8 Tips to Strengthen Your Data Security Practices
The more often data is handled, the greater the risk of a compliance failure, and some of the most sensitive data is entrusted to an industry that struggles to protect it sufficiently. In this article, Gretel Egan of Wombat Security, a division of Proofpoint, shares what health care organizations can do to address information security challenges.
Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) set forth legal requirements related to privacy and security safeguards for certain pieces of medical data. Now, more than 20 years later, health care organizations seemingly feel confident in their ability to execute against HIPAA mandates, according to the findings of a recent Ponemon Institute and Globalscape study. The researchers asked compliance professionals to rate the difficulty and importance of several data security regulations, and fewer than 50 percent of respondents classified HIPAA as being “difficult or very difficult to achieve compliance.” In fact, HIPAA was only the fourth most difficult regulation in these compliance professionals’ eyes, ranking behind the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS) and U.S. state laws.
Despite this perception, it’s clear (if only from the growing list of cases under investigation by the U.S. Department of Health and Human Services Office for Civil Rights) that protected health information (PHI) is breached regularly. And while hacking is a prominent source of these breaches, IT incidents like phishing attacks and malware/ransomware infections are also frequent causes of data compromise, as are actions like unauthorized disclosure, theft and loss. This means that health care workers’ behaviors are often at the root of a breach — and to make matters worse, these workers are also frequently targeted by cybercriminals. This is a perfect storm for organizations that are not training staff about cybersecurity best practices.
How Cyber Savvy Are Health Care Workers?
A recent report from security awareness and training provider Wombat Security, a division of Proofpoint, analyzed end-user responses to nearly 85 million cybersecurity assessment and training questions across 12 different topic categories and 16 different industries. End users in the health care industry answered 23 percent of questions incorrectly across all categories, making health care one of the four worst-performing industries analyzed. More concerning than this, however, is that these respondents struggled most with questions related to data protections. Health care workers incorrectly answered 26 percent of questions in the Protecting Confidential Information category (a topic that includes queries about HIPAA-mandated safeguards for PHI), and they missed 28 percent of questions in the Protecting and Disposing of Data Securely category, which covers techniques for properly managing data throughout its lifecycle.
This is particularly alarming considering that as end users in the health care industry continue to collect, store and share patient data, the risk of compliance failure continues to grow.
Within a typical health care setting, there is a hybrid environment where both electronic and hard-copy records are available. For electronic medical records (EMRs), it is critical for every end user in a health care setting to be properly trained in all areas of electronic data protections and to be well-versed in how to spot and avoid phishing attacks. According to a study by the American Medical Association (AMA) and Accenture, 83 percent of U.S. physicians have experienced some form of cyberattack, with phishing as the most common vector (55 percent). Additionally, more than half (55 percent) of physicians polled said they are concerned about future attacks.
But while anti-phishing education is clearly needed within the health care space, security awareness training programs that focus solely on email will not teach users all the ways PHI can be compromised, particularly given the health care industry’s continued reliance on paper and films. Health care organizations must stress proper handling, storage and disposal techniques for physical pieces of PHI, as well as electronic files. In addition, they should train employees that lapses in physical security — like losing a computer or leaving a secure door unlocked — can ultimately lead to a cybersecurity compromise, like theft of EMRs or installation of malware on an internal device or network.
End Users Can Be a Tough Nut to Crack
Workers in the health care industry are given access to some of the most sensitive data about individuals, and this elevates the need for effective security awareness and training programs across nearly all roles and responsibilities. Organizations and individual employees alike need to ensure PHI is properly handled and secured.
It’s important for infosec teams not to underestimate the influence that employees can have on data security — and, by extension, on the “ease” of achieving HIPAA compliance. They should also recognize that occasional communications about cybersecurity will not be enough to bring about measurable behavior change. An ongoing, employee-centered education program is the best way to move the dial.
That said, there are a few key tips that you can share with employees in the health care industry (and, in fact, any industry) to help raise awareness in the short term:
- Follow approval policies related to the transfer of sensitive data and invoice payments. Cybercriminals often impersonate trusted colleagues and vendors via email-based phishing attacks and voice phishing (aka vishing) phone calls. It’s critical that staff members verify (and receive approval for) these requests prior to acting on them.
- Be proactive about protecting PHI and learning about the implications of noncompliance with any regional and/or national mandates.
- Verify the validity of links, attachments and requests for credential submissions (e.g., password resets or account confirmations) that arrive via email. Staff should be instructed to confirm via trusted phone numbers, known web addresses or other legitimate sources before acting on instructions within an unsolicited email.
- Keep software up to date (including anti-virus, web browsers, desktop/mobile operating systems and any proprietary systems). Act quickly to patch or remediate any known vulnerabilities.
- Back up files and data to a secure location daily (or even hourly), if possible.
- Lock (and password-protect) computers and electronic systems when not in use.
- Never leave physical files and forms unattended. Keep filing systems and secure areas locked when not in use, and only grant access to “need to know” individuals.
- Minimize (or eliminate) the transport of sensitive data outside of the health care setting. Loss and theft are common sources of data breaches, so the less often data is on the move, the better. When possible, staff should complete paperwork within their job setting and avoid taking sensitive electronic or physical files home with them.