Most of the attention around cybersecurity is focused on ways to protect your data from hackers and digital intrusion. In that scenario, the hacker is a shadowy figure, possibly operating from another country. However, most often, the threat comes from sensitive data walking out the facility’s front door with an employee or a former employee. Here are two important questions to ask about your facility’s cybersecurity:
1. What are you doing to prevent someone from accessing your facility’s patient health information (PHI) and electronic health records (EHRs) either through employee computers or directly from a data center?
2. Do you have internal policies or safeguards like encryption in place that will prevent someone from obtaining patient data and other sensitive information off a stolen or misplaced device?
Physical security is a key part of a layered approach to cybersecurity, aimed at reducing the likelihood that you expose patient data. Patient data is extremely valuable to criminals, with EHRs selling for as much as $1,000 on the black market. High rewards for access to information incentivizes theft, by whatever means necessary.
To combat the threat, Todd Williams, Manager of Security Operations for MEDHOST, recommends that providers layer in the following five elements of a physical security plan.
Policies and procedures that guard access to a facility is critical for a variety of reasons: They protect employee and patient safety first and foremost, but such procedures can also act as a barrier to data theft. Although it’s now basic policy to use key cards to limit access into buildings, it’s also important to carefully train your employees about the rules for card access. Adhering to rules that don’t allow people to “tailgate in” behind you, or not letting people in who left their key cards at home should be a part of a building’s security policies and procedures. In addition, cards can be stolen or duplicated. In such cases tying unique identifiers or biometrics into your facility security, or implementing minimum necessary rules can also offer an added layer of protection.
One key way to control facility access and protect sensitive patient data is to set up multiple layers of authentication. When it comes to data centers, for example, additional levels of security (beyond card keys) should be required. MFA might include a key card plus a password or another key to enable access, for example. Increasingly, biometric access controls, such as fingerprint or retinal scans for approved employees, are becoming popular ways of securing data.
HIPAA’s requirements govern how PHI is stored on hardware and removable devices, like a laptop or USB stick. It’s not uncommon for network support staff to pull files to a different computer to troubleshoot an IT problem and, in the process, accidentally pull PHI. Providers also can use tools to audit whether certain kinds of data are stored on an unauthorized company computer. As a rule, PHI should never be placed outside of designated areas of a network and should always contain some form of encryption or deidentification. The most secure policy would state that PHI should only be on devices that cannot leave the building.
Many providers, especially in smaller, rural facilities are still in the process of transferring paper records to EHRs. It’s critical for these paper records to be disposed of properly—HIPAA requires paper records to be burned, shredded, or pulped. However, there are many examples of improperly disposed health records, such as piles of sensitive paper records being recovered from dumpsters. Complying with regulations and properly disposing of paper records ensures greater physical security.
It’s also important to make a back-up plan for securing data, such as the 3-2-1 backup plan. What does it mean? There should be three copies of data, stored on two different formats of storage, with one of those stored physically apart from the other two copies of that data.
Building in measures to enhance the physical and digital security of your hospital is critical. MEDHOST Direct is equipped to help you safeguard your hospital or healthcare facility with our complete hosted solution that’s managed by a team of experienced experts.
Throughout October’s NCSAM, be sure check out the MEDHOST Minute Blog for more videos and posts on the healthcare industry’s evolving cybersecurity landscape.