
10 Ways to Secure Healthcare Data [1]

All hospitals and other healthcare organizations need to be careful about protecting sensitive patient
healthcare data. That includes medical records, financial details, and other personal information.
Securing healthcare data requires a mix of employee education, smart use of technology and
physical security for buildings. Here’s a list of ten important best practices for healthcare data
security:

1. Protect the network


Because hackers have a variety of methods for breaking into healthcare organizations’ networks, health
IT departments need to use a variety of tools to try to keep them out. However, most firms spend
too much on perimeter security, such as firewalls and antivirus software, while experts warn they
should also be adopting technologies that limit the damage when attacks do occur.

That includes techniques such as segregating networks so that an intruder into one area doesn’t have
access to all the data stored throughout the organization.

2. Educate staff members


Whether due to negligence or malicious actions, employees are often involved in healthcare data
breaches. Therefore, any IT security program should include a big focus on employee education,
including:

• Training on what does and doesn’t constitute a HIPAA violation
• Lessons on avoiding phishing, social engineering and other attacks that target employees, and
• Advice on choosing secure passwords.

3. Encrypt portable devices


In the past few years, several data breaches have occurred because a portable computing or storage
device containing protected health information was lost or stolen. One thing healthcare
organizations should always do to prevent those breaches: Encrypt all devices that might hold
patient data, including laptops, smartphones, tablets and portable USB drives.

In addition to providing encrypted devices for employees, it’s important to have a strict policy
against carrying data on an unencrypted personal device.

4. Secure wireless networks


Organizations are increasingly relying on wireless routers for their office networks. But
unfortunately, those wireless networks often introduce security vulnerabilities. Data can be stolen
by hacking into those networks from the parking lot, for example, especially if the organization
relies on outdated technology, such as routers that use the 12-year-old Wired Equivalent Privacy
(WEP) security standard.

[1] fastchart.com/news/ways-to-secure-healthcare-data

To protect against attacks, healthcare providers should make sure that their routers and other
components are kept up to date, network passwords are secure and changed frequently, and
unauthorized devices are blocked from accessing the network.

5. Implement physical security controls


Even as electronic health records become more common, organizations still keep a lot of sensitive
data on paper. Therefore, providers must make sure doors and file cabinets are locked and that
cameras and other physical security controls are used.

6. Write a mobile device policy


As more healthcare employees use personal devices to do their work, it’s important that every
organization creates a mobile device policy that governs what data can be stored on those gadgets,
what apps may be installed, etc.

7. Delete unnecessary data


One lesson many data breach victims have learned: The more healthcare data that is held by an
organization, the more there is for criminals to steal. Organizations should have a policy mandating
the deletion of patient and other information that’s no longer needed.

In addition, it pays to regularly audit the information that’s being stored, so the organization knows
what’s there and can identify what may be deleted.

8. Vet third parties’ security


Along with mobile devices, the biggest IT trend in the past few years has likely been the rise of
cloud computing. Cloud-based services have enabled smaller organizations to take advantage of
many of the same technologies as their larger competitors by lowering the up-front costs necessary
for deployment.

However, putting information in the hands of third parties also creates a number of new risks.
Therefore, it’s important for organizations to diligently vet the security of cloud computing vendors
and other third parties they contract with.

9. Patch electronic medical devices


While many of the IT security threats healthcare organizations face also affect companies in other
industries, providers have another risk: the threat of healthcare data on pacemakers, monitoring
tools and other electronic medical devices being hacked. Keep the software on those devices
patched and up to date to minimize their vulnerabilities.

10. Have a data breach response plan


It’s unlikely an organization will ever be able to prevent every possible IT security incident. That’s
why it’s critical to develop a plan of action for when a healthcare data breach does occur.
