Feature | Cybersecurity | August 05, 2014| Lysa Myers

How Can Doctors Practice Better Security?

Being lax with security can have a long-lasting impact on all patients

There are rising concerns over cybersecurity, how to enforce HIPAA, and how to secure medical information.
Did you know that medical data on 20,000 people could be exposed to abuse today? According to the U.S. Department of Health and Human Services (HHS), that is the number of people whose protected health information was breached per day on average in 2013. While healthcare practitioners may not realize the value of the data in their care, criminals certainly do. Clinicians and nurses may feel wary of cybersecurity measures that might slow them down, but there are ways to improve security that will not cost precious moments in an emergency situation. Being lax with security can have a long-lasting impact on all of your patients, not just those with emergencies.
 
What Motivates Cyber Criminals?
You may be wondering what data healthcare practitioners have that is all that interesting to criminals. Are people really profiting by stealing records of little Johnny’s ear infection? Not necessarily, though insurance fraud and blackmail certainly do happen. It is less often the specific details of treatment that matter, but rather the treasure trove of personal information that electronic health records (EHR) contain, which can be sold on the black market to perpetrate identity theft and financial fraud. While federal rules and regulations (namely the Health Insurance Portability and Accountability Act of 1996, or HIPAA) exist to help healthcare practitioners protect data, compliance with those rules does not necessarily equate with security.
 
Most of us think retail stores are the obvious choice for cyber criminals looking to wreak financial havoc. While Target retail stores stole the data-hijacking headlines late last year, only 13 percent of the reported breach incidents in 2013 were in the retail sector, while 45 percent were in the medical field, according to Privacy Rights Clearinghouse (PRC). According to the HHS “Wall of Shame,” where HIPAA violations are reported, more than 30 million records were exposed between September 2009 and June 2014.
 
Obviously credit and debit card information is useful for criminals, and most doctors’ offices and insurance companies accept both forms of payment from patients. But electronic health records may include other information that is useful to criminals as well. 
 
Social Security numbers are often required for insurance purposes, and these can be used to steal a person’s identity, which can be a lot more problematic to correct than someone stealing your credit card. Physicians and insurance companies also gather a patient’s name, physical address, phone numbers and maybe an e-mail address. The black market for this sort of information is mature and robust, and criminals can expect a big payday if they target healthcare providers that are unprepared and unaware of the value of the information they are storing.
 
 
Now What?
The bad news is that breaches are a very real and scary thing. The good news is that there are simple things you can do, as a healthcare practitioner, to protect that important data. Here are a few things that will help you improve your security without impeding your ability to respond to patients quickly.
 
Update early and often: Regularly updating all of your software is one of the most important things you can do to minimize the vulnerabilities criminals use to get into your machines, and vendors often provide updates at no cost to you. When you get a notice from your vendor, go directly to the vendor’s website or a reputable app store to get the update as soon as possible. This step matters because some malware disguises itself as a software update warning. Do not let that nagging update notice go unheeded.
 
Create layered defenses: While your security department may have robust protection for your network, mobile devices and cloud computing can make boundaries very foggy. It is important to protect data, as well as devices. Do not assume that your company’s security products will protect you against everything. Many times, lost or stolen devices or login credentials are all criminals need to get into a network. Make sure you have a good quality anti-malware suite, including a firewall, on all devices that you use to access or discuss healthcare information (do not forget Android tablets, Mac computers and Windows machines). Be sure to keep your security software and malware definitions updated. Any important data should be encrypted both in storage and any time it leaves your machine, such as via e-mail or on devices such as smartphones or USB sticks. Do not discuss patient information on unencrypted channels such as SMS texts.
 
Go beyond passwords: If you are protecting a lot of patient data, a password alone may not be enough. Consider implementing two-factor authentication. This can be a biometric such as a fingerprint or a one-time passcode that is provided via a small digital key card or fob, or even a smartphone app. You can also increase your password security by upgrading your password to a passphrase — a short sentence is much more difficult to crack than a single word, and it can still be easy to remember. Each of your digital devices should be protected with a passcode or biometric, with a short time-out setting. That way, if one falls into the wrong hands, the data is not easily accessible.
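To put numbers behind the passphrase advice above, here is a small added example (not code from the original article or from ESET) that estimates the guessing effort for a single dictionary word versus a short sentence built from several words, and for a short random password for comparison. The word-list size (7,776 words, the size of a standard Diceware list), the guess rate of ten billion guesses per second, and the sample secrets are all assumptions chosen for illustration.

```python
"""Estimate how much harder a multi-word passphrase is to guess than a
single word or a short random password.  All figures are assumptions
for illustration, not measurements of any real attack."""
import math

# Assumption: a standard Diceware-style word list has 7,776 entries.
WORDLIST_SIZE = 7776
# Assumption: an offline attacker with good hardware tries 1e10 guesses/s.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def password_keyspace(length: int, charset_size: int) -> int:
    """Number of possible passwords of a given length over a character set."""
    return charset_size ** length


def passphrase_keyspace(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> int:
    """Number of possible passphrases made of word_count words from a list."""
    return wordlist_size ** word_count


def entropy_bits(keyspace: int) -> float:
    """Entropy in bits, assuming every candidate is equally likely."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time (in years) to try every candidate at the given rate."""
    return keyspace / rate / SECONDS_PER_YEAR


def compare_secrets() -> dict:
    """Compare three kinds of secret and return their entropy and crack time.

    The three cases are constructed for this example:
      - one lowercase dictionary word from the list ("hospital")
      - an 8-character random password over upper, lower, digits (62 symbols)
      - a five-word passphrase from the same list ("tulip river bandage quiet lamp")
    """
    cases = {
        "single word": passphrase_keyspace(1),
        "8-char random password": password_keyspace(8, 62),
        "5-word passphrase": passphrase_keyspace(5),
    }
    return {
        name: {
            "entropy_bits": round(entropy_bits(space), 1),
            "years_to_exhaust": years_to_exhaust(space),
        }
        for name, space in cases.items()
    }


if __name__ == "__main__":
    for name, result in compare_secrets().items():
        print(f"{name:24s} {result['entropy_bits']:6.1f} bits  "
              f"{result['years_to_exhaust']:.3g} years to exhaust")
```

The point the numbers make is the one the article makes in words: a single word from even a large list is gone in a fraction of a second, while five random words from the same list give more entropy than an eight-character mixed-case password and are still something a clinician can remember. The estimate assumes the words are chosen at random from the list; a quotation or song lyric is far weaker because attackers try those phrases first.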
 
Choose to protect your own device: Having the ability to use a mobile device to check on your work-related information whenever and wherever you are is a huge boon for responsiveness. But it also leads to a host of problems, as those devices are easily misplaced and they are less apt to be protected from malicious access. More and more offices are offering employees the choice of a mobile device, one that IT staff can scan for problematic apps or links, or remotely wipe in case the device is lost or stolen. If you are not offered this, you can still get many of the benefits with free or low-cost apps. Anti-malware scanners on Android devices can help you avoid problematic apps and links, and device-finder apps that can also wipe data from lost devices are available for all smartphone operating systems.
 
Practice the principle of least privilege: The principle of least privilege simply means that no person, machine or system should have access to things they do not strictly need. For instance: If you use a personal device at work and at home, you can create a separate profile for each location. And if you share that device with other people in either place, you can create a separate guest account that does not have access to your sensitive information.
 
Encrypt everywhere: As noted earlier in the “layered defenses” tip, encryption is a very simple and effective way to safeguard data. When we have something that is valuable, we lock it up when it is not in use. The same is true with data: valuable information should be encrypted whenever it is not directly in use. That means when it is in storage, it should be encrypted. When it is being accessed or sent over the network, it should travel over an encrypted connection. Having encryption from “end to end” minimizes criminals’ ability to get any useful data, even if they do manage to breach your other defenses.
 
Watch out for leaky data: Wi-Fi is becoming a fact of life — there are free hotspots available wherever you go these days. But that public Wi-Fi can be an easy way for attackers to eavesdrop and snag your data in transit if it is not properly secured. It is best, if you are using Wi-Fi when you are out and about, to avoid accessing or transmitting sensitive information. If you do need to do so, it is very important to make sure the connection is encrypted. Using a VPN can help you create a private network connection between your own personal devices and work resources. When connecting to the Internet or office network from unfamiliar places, consider using your smartphone’s 4G connectivity or a 4G hotspot instead of sketchy public Wi-Fi.
 
Good security should not make doing your job impossible: With a variety of small changes, the effect on your ability to do work should be negligible. And the effect of maintaining your patients’ trust by protecting their data will certainly make your job easier. 
 
Editor's note: Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats grow and change dramatically. She enjoys explaining security issues in an approachable manner for companies and consumers alike. Over the years, Myers has worked both within antivirus research labs, finding and analyzing new malware, and within the third-party testing industry, evaluating the effectiveness of security products. As a security researcher for ESET, she focuses on providing practical analysis and advice on security trends and events.
 