Week 2 – Protecting Healthcare Data
We kicked off Cybersecurity Awareness Month talking about how to protect you and your family from data breaches. This week we focus on protecting SCL Health's and our patients' data from breaches. Healthcare data breaches can have a wide-ranging impact on our patients and their families, as well as on SCL Health. Due to hackers’ ability to monetize patient data, protected health information will continue to be a top target.
As attackers continue to focus on healthcare, an increase in hospital breaches means the consequences for us will increase if we don’t properly manage risk.
Why cybercriminals attack healthcare more than any other industry
Experts see healthcare as particularly vulnerable to cyber-attacks because medical identity theft remains so lucrative and relatively easy for hackers to exploit – and they continue to find markets for reselling patient data.
Due to hackers’ ability to monetize patient data, electronic health records remain likely to be a top target for hackers. As more healthcare institutions deploy new mobile applications, it’s possible they will introduce new vulnerabilities that will also be attractive targets.
As attackers continue to focus on healthcare, an increase in hospital breaches means the consequences will also increase.
What healthcare data is targeted?
- Protected Health Information: This is information which relates to the physical or mental health condition, payment or provision of healthcare that can be associated with an individual.
- Financial Information: This is financial or monetary information associated with an individual. This could include their bank account or credit card.
- Intellectual Property: This is information such as patentable inventions, trade secrets and copyrighted works. This can include medical research, software we have created, medical device innovation and even confidential know-how about our healthcare operations.
Why we protect healthcare data
We are responsible for protecting people’s most private and personal healthcare information. Unlike credit card numbers or online accounts, private records about a person can never be replaced after a breach. Out of respect and dignity for our patients, it is critical we protect their data. In addition, as a result of the HIPAA Privacy and Security Rules and the HITECH Act, we are required by federal law to safeguard healthcare data. Fortunately, there are easy, practical steps you can take to help protect this valuable information.
Where is healthcare data located?
Healthcare data can reside in places you might least expect. As such, it is critical you protect any devices and media you are using for work:
- Desktop and Laptop Computers
- Smartphones and Tablets
- External or Portable Hard Drives
- USB Flash Drives and SD Memory Cards
- DVDs and CD-ROMs
- Biomedical Devices
- Printers, Copiers and Fax Machines
Top Tips for Securing Healthcare Data
- Passwords: Use a strong, unique password or passcode to protect mobile devices, laptops or computers. Whenever possible, use two-factor verification (SCL Health uses Duo for remote access). Never share your passwords with anyone, including a supervisor, coworker or the help desk.
- Control: Keep healthcare data in your personal control at all times and locked inside cabinets or drawers when not in use. Never leave healthcare data unattended, such as in a vehicle. Never take any healthcare data out of our facility whether in electronic, paper or other form, unless you have prior authorization.
- Encryption: Healthcare data should be encrypted whenever you are storing or transmitting it. For example, when accessing healthcare data online, make sure your browser’s connection is encrypted. Check to confirm the website address starts with HTTPS and there is a closed padlock next to it.
- Emailing PHI: PHI should be emailed securely by putting (secure) in the subject line of your SCL Health email. This ensures the secure transmission of our patients’ data and any attachments you may be sending. Please refer to the email encryption instructions here.
- Sharing: Never share any healthcare data through social media or text messaging, unless it is an SCL-approved secure texting solution, for example Zipit at St. Vincent’s. In addition, you must have prior authorization to use cloud services. Please refer to the Information Systems Vendor Security Management policy here.
Recommended methods for sharing SCL confidential data
Some SCL Health teams have a need to share files containing protected health information (PHI) or confidential personally identifiable information (PII) for access by various individuals and sometimes at multiple locations. This includes patient identifiable information or other confidential information, such as personnel data, financial information, etc. You can find the policy on Electronically Storing and Sharing Confidential Information here.
Recommended methods for sharing files containing PHI and PII:
- ShareFile – ShareFile is the SCL Health approved file sync-n-share solution. Contact STSC for license information or call the Technical Assistance Center (TAC).
- Shared Drives
  - Provide access only to those users who need it to perform their jobs
  - Encrypt the files to add another level of security
Acceptable, but not recommended, methods for sharing files containing PHI and PII:
- SharePoint (including The Landing)
  - Files containing PHI or PII that are stored in SharePoint must be encrypted
Unacceptable methods for sharing files containing PHI and PII:
- Cloud-Based File Sharing Applications (e.g., DropBox)
  - Cloud-based file sharing applications are not approved for sharing confidential information. SCL Health provides the approved ShareFile application for this functionality.
How to encrypt a file:
- In Microsoft Office 2010 or 2013, open the document you would like to encrypt, click File and select the Info option. Under the Info section, click on the Protect Document option. Choose Encrypt with Password and follow the instructions to enter a password.
- The password can be a standard, group password. It should not be shared in an email with the link to the files.
Please be on the lookout for further topics every week in October on how to secure and protect SCL Health’s data as well as your personal data from data breaches.
Enterprise Information Security hopes you find the information presented during Cybersecurity Awareness Month useful and helpful. You can view other cyber education topics on our page on The Landing here or via HealthStream. Our intent is to educate you to protect not only SCL Health but also your family and home from cyber-attacks that can have a large impact on your personal life and finances. Thank you for your help in protecting SCL Health and our patients from data breaches. If you have questions, please reach out to email@example.com.