionals – must regularly review and update their policies and procedures to ensure that their patients’ data is secure.
Just last week The Daily Beast reported that a prominent plastic surgeon in London had been hacked by a group known as The Dark Overlord, who stole clinical photographs from the surgeon’s office network and threatened to post them online. Healthcare IT News has published 40 of the largest (not the only) healthcare breaches that have occurred thus far in 2017, further illustrating both the increasing frequency and the costs associated with medical data breaches.
For those practitioners who found any of the recent hacks to be a wake-up call, here is some practical advice and some – not all – tips to help keep your patient data and clinical images secure.
The Human Factor
This is by far the weakest link in data security. Think here about staff members writing their passwords on stickies attached to their monitors, sharing account passwords, using simple dictionary passwords or the same password for multiple accounts. If this sounds familiar to you, make this the time you commit to stop doing it. Unfortunately, the only cure for this is vigilance, training (for your team) and audits.
But the human factor also includes issues such as others guessing your passwords, others stealing your or your colleague’s user credentials and impersonating you, internal attacks (by disgruntled employees, for example), over-the-shoulder password observation (“shoulder surfing”) and so on. Remember, hackers are people too! And if they consider you a valuable enough target, nothing prevents them from booking a consultation solely for the opportunity to watch you type your username or password into a computer or mobile device.
The best, if not the only, way to manage these kinds of attacks is with user training, and the best place to start is with two words: Password Strength. Next, don’t leave your devices (mobile phones, tablets or computers) unattended, be aware of who might be watching you type in your passwords, and be sure to log out after you are done, especially on devices that you share with others.
Encrypt Your Data
1. Whether you are storing data on your own network or using third-party firms to host your data, ensure that data at rest and data in transit is always encrypted. You can do this by checking with your data storage/cloud services provider to be sure that they encrypt data at rest (in storage) and data in transit. It is simple to verify that data is encrypted in transit for web-based applications: make sure the web address displayed in the web browser begins with “https:” and that the web browser displays a “Secure” indicator next to the web address. Keep in mind that this indicator only confirms that the connection to that site is encrypted; it says nothing about how the provider stores your data once it arrives, which is why you still need to ask them about encryption at rest.
2. Require that every request to your network or your providers is authenticated, and lock a user out for some period of time (at least a few hours) after a given number of unsuccessful login attempts (no more than 3 or 4 attempts, to be on the safe side). This will help to protect you against so-called “denial-of-service attacks” (DoS attacks), where hackers try to prevent you from accessing your computers or network by bombarding you with unnecessary requests that overload your system. Keep the lockout temporary rather than permanent, so that a flood of bad attempts against a known username cannot shut the legitimate user out indefinitely.
Encrypt Usernames and Passwords
3. Make sure that you and your providers store usernames and passwords in an encrypted format (ideally as a salted, one-way hash) and confirm that passwords are never decrypted. If passwords are stored unencrypted by your service provider or an application you use, they will be exposed during a data breach. It is also a good idea to have audit logs that track who logs into the system and that track the requests made by any user. This can help you to identify if one of your employees is doing something that they shouldn’t be doing, and also helps to identify the source of a data leak if an employee’s user credentials turn out to have been used by someone else.
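As an added illustration of items 2 and 3 together (this is not code from the article or from Epitomyze), here is a small Python login service that stores passwords as salted one-way hashes, locks an account for a few hours after three failed attempts, and records every attempt in an audit trail. The class and account names are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

LOCKOUT_ATTEMPTS = 3        # "no more than 3 or 4 attempts"
LOCKOUT_SECONDS = 4 * 3600  # "at least a few hours"


def hash_password(password, salt=None):
    """Return (salt, digest); the digest cannot be reversed to the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes           # only the hash is stored, never the plaintext
    failures: int = 0
    locked_until: float = 0.0


class AuthService:  # hypothetical service, constructed for this example
    def __init__(self):
        self.accounts = {}
        self.audit_log = []  # (timestamp, username, event)

    def register(self, username, password):
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)

    def login(self, username, password, now=None):
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            self._log(now, username, "unknown-user")
            return False
        if now < acct.locked_until:          # temporary lockout still active
            self._log(now, username, "rejected-locked")
            return False
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):  # constant-time compare
            acct.failures = 0
            self._log(now, username, "login-ok")
            return True
        acct.failures += 1
        if acct.failures >= LOCKOUT_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            self._log(now, username, "locked")
        else:
            self._log(now, username, "login-failed")
        return False

    def _log(self, ts, user, event):
        self.audit_log.append((ts, user, event))
```

The audit log is what lets you tell a single mistyped password from a run of guesses against one account, which is the signal item 3 describes.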
Data Security Cyber Insurance
4. Consider purchasing data breach insurance, which can protect and support you by covering things like the cost of a ransomware attack, forensic investigations, and support for affected customers, among others. And you should ensure that your providers, if they are storing patient data for you, have (and can show you if asked) a data breach and cyber liability insurance policy as well.
Audit Third Party Vendors
5. Confirm with application vendors and service providers that they do not store any PII (personally identifiable information) or PHI (protected health information), documents, reports, or images on the computers and devices that use their services. If such a device is compromised, hackers will gain access to everything stored on it.
On a final related note, it should be mentioned that whenever you disclose protected health information (PHI) to a vendor – such as a cloud storage company or even a mobile app that handles PHI for you – a Business Associate Agreement (“BAA”) is needed to ensure compliance with HIPAA and to help protect the information you are disclosing. If you are in the United States, ask your service and app providers to sign a BAA. If they are unwilling to do so this should be an immediate red flag.
Remember, while the topic of data security often conjures up notions of obscurity and complexity, there are clear, simple steps that you can take to make it harder for a bad actor to gain access to your data. Given the number of relatively easy targets that are out there, just raising the bar on the level of security that you provide by a few steps is enough to send the bad guys looking elsewhere.
About The Author
Freddy is the CEO of Epitomyze Inc., a team of healthcare and medical imaging experts devoted to revolutionizing the role of clinical photography in medicine. Our premier service is Epitomyze Cloud™, a state-of-the-art cloud-based, digital-asset storage and management solution for image data. The service can be accessed through secure credentials from any device, and can be paired with our sophisticated Epitomyze Capture™ app.
Freddy is passionate about the subject of digital imaging in medicine and the role that clinical photography can play in improving the quality of care for patients. Follow him on Twitter: @epitomyze.