Feature | Cybersecurity | August 05, 2014| Lysa Myers

How Can Doctors Practice Better Security?

Being lax with security can have a long-lasting impact on all patients

There are rising concerns over cybersecurity, how to enforce HIPAA and how to secure medical information.
Did you know that medical data on 20,000 people could be exposed to abuse today? According to the U.S. Department of Health and Human Services (HHS), that is the number of people whose protected health information was breached per day on average in 2013. While healthcare practitioners may not realize the value of the data in their care, criminals certainly do. Clinicians and nurses may feel wary of cybersecurity measures that might slow them down, but there are ways to improve security that will not cost precious moments in an emergency situation. Being lax with security can have a long-lasting impact on all of your patients, not just those with emergencies.
 
What Motivates Cyber Criminals?
You may be wondering what data healthcare practitioners have that is all that interesting to criminals. Are people really profiting by stealing records of little Johnny’s ear infection? Not necessarily, though insurance fraud and blackmail certainly do happen. It’s less often the specific details of treatment, but rather the treasure trove of information that electronic health records (EHR) contain that can be sold on the black market to perpetrate identity theft and financial fraud. While federal rules and regulations (namely the Health Insurance Portability and Accountability Act of 1996, or HIPAA) exist to help healthcare practitioners protect data, compliance with those rules does not necessarily equate with security.
 
Most of us think retail stores are the obvious choice for cyber criminals looking to wreak financial havoc. While the Target retail breach dominated the data theft headlines late last year, only 13 percent of the reported breach incidents in 2013 were in the retail sector, while 45 percent were in the medical field, according to Privacy Rights Clearinghouse (PRC). According to the HHS “Wall of Shame,” where HIPAA violations are reported, more than 30 million records were exposed between September 2009 and June 2014.
 
Obviously credit and debit card information is useful for criminals, and most doctors’ offices and insurance companies accept both forms of payment from patients. But electronic health records may include other information that is useful to criminals as well. 
 
Social Security numbers are often required for insurance purposes, and these can be used to steal a person’s identity, which can be a lot more problematic to correct than someone stealing your credit card. Physicians and insurance companies also gather a patient’s name, physical address, phone numbers and maybe an e-mail address. The black market for this sort of information is mature and robust, and criminals can expect a big payday if they target healthcare providers that are unprepared and unaware of the value of the information they are storing.
 
 
Now What?
The bad news is that breaches are a very real and scary thing. The good news is that there are simple things you can do, as a healthcare practitioner, to protect that important data. Here are a few things that will help you improve your security without impeding your ability to respond to patients quickly.
 
Update early and often: Regularly updating all of your software is one of the most important things you can do to minimize the vulnerabilities criminals use to get into your machines, and vendors often provide updates at no cost to you. When you get a notice from your vendor, be sure to go directly to the vendor’s website or a reputable app store to get the update as soon as possible. Some malware will pretend to be a software update warning, so this step is important. Do not let that nagging update notice go unheeded.
 
Create layered defenses: While your security department may have robust protection for your network, mobile devices and cloud computing can make boundaries very foggy. It is important to protect data, as well as devices. Do not assume that because your company has security products, you are protected against everything. Many times lost or stolen devices or login credentials are all criminals need to get into a network. Make sure you have a good quality anti-malware suite, including a firewall, on all devices that you use to access or discuss healthcare information (do not forget Android tablets, Mac computers and Windows machines). Be sure to keep your security software and malware definitions updated. Any important data should be encrypted both in storage and any time it leaves your machine, such as via e-mail or on devices such as smartphones or USB sticks. Do not discuss patient information on unencrypted channels such as SMS texts.
 
Go beyond passwords: If you are protecting a lot of patient data, a password alone may not be enough. Consider implementing two-factor authentication. This can be a biometric such as a fingerprint or a one-time passcode that is provided via a small digital key card or fob, or even a smartphone app. You can also increase your password security by upgrading your password to a passphrase — a short sentence is much more difficult to crack than a single word, and it can still be easy to remember. Each of your digital devices should be protected with a passcode or biometric, with a short time-out setting. That way, if one falls into the wrong hands, the data is not easily accessible.
 
Choose to protect your own device: Having the ability to use a mobile device to check on your work-related information whenever and wherever you are is a huge boon for responsiveness. But it also leads to a host of problems, as those devices are easily misplaced and they are less apt to be protected from malicious access. More and more offices are offering employees the choice of a mobile device, one that IT staff can scan for problematic apps or links, or remotely wipe in case the device is lost or stolen. If you are not offered this, you can still get many of the benefits with free or low-cost apps. Anti-malware scanners on Android devices can help you avoid problematic apps and links, and device-finder apps that can also wipe data from lost devices are available for all smartphone operating systems.
 
Practice the principle of least privilege: The principle of least privilege simply means that no person, machine or system should have access to things they do not strictly need. For instance: If you use a personal device at work and at home, you can create a separate profile for each location. And if you share that device with other people in either place, you can create a separate guest account that does not have access to your sensitive information.
 
Encrypt everywhere: As said earlier in the “layered defenses” tip, encrypting is a very simple and effective way to safeguard data. When we have something that is valuable, we lock it up when it is not in use. The same is true with data; valuable information should be encrypted whenever it is not directly in use. That means when it is in storage, it should be encrypted. When it is being accessed or sent over the network, it should be through an encrypted connection. Having encryption from “end to end” minimizes criminals’ ability to get any useful data, even if they do manage to breach your other defenses.
 
Watch out for leaky data: Wi-Fi is becoming a fact of life — there are free hotspots available wherever you go these days. But that public Wi-Fi can be an easy way for attackers to eavesdrop and snag your data in transit if it is not properly secured. It is best, if you are using Wi-Fi when you are out and about, to avoid accessing or transmitting sensitive information. If you do need to do so, it is very important to make sure the connection is encrypted. Using a VPN can help you create a private network connection between your own personal devices and work resources. When connecting to the Internet or office network from unfamiliar places, consider using your smartphone’s 4G connectivity or a 4G hotspot instead of sketchy public Wi-Fi.
 
Good security should not make doing your job impossible: With a variety of small changes, the effect on your ability to do work should be negligible. And the effect of maintaining your patients’ trust by protecting their data will certainly make your job easier. 
 
Editor's note: Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats grow and change dramatically. She enjoys explaining security issues in an approachable manner for companies and consumers alike. Over the years, Myers has worked both within antivirus research labs, finding and analyzing new malware, and within the third-party testing industry to evaluate the effectiveness of security products. As a security researcher for ESET, she focuses on providing practical analysis and advice on security trends and events.
 