by Brian Eastwood

12 Tips to Prevent a Healthcare Data Breach

News
Sep 4, 2012
8 mins
Data Breach | Healthcare Industry | Regulation

High-profile healthcare data breaches continue to make the news. Heed our 12-step program and keep your organization out of the headlines.

Privacy and security have always been priorities for healthcare CIOs, but the changes the HITECH Act of 2009 made to HIPAA put both issues squarely in the spotlight. Covered entities that suffer a breach of unsecured PHI affecting 500 or more individuals must notify the Department of Health and Human Services, which posts every such breach on a public list, and face civil penalties of up to $1.5 million per violation category per year (on top of mitigation costs). These 12 tips can help you avoid the costly, and embarrassing, consequences of a healthcare data breach.

Encrypt Data at Rest and in Motion


HIPAA does not mandate encryption outright; the Security Rule lists it as an "addressable" specification, meaning you must implement it or document why an equivalent alternative is adequate. The HITECH Act's breach-notification rule, however, gives encryption a powerful role: PHI that was encrypted in line with HHS guidance counts as "secured," so its loss or theft is not a reportable breach, provided the decryption key was not lost along with it. Centrally managed encryption using the Advanced Encryption Standard is the right starting point, because the data itself is what thieves and malicious hackers are after. Encrypt data in transit as well, decrypt it only once the requesting user has been authenticated, and encrypt it again as soon as it lands at its destination. (Side note: when you take part in health information exchange, get patients' permission to send and receive their data, and consider letting them opt out if they feel the process threatens their privacy.)

Encrypt Hardware, Too


Remember those lost laptops from the fourth slide? They are why you shouldn't settle for encrypting the data alone. Put full-disk encryption on the servers your data sits on, on the laptops and mobile devices employees use to move it around, and on the network endpoints through which it is exchanged, so a lost or stolen device yields nothing readable. Store the encryption keys for backup tapes separately from the tapes themselves, and don't lose the keys; a tape you cannot decrypt is as good as destroyed. The same goes for the transparent data encryption (TDE) product on your database: keep its master key in a key manager or HSM, not alongside the database files and their backups. Consider "on-the-fly" server encryption, which encrypts and decrypts data as it is saved and loaded without the end user being aware of it. Finally, don't forget the medical devices that regularly collect and transmit data. If they are too old to support encryption, either replace them or isolate them on their own network segment and tighten the controls around it.
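The advice in the two sections above, encrypting PHI with centrally managed AES and keeping the keys apart from the tapes and databases they protect, as an added example that is not part of the original article: a Go program that envelope-encrypts a patient record with a per-record AES-256-GCM data key, wraps that key under a key-encryption key (KEK) that belongs in a separate key manager, and shows that the stored record alone cannot be opened. The record layout, the field names, the "MRN-" identifiers and the sample diagnosis text are assumptions constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// EncryptedRecord is what lands on disk, tape or in a cloud archive. It holds
// no usable key: the data-encryption key (DEK) appears only wrapped under the
// key-encryption key (KEK), which stays in the key manager, never on the tape.
type EncryptedRecord struct {
	PatientID  string // bound to both ciphertexts as GCM additional data
	WrappedDEK []byte // DEK sealed under the KEK: nonce || ciphertext || tag
	Body       []byte // record sealed under the DEK: nonce || ciphertext || tag
}

// RandomKey returns n random bytes; used for the KEK (kept in the key manager)
// and for the per-record DEK.
func RandomKey(n int) ([]byte, error) {
	k := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBlob encrypts plaintext with a fresh nonce and returns nonce || ciphertext || tag.
func sealBlob(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := RandomKey(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openBlob reverses sealBlob; any change to nonce, ciphertext, tag or aad is an error.
func openBlob(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short (%d bytes)", len(blob))
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// SealRecord encrypts one record under a fresh AES-256 DEK and wraps that DEK
// under the KEK: the key manager never sees PHI, storage never sees a bare key.
func SealRecord(kek []byte, patientID string, plaintext []byte) (*EncryptedRecord, error) {
	dek, err := RandomKey(32)
	if err != nil {
		return nil, err
	}
	body, err := sealBlob(dek, plaintext, []byte(patientID))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealBlob(kek, dek, []byte("dek:"+patientID))
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{PatientID: patientID, WrappedDEK: wrapped, Body: body}, nil
}

// OpenRecord needs the KEK from the key manager; the tape alone is not enough.
func OpenRecord(kek []byte, rec *EncryptedRecord) ([]byte, error) {
	dek, err := openBlob(kek, rec.WrappedDEK, []byte("dek:"+rec.PatientID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openBlob(dek, rec.Body, []byte(rec.PatientID))
}

func main() {
	kek, _ := RandomKey(32)
	rec, _ := SealRecord(kek, "MRN-000123", []byte("Dx: type 2 diabetes; A1c 7.9")) // constructed sample
	if _, err := OpenRecord(make([]byte, 32), rec); err != nil { // thief has the tape, not the key manager
		fmt.Println("without the real KEK:", err)
	}
	pt, _ := OpenRecord(kek, rec)
	fmt.Println("with the KEK:", string(pt))
}
```

Binding the patient identifier as GCM additional data means a record cannot be silently re-labelled to another patient, and a flipped bit anywhere in the stored blob is rejected rather than decrypted into garbage; in a real deployment the KEK would be held by an HSM or key-management service and the wrapped DEKs rotated by re-wrapping, without touching the record bodies.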

Create an Airtight BYOD Policy


Mobile devices such as the iPad will make their way into healthcare facilities whether you like it or not, and it's only a matter of time before doctors want access to PHI on them. In your BYOD policy, prevent users from storing PHI locally, lest the device fall into the wrong hands, and require two-factor authentication, a password plus a one-time token, whenever access to PHI is requested. (An extra step, yes, but it gives you far better assurance that the right person is viewing the data.) Consider controls that block access to clinical apps when a device is beyond a set distance from the medical campus or after a session has been open for a set length of time. Finally, keep remote wipe and auto-lock capabilities in place, and forbid the use of cellphone cameras where PHI is on display.
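The password-plus-token requirement above, as an added example that is not part of the original article: a Go implementation of the RFC 6238 time-based one-time password (TOTP) check that a PHI gateway would run as the second factor, with a one-step clock-drift window, constant-time comparison, rejection of replayed codes, and a session that expires after a fixed period (the "set length of time" the policy calls for). The password is assumed to have been verified first against the organization's directory; the user name, the 15-minute limit and the in-memory enrolment store are assumptions for this example, and the shared secret is the RFC 6238 test secret, not a real enrolment.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	Digits       = 6                // code length the authenticator displays
	Step         = 30               // TOTP time step in seconds (RFC 6238 default)
	SessionLimit = 15 * time.Minute // assumed PHI session lifetime before re-authentication
)

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic
// truncation to 31 bits, then reduction to Digits decimal digits.
func hotp(secret []byte, counter uint64) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < Digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", Digits, code%mod)
}

// timeStep is the RFC 6238 counter for a given instant.
func timeStep(at time.Time) uint64 { return uint64(at.Unix() / Step) }

// TOTP is the code the user's token or authenticator app shows at time at.
func TOTP(secret []byte, at time.Time) string { return hotp(secret, timeStep(at)) }

// Session is what a BYOD device receives once both factors pass; it expires on its own.
type Session struct {
	User      string
	ExpiresAt time.Time
}

func (s Session) Valid(at time.Time) bool { return at.Before(s.ExpiresAt) }

// TokenVerifier is the second-factor check. The password (first factor) is
// assumed to have been verified already against the hospital directory.
type TokenVerifier struct {
	secrets  map[string][]byte // per-user shared secrets (hypothetical enrolment store)
	lastStep map[string]uint64 // most recent time step accepted per user, to block replay
}

func NewTokenVerifier() *TokenVerifier {
	return &TokenVerifier{secrets: map[string][]byte{}, lastStep: map[string]uint64{}}
}

func (v *TokenVerifier) Enroll(user string, secret []byte) { v.secrets[user] = secret }

// Verify accepts the code for the current step or one step either side (clock
// drift), compares in constant time, and never accepts a step at or below the
// last one used, so a code captured from one request cannot be replayed.
func (v *TokenVerifier) Verify(user, code string, now time.Time) (*Session, bool) {
	secret, ok := v.secrets[user]
	if !ok || len(code) != Digits {
		return nil, false
	}
	cur := timeStep(now)
	for _, s := range []uint64{cur - 1, cur, cur + 1} {
		if s <= v.lastStep[user] {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(hotp(secret, s)), []byte(code)) == 1 {
			v.lastStep[user] = s
			return &Session{User: user, ExpiresAt: now.Add(SessionLimit)}, true
		}
	}
	return nil, false
}

func main() {
	v := NewTokenVerifier()
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not a real enrolment
	v.Enroll("dr.smith", secret)
	now := time.Unix(1111111109, 0)
	code := TOTP(secret, now) // what the authenticator shows at that instant
	sess, ok := v.Verify("dr.smith", code, now.Add(20*time.Second))
	fmt.Println("first use, 20s later, within drift window:", ok, "session still valid at +10m:", sess.Valid(now.Add(10*time.Minute)))
	_, ok = v.Verify("dr.smith", code, now.Add(25*time.Second))
	fmt.Println("replay of the same code:", ok)
}
```

The drift window is deliberately narrow (one 30-second step either side); widening it makes a stolen code usable for longer, and the replay guard is what lets you accept drift at all without letting an intercepted code be reused within its validity window.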

Examine Service-Level Agreements With a Fine-Toothed Comb


The cloud is an increasingly attractive option for healthcare organizations that need to archive years' worth of patient data but lack the space (or expertise) to do it onsite. If you go to the cloud, keep several things in mind. Your contract should state clearly that you, not the cloud service provider (CSP), own your data. Because a CSP that stores PHI on your behalf is a business associate under HITECH, you also need a signed business associate agreement, and the SLA should spell out how the CSP will comply with HIPAA, PCI DSS (if card payments are involved) and the relevant state data privacy laws, and how, and how quickly, you will be given access to your data. Examine the provider's backup, disaster preparedness, disaster recovery and uptime guarantees carefully. This matters most if you've decided to move mission- and life-critical data to the cloud, since that places a premium on fast application recovery.