Personal health information refers, in short, to demographic information, medical histories, test and lab results, mental health conditions, insurance information, and other data that a healthcare professional collects to identify an individual and determine appropriate care.
This same detailed information about our health is also a product. In addition to its use by patients and healthcare professionals, it is also valuable to clinical and scientific researchers when anonymized.
For hackers this data is a treasure trove. After all, it is personal patient information that can be stolen and sold elsewhere. What’s more, they can hold the data hostage with ransomware until the medical institution pays the ransom.
Medical institutions deal with personal health information and this can be a risk
As we have seen, by the nature of the sector, healthcare institutions deal with confidential patient data. This information includes date of birth, medical conditions and health insurance applications.
Whether in paper records or in an electronic record system, personal health information describes a patient’s medical history, thus including diseases, treatments and outcomes.
To give you an idea, from the first moments after birth, a baby today is likely to have their personal health information entered into an electronic health record system, including weight, length, body temperature and any complications during delivery.
Tracking this information over the course of a patient’s life gives the clinician the context of the person’s health, which makes it easier for the professional to make treatment decisions.
When properly recorded, personal health information can be stored without identifying features and added anonymously to large databases of patient information.
These de-identified data can contribute to population health management and value-based care programs.
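As an added illustration (not code from the original article), the following Python sketch shows one way a record carrying the kinds of fields named above could be de-identified before it is added to a research database: direct identifiers are dropped, the date of birth is generalized to an age band, and the patient identifier is replaced by a keyed pseudonym so that the same patient's records still link without revealing who they are. The field names, sample record and key are constructed for the example.

```python
import hmac
import hashlib
import json
from datetime import date

# Direct identifiers (hypothetical field names) that must not reach a research export.
DIRECT_IDENTIFIERS = {"patient_id", "name", "address", "phone", "insurance_id", "dob"}

def age_band(dob_iso: str, as_of_iso: str, width: int = 10) -> str:
    """Generalize a date of birth to a coarse age band such as '40-49'.
    Ages 90 and over are pooled, a common convention for small, re-identifiable groups."""
    dob, as_of = date.fromisoformat(dob_iso), date.fromisoformat(as_of_iso)
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    if age >= 90:
        return "90+"
    low = (age // width) * width
    return f"{low}-{low + width - 1}"

def pseudonym(patient_id: str, key: bytes) -> str:
    """Keyed hash of the patient identifier. Stable per patient, so records from
    different visits still link, but not reversible or recomputable without the key."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]

def deidentify(record: dict, key: bytes, as_of_iso: str) -> dict:
    """Return a copy of the record with direct identifiers removed, the date of birth
    replaced by an age band and the patient identifier replaced by a pseudonym."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pseudonym"] = pseudonym(record["patient_id"], key)
    out["age_band"] = age_band(record["dob"], as_of_iso)
    return out

# Constructed sample record; the values are invented for this example.
SAMPLE = {
    "patient_id": "MRN-000123",
    "name": "Jane Doe",
    "dob": "1979-05-14",
    "address": "1 Example Street",
    "phone": "+00 000 000 000",
    "insurance_id": "INS-9988",
    "diagnosis": "E11.9",
    "hba1c": 7.2,
}

if __name__ == "__main__":
    # Placeholder key: in practice the institution keeps it in a KMS or HSM, separate
    # from the research database, so the pseudonyms cannot be linked back to patients.
    key = b"placeholder-institution-key"
    print(json.dumps(deidentify(SAMPLE, key, "2024-01-01"), indent=2))
```

The output keeps the clinical fields (diagnosis, lab value) that research needs while the export no longer carries the name, contact details, insurance number or exact birth date.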
However, there are cases where data security, protection and privacy measures are not applied. This puts health institutions, staff and especially patients at serious risk.
Cybersecurity threats in healthcare affect patients and institutions
As technology advances, healthcare professionals work to implement innovations to improve care, but cybersecurity threats continue to evolve as well.
Ransomware attacks and healthcare data breaches remain top concerns for healthcare entities and business partners of all sizes.
Ransomware is a good example of a threat with major impact on the healthcare sector. It is considered high-risk because healthcare organizations are tasked with caring for people: if certain information is locked or inaccessible, that care may be affected.
The responsibility for the protection of personal health information lies with all institutions and their business partners.
A situation that is sometimes misunderstood by health institutions is that privacy and security of health information do not always move together.
While privacy requires security measures, it is possible to have security restrictions that do not fully protect the private information of patients and caregivers.
Let’s think of an example: if a healthcare institution or a cloud provider shares encrypted medical data with an outpatient clinic, protection and privacy may still be at risk.
After all, institutions need to enter into a partnership agreement that includes requirements for data security processes and policies. If this does not occur, the information shared is at high risk.
Despite the high risk, it is possible to protect your organization from cybercrime by securing patient information
Ransomware and other cybercrime attacks occur when a hacker gains access to an organization’s network. In the aftermath, files are encrypted or stolen.
In the specific case of ransomware, the files are inaccessible by the target until a ransom is paid.
To protect your organization from attacks like this and other cybercrimes targeting the healthcare industry, data protection experts recommend ten practices for securing health information:
1. Define clear data protection and privacy policies and processes
An important step in the protection and privacy of patient and caregiver health information is to clearly define data protection and privacy policies and processes.
This is the kick-off for all the other safety recommendations for the benefit of medical institutions.
2. Protect patient information in the workplace
Use access controls to ensure that patient health information is accessed only by authorized staff.
3. Conduct staff training on health data protection and privacy policies and processes
A protected health organization must train all members of its workforce on the policies and procedures regarding personal health information.
Training should be provided to each new professional within a reasonable period of time after the person joins the institution.
In addition, staff members should also be trained if their roles are affected by a material change in policies and procedures in the defined privacy and protection rules.
4. Procedures for disclosure or sharing of health information must be documented and authorized
A written authorization from the patient is required when a healthcare facility needs to share or disclose psychotherapy notes, substance abuse disorder treatment records, or related information.
5. Define secure health data storage and retrieval procedures
Data should be backed up periodically. It is also good practice to back up data regularly to hardware such as flash drives and external hard drives, and to copy it to the cloud as it is modified.
This redundancy ensures that critical information is readily available. If possible, health institutions should have backups in multiple locations.
6. Firewalls are essential to ensure that protected information is not improperly destroyed
Properly using a firewall can help prevent your organization from falling victim to unauthorized access that could potentially compromise the confidentiality, integrity or availability of patient health information.
7. Health data recorded on paper should be protected
The concern for data protection and privacy also applies to the use of paper and other physical files. In addition to policies and procedures covering the physical security of documents, staff should be instructed to immediately report all incidents that may involve the loss or theft of such paper records.
8. Personal health information should never be left unattended
Extra care should be taken when patient records are temporarily transported to other health care institutions.
This information must be supervised and protected by responsible professionals during the journey, delivery and storage of personal health information.
9. Document and device encryption must protect medical data from cybercriminals
In short, devices and documents should be protected with encryption and digital signatures when they are shared between institutions and other healthcare professionals.
10. Keeping anti-virus and anti-malware software up to date is vitally important for personal health information
In addition, software updates and patches must be applied in a timely manner to keep networks and systems secure.
It is also worth remembering that common sense is always a good best practice. Employees should never share passwords. Default passwords should be changed immediately after a new application is deployed. Finally, passwords should not be reused between different systems and should be changed if they are compromised.
The ultimate goal is to achieve high levels of data security, protection and privacy, thus ensuring the integrity of the personal health information of patients and other caregivers.
About Eval
EVAL has been developing projects in the financial, healthcare, education and industrial segments for more than 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature, and Data Protection solutions. Today we are present in the main Brazilian banks, healthcare institutions, schools and universities, as well as in a range of industries.
With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS and the LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.
Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.
Eval, security is value.