You are, essentially, the sum of your data. A near-comprehensive picture of who you are can be painted from the data of your day-to-day life. This statement may seem profound and outlandish, but retailers and marketers do exactly this, 24 hours a day, 7 days a week. Retailers use it to gain insights and suggest your next purchase, or to understand where demographic need and opportunity might exist geographically. This same consumer-driven data is starting to find its place in the clinical care environment.

With the advent of fitness-tracking wearables that monitor every calorie burned and portable health monitors that are shaping a new future for telehealth and population health, capturing health data is easier than ever. The healthcare industry is still working out how to turn this steady data stream into actionable decisions. In the meantime, healthcare IT professionals must be mindful of the security risk that comes with introducing this consumer-centric data into the ecosystem.
When it comes to securing EHR data and personal health information, here are four simple best practices that will help providers take steps toward minimizing risk in the ever-changing landscape that is healthcare IT.
1. Treat Your EHR Data Like Financial Data
Connected health in a heavily connected society makes data sharing easy, but it also opens new opportunities for hackers and cyber criminals. As Becker's Hospital Review recommends, an EHR should ideally exchange data with bank-level security in place: strong encryption in transit and at rest, strong authentication, and audited access. The financial technology sector is well ahead of healthcare when it comes to security.
Medical records and personal health information are significantly more valuable to cyber criminals than credit card information; yet healthcare remains the furthest behind in building the defenses and protocols needed to mitigate the associated risk. A stolen credit card may produce fraudulent charges that can usually be reversed, and the card itself can be reissued. A stolen medical record exposes information such as health status and Social Security numbers that cannot be changed, so the damage is permanent.
2. Reevaluate How Patients Access Health Data
Data that was once centralized within the confines of an EHR system is now accessible through hospitals' and providers' mobile applications for patient consumption, and patient privacy concerns have escalated accordingly. Driven by legislative mandates and incentives, patient portals are increasingly common. While this is a step in the right direction for patient engagement, it raises a new set of security questions.
As Modern Healthcare emphasizes, medical data accessed on a patient's cell phone can easily be shared with a third-party site, intentionally or otherwise. It is more important now than ever to ensure that patients access their health data in a secure environment. It is also crucial to educate patients on how to reduce their own exposure, for example by granting a third-party app access to their records only when they understand who will receive the data and why.
3. Seek to Understand Behavior, Not Events
In many traditional Security Information and Event Management (SIEM) environments, the emphasis is on events of concern and incident response. This creates a culture of continually putting out "fires" and leaves very little room for proactive and preventative action.
Fundamentally, an event of interest is a change in behavior that deviates from a normal range of activity. Blanket policies and standard rule sets no longer suffice here, because a fixed threshold is either too loose to catch a quiet abuser or so tight that it alerts constantly on busy clinicians. It is important to contextualize and understand behavior, both dynamically and historically: what is normal for this user, at this hour, against this kind of record. Behavior analytics and predictive modeling are at the core of what the next-generation SIEM must provide to remain effective in the emerging environment. Contextualizing threat by understanding user and entity behavior is the best-practice alternative to a traditional, rule-driven SIEM.
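The following is an added example, not code from the original article, showing what "behavior, not events" means in practice over EHR audit logs. It builds a per-user baseline (records viewed per active hour, and which hours of the day the user normally works) from six days of constructed history, then scores a seventh day against each user's own baseline instead of a blanket threshold. The log format, user names, patient IDs and the z-score threshold are all assumptions made for the example.

```python
"""Behavior-baseline detection over EHR audit events (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# ---- Constructed sample data (not real audit data) -------------------------
# Each audit line: "<ISO timestamp> <user> <action> <patient_id>".
# Six days of routine history are generated deterministically; the day under
# review is written out by hand so the anomalies are easy to see.
HISTORY_DAYS = [f"2024-03-0{d}" for d in range(1, 7)]
REVIEW_DAY = "2024-03-07"


def _routine_lines():
    lines = []
    for day in HISTORY_DAYS:
        for hour in range(8, 17):                 # a normal day shift, 08:00-16:59
            for i in range(3 + hour % 3):         # nurse01 views 3-5 charts an hour
                lines.append(f"{day}T{hour:02d}:{5*i:02d}:00 nurse01 VIEW_RECORD P{1000+hour*10+i}")
            for i in range(2 + hour % 2):         # billing02 views 2-3 charts an hour
                lines.append(f"{day}T{hour:02d}:{30+i:02d}:00 billing02 VIEW_RECORD P{2000+hour*10+i}")
    return lines


REVIEW_LINES = (
    # nurse01 looks normal during her shift ...
    [f"{REVIEW_DAY}T09:{5*i:02d}:00 nurse01 VIEW_RECORD P{3000+i}" for i in range(4)]
    # ... but pulls 40 charts at 02:00, an hour she has never worked before
    + [f"{REVIEW_DAY}T02:{i:02d}:00 nurse01 VIEW_RECORD P{4000+i}" for i in range(40)]
    # billing02 is a little busier than usual but well within his own range
    + [f"{REVIEW_DAY}T10:{10*i:02d}:00 billing02 VIEW_RECORD P{5000+i}" for i in range(3)]
    # an account with no history at all touches one record
    + [f"{REVIEW_DAY}T11:00:00 contractor09 VIEW_RECORD P6000"]
)
SAMPLE_LOG = _routine_lines() + REVIEW_LINES


# ---- Detection logic --------------------------------------------------------
def parse(line):
    ts, user, action, pid = line.split()
    return datetime.fromisoformat(ts), user, action, pid


def hourly_counts(lines):
    """Aggregate audit lines into (user, day, hour) -> records viewed."""
    counts = defaultdict(int)
    for line in lines:
        t, user, action, _ = parse(line)
        if action == "VIEW_RECORD":
            counts[(user, t.strftime("%Y-%m-%d"), t.hour)] += 1
    return counts


def build_baseline(counts, history_days):
    """Per user: mean/stdev of records per active hour, and the hours ever seen."""
    volumes, hours = defaultdict(list), defaultdict(set)
    for (user, day, hour), n in counts.items():
        if day in history_days:
            volumes[user].append(n)
            hours[user].add(hour)
    return {u: {"mean": mean(v), "std": pstdev(v), "hours": hours[u]} for u, v in volumes.items()}


def score_day(counts, baseline, day, z_threshold=3.0, std_floor=1.0):
    """Alert on buckets that deviate from the user's OWN history, not a fixed rule.

    std_floor keeps a user with a nearly constant history from alerting on +1.
    Returns (user, hour, count, reason) tuples, sorted by user then hour.
    """
    alerts = []
    for (user, d, hour), n in sorted(counts.items()):
        if d != day:
            continue
        b = baseline.get(user)
        if b is None:                              # unknown entity: no normal to compare against
            alerts.append((user, hour, n, "no history for this user"))
            continue
        z = (n - b["mean"]) / max(b["std"], std_floor)
        reasons = []
        if z > z_threshold:
            reasons.append(f"volume z={z:.1f} vs mean {b['mean']:.1f}/hour")
        if hour not in b["hours"]:
            reasons.append(f"hour {hour:02d} never seen for this user")
        if reasons:
            alerts.append((user, hour, n, "; ".join(reasons)))
    return alerts


def run_example():
    counts = hourly_counts(SAMPLE_LOG)
    baseline = build_baseline(counts, set(HISTORY_DAYS))
    return score_day(counts, baseline, REVIEW_DAY)


if __name__ == "__main__":
    for user, hour, n, reason in run_example():
        print(f"{REVIEW_DAY} {hour:02d}:00 {user:<13} {n:>3} records  {reason}")
```

Running it flags two things a static "more than N views per hour" rule handles poorly: nurse01's 02:00 bulk pull is caught both on volume and because she has never been active at that hour, and contractor09 is surfaced simply because the account has no history to be normal against. billing02's slightly busier hour produces no alert, because it is compared with his own range rather than with a threshold tuned for someone else.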
4. Share Mindfully
Historically, healthcare has favored keeping all data and systems on premises in an enclosed, protected network. In today's hyper-connected world, operating in a closed environment is no longer an option. We interact with third parties continually, and organizations must share information with those they do business with, in both B2B and B2C settings. By opening these channels of exchange, we are sharing data and trusting the third parties to protect and secure it. With data fragmented across partners and the limited visibility that brings, those who hold the primary responsibility and liability for the data must weigh the cyber risk. They must understand and quantify the risk of doing business with any third party long before they share any data with it. Share mindfully: assess the security risk of every third party you do business with, and revisit that assessment as the relationship and the data you exchange change.