Electronic health records have become a more efficient and effective way for health care providers and patients to share medical records. Electronic health records provide convenience and cost savings for many, but with all of this digital information there remain significant risks when it comes to data breaches, particularly concerning HIPAA and HITECH privacy regulations. A breach of this information could become a major problem for the health care provider, insurance company and the patient.
Focus On Data Loss Prevention Software
Technology can evolve to address changing threats, but training and employee awareness are two critical components of prevention. The primary concerns for employees involve daily communications coming into the organization. Bogus emails or phone calls attempting to extract certain data can be detected by properly trained employees.
Breaches can also occur within an organization by a rogue employee. Unlawful transfer of data or even the theft of physical data storage components are both serious concerns. A company that fosters a culture of awareness is in a much better position to avoid security issues.
Data encryption for laptops, smartphones or tablets is an increasingly important issue in the healthcare industry. According to Forrester analyst Chris Sherman, 39 percent of healthcare data breaches have involved a lost or stolen electronic device since 2005.
Methods that can be used to avoid breaches on mobile devices include encryption consistent with FIPS 140-2 standards, virtualization of applications through web- or cloud-based technology rather than storing data directly on the device, and data loss prevention software.
The implementation of a cryptographic module for mobile devices is outlined by the National Institute of Standards and Technology (NIST). The steps in this implementation include:
- cryptographic module specification
- cryptographic module ports and interfaces
- roles, services, and authentication
- finite state model
- physical security
- operational environment
- cryptographic key management
- electromagnetic interference/electromagnetic compatibility (EMI/EMC)
- self-tests
- design assurance
As technology evolves and hackers become more sophisticated, data loss prevention software and endpoint security will become increasingly complex, so organizations will need to find new and innovative ways to secure their data. Currently, these methods include mobile data loss prevention initiatives such as device interrogation and geo-location technology. It is vitally important that device encryption is a top priority whenever new devices are introduced into an organization.
It is important to react to a breach once it has been detected, but some effort should be committed to educating your staff on ways to actually detect a breach. Often, a breach will go unnoticed and this is by design. The longer the breach can continue, the more the perpetrator can benefit. However, this can also mean more damage to your organization.
The best way to detect data breaches is to rely on the human element rather than automated systems that might be designed to detect these breaches. Systems can fail, or they can miss certain nuances in behavior that can send a signal to one of your employees that something is amiss.
How To React
Once a breach is detected, it is vitally important to contain the situation and shut off access by any perpetrators. Physical disconnection of machines and hardware is the fastest and most effective way to accomplish this, but in some cases, it may be advisable to monitor the breach activities to learn how the breach took place and to identify who is involved. Often, a team of specialized professionals is necessary to handle a breach situation in terms of identifying the source of the breach, securing the system and dealing with the repercussions of any breach.
A comprehensive plan that covers prevention, detection and response to data breach incidents is the best way for healthcare organizations to avoid a disaster. Preparedness will not only serve to prevent and detect breaches, but it can also equip an organization with the tools necessary to deal with a data breach by responding quickly and effectively.