A 3 minute read
June 3, 2019

There were more than 351 reported healthcare data breaches that impacted 500 or more individuals in 2018. These breaches exposed more than 13 million individual healthcare records. We’ve compiled a list of the top five ways you can protect your organization or care facility from data breaches and avoid cyberattacks.

1. Use HIPAA-compliant software

HIPAA (Health Insurance Portability and Accountability Act), established in 1996, safeguards patient data privacy and security when collected and shared by medical professionals. It also reduces healthcare costs by standardizing how electronic medical records are transmitted. This legislation is becoming even more vital in light of the data breaches, cyberattacks, and ransomware attacks that have targeted care facilities and insurance providers.

To be considered HIPAA-compliant, software must include the following features:

  • User authorization (i.e. usernames and passwords)
  • Access control (i.e. users designated as admins control access based on role)
  • Authorization monitoring
  • Data backup
  • Remediation plan
  • Emergency mode
  • Automatic log off
  • Data encryption and decryption

Besides adhering to HIPAA security guidelines, software must also be accessible to staff and administrators using the technology installed in hospitals and other care facilities – which can be a difficult balance to strike.

2. Educate staff on best practices

Human error played a factor in more than 20 percent of data breaches according to a report from Verizon, with 34 percent of attacks involving actors inside the targeted organization. Ignorance of common phishing techniques can leave an organization at risk of malware introduction and other breaches. Through security trainings for users, organizations can reduce the effectiveness of these social engineering techniques and improve resistance to data breaches.

Some examples of best practices include:

  • Not using USB drives found scattered on or near the facility grounds
  • Reporting emails from suspicious senders or with questionable content
  • Keeping usernames and passwords private

3. Conduct internal audits

To ensure compliance with HIPAA, care facilities and medical organizations must conduct regular audits to identify potential risks for patient privacy violations or data breaches. This can include examinations and other educational tools for staff. Facilities must also create and enforce a remediation plan, which allows providers to correct and prevent lapses in data security for a variety of situations.

Effective training can include refresher courses on how to appropriately handle patient data. If there are grey areas or common questions around HIPAA compliance guidelines, it would be beneficial to hold a booster training for staff members. Conducting an internal audit is also useful for keeping staff updated on the latest healthcare regulations, which are constantly shifting. If your organization is switching software vendors or installing a new system, that could be an ideal time to ensure data security compliance.

4. Adopt role-based data accessibility

This may seem like common sense, but limiting data accessibility by role is one way to enhance overall security. If only essential personnel can access sensitive data – like complete patient histories, payments, etc. – that will reduce the risk of theft or accidental security breaches. If a breach does occur, the pool of responsible actors is also smaller, enabling the organization to identify exactly where the breach originated. This also requires user authentication, which bars those without credentials from accessing the system.

In addition to restricting access and requiring user authentication, IT experts recommend requiring password changes every 60 to 90 days to further reduce the risk of hacking. The best method, however, is two-factor authentication – which pairs a password with an additional verification method, such as thumbprint, security question, or a text.

5. Restrict data storage to in-house servers

Sensitive data should never be stored on personal devices, which can be easily stolen or hacked. Instead, sensitive data should be stored in secure on-site locations or on the cloud. If storing sensitive data on the cloud, your IT department will need to secure the endpoints of data access, encrypt data, and fully understand the shared responsibility model. Both of these methods allow users to access the data from workstations and remotely without sacrificing security. Some organizations even install “wiping” technology on user devices, which would eliminate sensitive data from user devices if they were lost or stolen.

Users accessing the system remotely should be able to do so in a secure fashion, generally through a virtual private network (VPN). A VPN creates a temporary link from the user’s device to the network, allowing for protected data retrieval and sharing. An organization’s IT department is responsible for upholding the integrity of the network through firewalls and antivirus solutions.

Looking for more information? Definitive Healthcare tracks healthcare IT news and intelligence as well as software installation data for more than 8,800 hospitals and IDNs. Sign up for your free trial today!


Alanna Moriarty

Alanna Moriarty is a healthcare industry writer and content strategist. As the Content Marketing Manager for Definitive Healthcare, she most enjoys connecting the dots between data and care delivery. ...

Continue Reading