5 Ways the Healthcare Industry Did Data Security Wrong in 2015. 5 Ways To Do it Right in 2016

POST WRITTEN BY
Mark Wilson

Healthcare data security needs surgical intervention in 2016.

Over the past year we’ve seen a tremendous number of attacks on the sector, and the healthcare industry needs some strong medicine to cure its data security problems. Major hacks may draw the headlines, but there were many other, everyday practices in hospitals and doctors’ offices that put our healthcare data at risk. Fortunately, there are proven, implementable solutions.

Why healthcare data security is so hard

Users and IT always seem to butt heads on security versus user experience, but health IT has some issues that you might not see in fields like banking or retail, which also deal with sensitive data. Take authentication: a five-second delay for a doctor to log in and check the database for allergies or co-existing conditions could be a matter of life and death for a patient, yet the same delay would merely irritate a loan officer or sales clerk.

But, there’s also more at risk when a healthcare record is breached versus a credit card account. A financial record may have your contact information and social security number, but a medical record can have that, plus your unique medical history including diagnoses, treatments and physical markers. That makes healthcare records more valuable on the black market than other types of stolen data, according to Ponemon.

Healthcare and IT don’t always understand each other’s needs, advantages and limitations, which hinders the industry’s overall ability to secure data. Here are some of the major things that healthcare is doing wrong, followed by some of the things that can help fix their problems.

What healthcare does wrong

  1. Focusing too much on compliance: While HIPAA and the Affordable Care Act are the reasons many healthcare practices finally got onboard with health IT, as the high number of breaches of HIPAA-compliant databases in 2015 proves, compliance isn’t sufficient to protect patients’ privacy.
  2. Tolerating mobile (BYOD) insecurity: Most doctors are using mobile devices in their work, such as emailing and texting with other healthcare professionals and patients. Many of those smartphones and tablets are personally owned, and many aren’t properly secured and encrypted. If these devices are lost or stolen, personal data is at risk.
  3. Spending too little on security: Healthcare organizations devote only about 14% of their IT budgets to security, compared to an average of 20% in other industries, CNBC reports. With all that’s at stake, health IT needs to rebalance its budget.
  4. Not making security a priority across the organization: Too many employees think security is IT’s responsibility, not theirs. But users are the weakest link in security, making mistakes – such as clicking on malware-infected emails or losing their laptops or smartphones – that open the entire organization to threats.
  5. Making IT systems too complicated or too simple: Users will misuse or ignore IT policies and systems that are too complicated to use, no matter how well-intentioned they are. On the flip side, policies and systems that are focused more on ease-of-use than security can put your data at risk. Balancing security and usability can be more complex in healthcare than other industries, but striking that balance is critical to protect the security of our personal health information.

What healthcare needs to do in 2016

  1. Implement comprehensive risk-management practices: Instead of making HIPAA compliance your goal, make that the starting point, then layer on behavioral analytics and other risk-management technologies. IT departments must be able to identify suspicious behavior, from insiders and outsiders, before your data is compromised.
  2. Use two-factor authentication, but make it easy: Secure logins should be a no-brainer, and two-factor authentication is the minimum to settle for. But speed is of the essence in emergency health situations, so combinations like scanning an employee badge and an iris may be faster than typing a password or using a fingerprint scan, both of which would require healthcare professionals to remove their gloves and compromise sanitary environments.
  3. Encrypt databases and mobile devices: Data must be encrypted, whether at rest in the database, being accessed by a user, or in transit between a device and storage, to protect the security of that data in the event of a system hack or lost/stolen device.
  4. Use enterprise mobility management (EMM) systems: Mobile device management helps IT administrators manage and secure all of the mobile devices that access company networks.
  5. Build a security culture: Anti-malware software, advanced behavioral analytics, encryption and other security measures are important, but they aren’t enough. Healthcare organizations need to establish a top-to-bottom security culture, where anyone who accesses data or systems feels personally responsible for maintaining the security of that information. This is partially a training issue, but it’s also a corporate culture issue.

Healthcare has a long way to go to shore up its data security technologies and practices, but all of these things are achievable. And, I’d argue that the importance of protecting patients’ privacy and the integrity of our healthcare system means that we have no choice.
