The Department of Health and Human Services’ Office for Civil Rights started a little tradition back in 2009: When a data breach affecting more than 500 people occurs in the healthcare industry, they make a tally on their “wall of shame.” The folks over at the Office for Civil Rights were reaching for the chalk pretty frequently in 2014, and many of the breaches they tallied involved well over 500 people.
Data Breach Today put together an infographic (included below) summarizing the four biggest healthcare breaches of the past year. None of the breaches stemmed from the same cause, but all of the incidents compromised hundreds of thousands of patients’ sensitive medical information – despite industry and government regulatory mandates for the healthcare industry to protect this type of information.
The takeaway? Healthcare organizations need comprehensive security plans that protect their patients’ data on all fronts, especially given all of the emphasis lately on storing more and more medical information digitally via electronic medical records (EMR) and electronic health records (EHR).
Following are a few ways that healthcare organizations can keep their patients’ data safe in 2015:
Control Access to Sensitive Data
The most effective way to reduce the chance of someone stealing sensitive information is to make information access role-based, so that each employee’s access to sensitive information is restricted to what is necessary to perform their job. This is often referred to in the technology industry as the principle of least privilege (or a “least-privileged user”). Healthcare organizations employ an array of computer systems to process, store, and view patient data. Many healthcare applications now use redaction to mask sensitive fields as they are displayed within the application. Attachmate Reflection, a commonly used terminal emulator for accessing healthcare applications, enables organizations to mask patient data displayed within those applications based on employee roles.
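The role-based redaction described above, as an added example (this is not Attachmate Reflection’s code or configuration): a deny-by-default policy maps each role to the fields it may see in the clear and the fields it may see only partially, everything else is redacted, and an audit helper reports which field names were disclosed without logging their values. The roles, field names and the patient record are all constructed for the example.

```python
from typing import Any, Dict, List

# Role policy for this example (constructed; not any real hospital's or
# vendor's configuration). Each role lists the fields it may see in the clear
# and the fields it may see partially; every other field is redacted. Unknown
# roles get nothing at all: deny by default is what least privilege means here.
ROLE_POLICY: Dict[str, Dict[str, set]] = {
    "physician":  {"clear": {"name", "dob", "diagnosis", "medications"}, "partial": {"ssn"}},
    "billing":    {"clear": {"name", "billing_balance"},                 "partial": {"ssn"}},
    "front_desk": {"clear": {"name", "dob"},                             "partial": set()},
}

REDACTED = "[REDACTED]"


def partial_mask(value: Any, keep: int = 4) -> str:
    """Show only the trailing `keep` characters, e.g. an SSN becomes *******6789."""
    text = str(value)
    if len(text) <= keep:
        return "*" * len(text)
    return "*" * (len(text) - keep) + text[-keep:]


def redact_record(record: Dict[str, Any], role: str) -> Dict[str, Any]:
    """Return a copy of `record` with every field masked according to `role`."""
    policy = ROLE_POLICY.get(role)
    if policy is None:
        # Deny by default: a role the policy does not know sees nothing.
        raise PermissionError(f"role {role!r} is not authorised to view patient records")
    redacted: Dict[str, Any] = {}
    for field, value in record.items():
        if field in policy["clear"]:
            redacted[field] = value
        elif field in policy["partial"]:
            redacted[field] = partial_mask(value)
        else:
            redacted[field] = REDACTED
    return redacted


def disclosed_fields(record: Dict[str, Any], redacted: Dict[str, Any]) -> List[str]:
    """Field names shown in the clear, for the audit log (log names, never values)."""
    return sorted(f for f in record if redacted.get(f) == record[f])


# Constructed sample record; no real patient data.
SAMPLE_PATIENT = {
    "name": "Jane Doe",
    "dob": "1970-01-01",
    "ssn": "123-45-6789",
    "diagnosis": "Type 2 diabetes",
    "medications": "metformin",
    "billing_balance": "142.50",
}

if __name__ == "__main__":
    for role in ("physician", "billing", "front_desk"):
        view = redact_record(SAMPLE_PATIENT, role)
        print(role, view, "audit:", disclosed_fields(SAMPLE_PATIENT, view))
```

The important design choice is the `PermissionError` for an unknown role: a masking layer that falls back to showing everything when the policy has no entry is exactly the configuration gap that turns a display feature into a breach.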
Protect Data in Motion with Enterprise Encryption
Given that many breaches occur when data travels outside the walls of the organization, it’s important to ensure that your data can’t be intercepted or tampered with while travelling from point A to point B. HIPAA/HITECH regulations mandate that patient medical data sent over the network be encrypted. Depending on the system, this can be accomplished by encrypting the connection with SSL/TLS or by building an encrypted SSH tunnel that protects the data while it’s in motion and safeguards previously insecure applications without modifying the applications themselves. Attachmate Reflection provides a U.S. federal government FIPS-validated cryptographic module to encrypt healthcare data as it travels over private and public networks.
Strengthen Your Access and Authentication Policies
Gone are the days when users could set their passwords to something simple like “password” or “12345” to access an application that processes business-critical data. Even so, many workers are still reluctant to set up complex passwords because they view the process as an annoyance that slows down their work. Since passwords are the first line of defense against intrusions, be sure to implement and adhere to secure password policies, and adopt a password manager if users must manage several sets of credentials for their work. Consider two-factor authentication combined with biometrics for particularly sensitive environments. Implementing single sign-on (SSO) also encourages employees to comply with password policies because they no longer have to remember (or write down) a long list of passwords. Attachmate now provides an automated sign-on solution for mainframe applications that leverages your existing IAM system without any recoding.
Develop a Strong BYOD Policy
Workers in all industries are bringing their own devices to work (BYOD, BYOA), and this trend is no different in the healthcare industry. More and more physicians are using mobile devices to help them manage patient care, but processing and/or storing sensitive patient data on personal mobile devices is a significant security threat. At the same time, it’s important for users to be able to leverage devices on which they are most productive. Hence, organizations must develop a policy around BYOD that defines approved mobile devices and limits how patient data can be transmitted and viewed on mobile devices.
These are just a few of the strategies your healthcare organization can implement to keep its patient data secure this year. For more information on how Attachmate can help you develop a more comprehensive mobile security plan for your organization’s legacy applications, check out the Reflection and InfoConnect line of products.