Healthcare providers collect, process and share citizens’ most highly sensitive personal data – from names, dates of birth and contact details, to medical and financial information. The loss of this data by healthcare organizations can cause significant emotional distress to patients if private medical conditions are disclosed, and also make them more vulnerable to identity theft, fraud and further cyberattacks.
Like every industry, the healthcare sector adopted new technology more rapidly than it ever had before in response to the COVID-19 pandemic. For the UK’s private healthcare providers, this change accelerated ongoing digital transformation projects that largely overspilled from the NHS’s paperless targets set out in their ‘Five Year Forward View’ from 2015, as well as from patients’ expectations of digital-first healthcare provision.
This increase in digital systems increased the amount of digital data being processed, putting greater emphasis on the need for healthcare organizations to improve their data protection practices constantly.
This post explains six data protection tips to help improve information security in healthcare organizations. It highlights the key considerations, tools and methods you need to be aware of to protect sensitive patient data throughout its lifecycle and maximize your data security budget.
1. Understand your risk exposure
The first step to improving data protection for healthcare organizations is conducting a risk audit and then creating a risk register.
During the risk audit, you need to comprehensively interrogate all the ways sensitive patient data is collected and processed, including where it is stored, who can access it and how they can access it, and then what they do with it. For example, who they share it with and how they share it, plus other actions such as printing and then how that paperwork is handled. In addition, you also need to examine your data retention policies and how deletion takes place.
Throughout the audit, you need to ask yourself whether these processes are compliant with GDPR and then fully assess any risks that the data may be subjected to. For example, disclosure of personal information to data subjects is compliant with GDPR, but doing so via plaintext email presents risks of accidental disclosure to unauthorized recipients.
One place to start when considering the risks to patient data is the ICO’s data security trends. This tracks the number of incidents reported to the ICO and their root causes. In particular, unauthorized disclosure through misdirected email and fax, as well as loss or theft of paperwork are routinely top of the list for healthcare organizations.
When you have your risk register, you can then design and implement your data protection policies. Clearly, these need to prioritize the security of patient data and compliance with GDPR, but it’s also important to map your policies back to your organization’s corporate agenda, so you can demonstrate ROI on security investments.
2. Invest in the right security layers – especially your human layer
Digital data protection comprises three layers: network, application and human. Healthcare organizations need to ensure all three are secure to protect patient data effectively.
Network and application security tends to be more formulaic and easier to solve, so providers have focused on these first. The human layer – employees and the way they put data at risk – presents a significantly more complex challenge.
When investing in technologies that protect your people and mitigate insider risk, you must put solutions in place to mitigate human error, particularly when it comes to data sharing. In many cases, data security systems and protocols are not designed to intuitively meet the needs of frontline healthcare workers, who then accidentally disclose information to unauthorized recipients or face the difficulty of not being able to communicate sensitive information without risking its security.
Contextual machine learning and social graph technologies like Egress Prevent can ensure that patient data is always emailed to the correct recipient, while real-time risk analysis means that the appropriate level of encryption is automatically applied. Additionally, healthcare professionals should be able to securely share sensitive information quickly and easily from any device, so investing in solutions that work on mobile devices is also key.
3 . Implement training – and understand its limitations
Implementing security awareness training and training (SA&T) for new technologies is key to improving data protection for healthcare organizations. On the whole, healthcare employees are committed to data security, however, staff at all levels face challenges in translating their commitment to reliable practice.
SAT can be delivered via regular modules, explaining the organization’s data protection policies, what’s expected from each employee, and why better data protection improves patient care. However, SAT has a limit. Employees won’t retain everything they’re told in each module and it’s difficult to truly achieve engagement using a single-touch approach.
Consequently, you also need to ensure the security solutions you implement engage with your end users in real-time as data is put at risk. For example, rather than hiding every phishing email from employees, intelligent technology like Egress Defend can flag malicious emails within their mailbox. The employee won’t be able to click any phishing links or download malicious attachments, but importantly, they’ll also be told and get to understand why this has happened. Similarly, intelligent data loss prevention technology like Egress Prevent will only alert users when they’re about to make a mistake – for example, adding an incorrect recipient or attaching the wrong document. This means SAT is delivered when and where it matters most to the work they do.
Additionally, product training and awareness are important aspects of any new change a healthcare organization faces. Without acceptance and understanding from your employees, technology risks becoming a potential waste of time and money. You can bring the best-suited and highly recommended piece of technology into your company, but without informing your staff on why it is important and how to correctly use it, employees may end up avoiding using it completely.
It’s important for healthcare organizations to spend time making sure that the product training their employees receive is relevant and accessible, and reinforces the data protection policies they’ll focus on in their SAT.
4. Monitor and analyze the evolution of cyberattacks
Patient data records are some of the most highly sought-after datasets by cybercriminals because they’re a one-stop shop for identity theft and fraud. As a result, healthcare organizations are an attractive target for cybercriminals.
It’s good practice to stay updated about evolving threats and tactics, so you can ensure your defences are properly enabled. There are many ways to do this. Professional development and training are obviously a good place to start. We also recommend subscribing to blogs by industry influencers and thought leaders, and email blasts by media outlets as a good (and low-cost) way to get regular updates landing in your inbox. You can also attend relevant industry events and webinars, many of which offer networking opportunities so you can knowledge share with industry experts and your peers. For example, check out our webinar with East of England Ambulance Service NHS Trust for a discussion of the latest threat trends and phishing attacks targeting public sector organizations.
To help give you a head-start on staying on top of emerging threats, you must make your inbound email security your top priority. Over 90% of cyberattacks start with a phishing email – so if you can effectively detect and eliminate phishing attacks, you can significantly reduce your attack exposure.
5. Document and communicate your policies and any changes
Healthcare organizations often come under scrutiny when detailing personal information security policies. Within any company, every employee has the responsibility to ensure information is kept safe and is used appropriately. Yet without well-structured information security policies, both employees and third parties have no data protection guidelines to follow when carrying out their day-to-day tasks.
You need to make sure you thoroughly document your data protection audit and risk register, as well as the steps you’re taking to mitigate risk. Any data that’s handled or processed on your behalf by contracted third parties remains your responsibility, so you’ll need specific policies to address this. For outsourced services, this can also mean ensuring that the correct training and technology are implemented by the partner, so it is important to review their own data protection policies, as well as their physical security.
You also need to ensure you communicate any amends to your existing data protection policies or new policies that are implemented with the right internal and external stakeholders.
6. Perform ongoing evaluation and improvements
Healthcare organizations’ risk posture can change daily, so you need to continually monitor your risks and evaluate the effectiveness of your mitigation strategies. Security solutions that offer trends and analytics will increase your visibility over risk reduction. They’ll also help you monitor adoption and usage to calculate their effectiveness and your ROI.
When new risks emerge, you will need to add them to your risk register and ensure they’re mitigated by existing technology or training, or implement new solutions. You then need to make sure you communicate any changes with those who need to know about or will be affected by them.