[BreachExchange] 5 Ways Providers Can Prevent Patient Data Breaches

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 6 10:10:48 EDT 2016


http://hitconsultant.net/2016/05/30/34095/

2015 was, unsurprisingly, the year with the highest-profile healthcare data
breaches to date. With more and more patient information being transferred
and stored digitally, it's a trend likely to continue for many years to
come. Clinics, doctors' offices, insurers and hospitals, however, are
stepping up their countermeasures just as quickly.

As with money and jewels, no data is completely immune from unauthorized
access as long as legitimate access is granted to specific people. That
doesn't mean systems can't attain near 99.9% success. To achieve it,
healthcare providers are adhering to the following measures:

1. Keep business associates in line: Medical providers depend on a large
network of companies and services for the tools and means to deliver
successful treatments and cures. The immediate business associates of
clinics, doctors, and hospitals must be held accountable for the safety
and security of the data they handle. This is achieved through relevant
business associate agreements.

2. Separate wireless networks: It may sound obvious to someone "tech-savvy",
but it's surprising how many healthcare providers (usually smaller clinics
and offices) let visitors use the same wireless network on which staff
enter, save, and send patient information. Creating two wireless networks,
one for people in the waiting room and the other for staff, is a simple way
to guard against data breaches.
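One concrete way to enforce that split once the two networks exist, added here as an illustration and not taken from the article: an nftables ruleset on the clinic's router that lets guest clients reach only the internet, while staff clients can reach the internet and the EHR server. The interface names, VLAN numbering and addresses are assumptions for the example.

```nft
# Assumed layout (not from the article):
#   vlan10 = staff WLAN   10.10.0.0/24
#   vlan20 = guest WLAN   10.20.0.0/24
#   vlan30 = server VLAN  10.30.0.0/24, EHR server at 10.30.0.5
#   eth0   = WAN uplink
table inet clinic_fw {
  chain forward {
    type filter hook forward priority 0; policy drop;

    # Allow replies to connections that were permitted below.
    ct state established,related accept
    ct state invalid drop

    # Guest clients: internet only. Explicitly drop and count any attempt
    # to reach the staff or server subnets so it shows up in monitoring.
    iifname "vlan20" ip daddr { 10.10.0.0/24, 10.30.0.0/24 } counter drop
    iifname "vlan20" oifname "eth0" accept

    # Staff clients: HTTPS to the EHR server, plus internet.
    iifname "vlan10" ip daddr 10.30.0.5 tcp dport 443 accept
    iifname "vlan10" oifname "eth0" accept

    # Anything not matched above is logged (rate-limited) before the
    # chain's default drop policy discards it.
    limit rate 5/minute log prefix "clinic_fw forward drop: "
  }
}
```

Load it with `nft -c -f clinic.nft` first to syntax-check, then `nft -f clinic.nft`; `nft list ruleset` shows the counters, so a rising count on the guest-to-staff drop rule is itself a useful signal that someone on the waiting-room network is probing where they should not.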

3. Beef up network security: Limiting access to the network via subnetworks,
while effective in preventing local attacks, isn't as effective in
preventing attacks coming from the outside. Patient data should be covered
by a company-grade advanced network security system designed to swiftly
detect indicators of compromise.

Targeted attacks tend to be sophisticated; attackers will test the waters
before diving in. Advanced network security systems are able to sense these
probes and initiate a rapid response before the attack itself even starts.

4. Conduct the (mandatory) HIPAA security risk analysis every year: In
accordance with government regulations, healthcare providers are required to
submit their systems to an annual security evaluation. In fact, with today's
increasingly sophisticated cyber attack strategies, it may soon be good
policy to commit to an assessment every nine months.

The intention of this seemingly intrusive audit is to make otherwise
healthcare-focused professionals face the facts about potential threats to
their IT systems.

5. Make sure employees are up to date with HIPAA regulations: Healthcare
providers depend on numerous staff to carry out the seemingly menial tasks
the entire system needs in order to function. Each of these staff members
is a potential target for one of the most common tactics in the pursuit of
data: social engineering.

Someone on the phone claiming to be a patient or physician may turn out to
be someone else entirely, a fact that comes to light when the patient
privacy protocol is followed. Knowing the rules starts with learning them.

Patient data breaches in the healthcare industry will keep increasing in
number, but the countermeasures providers are putting in place strengthen
their responses. No security system can guarantee 100% success, but reducing
the ease of unauthorized access is how providers can approach an ideal state
of patient data protection.