Mar 22 2018

3 Ways to Protect PHI from Prying Eyes

Don’t get caught off guard. These tips and tools will keep personal health information safe.

Data breaches remain top of mind for healthcare organizations, and for good reason. While 2017 saw larger and more costly healthcare breaches than previous years, 77 percent of organizations say they still do not have a formal cyberincident response plan, a new IBM study found.

Although 72 percent of respondents to IBM’s “Third Annual Study on the Cyber Resilient Organization” noted they were feeling more resilient to cyberattacks than last year, there’s still much to be gained from layering tech defenses.

"Organizations may be feeling more cyber resilient today, and the biggest reason why was hiring skilled personnel," Ted Julian, vice president of product management and co-founder of IBM Resilient, said in a press release. "Having the right staff in place is critical, but arming them with the most modern tools to augment their work is equally as important. A response plan that orchestrates human intelligence with machine intelligence is the only way security teams are going to get ahead of the threat and improve overall cyber resilience."

So what tools can healthcare organizations use to create more robust security and ward off future attacks? Verizon’s 2018 Protected Health Information Data Breach Report has three suggestions.


1. Full-Disk Encryption Keeps Healthcare Data Safe

Keeping protected health information (PHI) out of the hands of criminals is imperative, and full-disk encryption (FDE) is a low-cost and quick way to keep sensitive data safe.

“FDE can also mitigate the consequences of physical theft of assets by limiting exposure to fines and reporting requirements,” the Verizon report notes.

While this suggestion may not be news to healthcare organizations, the move to greater mobility makes this a higher priority than ever before, as lost or stolen devices pose a major security risk. In Houston, for example, a city employee’s stolen laptop threatened to expose the PHI of employees on the city’s health plan last month. Devices with encrypted data pose much less of a threat.

2. Routine Access Monitoring Protects PHI

It’s imperative that IT teams set up policies and tools to monitor PHI access, to ensure that no employees are looking where they shouldn’t, whether out of curiosity or for financial gain, the report notes. In fact, healthcare is the only industry where insiders pose the largest cyberthreat, according to the Verizon report, with 58 percent of incidents involving insiders.

In addition to tools that monitor access, healthcare leaders should “make all employees aware via security training and warning banners that if they view any patient data without a legitimate business need, there’s potential for corrective actions.”
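As an added illustration of what routine access monitoring looks like in practice (example code written for this article, not a tool from the Verizon report), the snippet below runs two insider-snooping rules over a constructed EHR audit log: a chart viewed by someone with no documented care relationship, and a burst of distinct charts viewed in a short window. The log format, the care-team table and the thresholds are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample EHR audit records (not from any real system): who viewed
# which patient chart and when.
AUDIT_LOG = [
    "2018-03-20T09:02:11 user=nurse.kim patient=P1001 action=view",
    "2018-03-20T09:05:40 user=dr.patel patient=P1001 action=view",
    "2018-03-20T09:06:02 user=dr.patel patient=P1002 action=view",
    "2018-03-20T12:14:09 user=clerk.ray patient=P1002 action=view",
    "2018-03-20T12:15:30 user=clerk.ray patient=P1003 action=view",
    "2018-03-20T12:16:01 user=clerk.ray patient=P1004 action=view",
    "2018-03-20T12:17:45 user=clerk.ray patient=P1005 action=view",
    "2018-03-20T12:18:12 user=clerk.ray patient=P1006 action=view",
    "2018-03-21T08:30:00 user=nurse.kim patient=P1003 action=view",
]

# Constructed care-team assignments: the "legitimate business need" baseline.
CARE_TEAM = {
    "P1001": {"nurse.kim", "dr.patel"},
    "P1002": {"dr.patel"},
    "P1003": {"nurse.kim"},
}

def parse_event(line):
    """Turn one 'ts key=value ...' audit line into a dict with a datetime."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def find_suspicious(lines, care_team, burst_n=5, window=timedelta(minutes=10)):
    """Return (user, patient, reason) tuples worth a compliance review."""
    events = sorted((parse_event(ln) for ln in lines), key=lambda e: e["ts"])
    findings = []
    recent = {}  # user -> [(ts, patient)] kept inside the sliding window
    for ev in events:
        user, patient, ts = ev["user"], ev["patient"], ev["ts"]
        # Rule 1: chart viewed by someone with no documented care relationship.
        if user not in care_team.get(patient, set()):
            findings.append((user, patient, "no_care_relationship"))
        # Rule 2: many distinct charts in a short window (curiosity or bulk lookup);
        # reported once, when the count first reaches burst_n.
        hist = [(t, p) for t, p in recent.get(user, []) if ts - t <= window]
        hist.append((ts, patient))
        recent[user] = hist
        if len({p for _, p in hist}) == burst_n:
            findings.append((user, patient, "bulk_lookup"))
    return findings
```

In a real deployment the care-team table would come from scheduling or admission data, and each finding would feed the review and warning-banner process the report describes rather than block access outright.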

3. Build Cyber Resiliency into Healthcare Infrastructure

Keeping threats out is the main goal, but reducing the impact on the network once the threat is already inside is equally as important. With the Verizon study finding that websites and email are the most common vectors for malware, there need to be tools in place to keep threats contained.

“Don’t allow a patient zero end-user device to easily propagate and spread ransomware to more critical assets and don’t use devices with high availability requirements to surf the internet or receive external email,” the report notes.

In the event these systems fail, there also need to be systems in place to ensure that providers can continue to care for patients during a recovery.

Make Resiliency a Long-Term Priority

When it comes to protecting PHI, it can be easier to reach for short-term measures that will protect data from immediate threats. The issue, however, is that threats continue to evolve and so must cyberdefenses. To stay safe, healthcare IT leaders should continually audit their strategies for addressing PHI. They should judge whether security measures around PHI are stringent enough and stay on top of evolving threat vectors.

“As the use of the Internet of Things (IoT) becomes more commonplace across the sector, establishing a proactive policy of building security into any and all implementations is vital in addressing what could be an increasing threat in the future. Focusing on resiliency and availability in IoT implementations, as well as integrity and confidentiality, is also important,” the report notes.

Moreover, with more than three-quarters of organizations reporting to IBM that they lack a cyberincident response plan, and with nearly half of respondents admitting that their response plans are “informal/ad hoc or completely nonexistent,” knowing what to do in the event of a cyberattack is imperative to patient and provider security.

“Having an overall incident response plan ready to go should a cyberattack occur will also enable quicker reactions, and can often make a difference to the level of impact an incident has on an organization,” the Verizon report states. “Testing those plans using tabletop exercises to discover gaps is critical before an incident occurs, as well as holding postmortem reviews after the fact to capture lessons learned.”
