Reasonable Measures Required to Protect Patient Data
Consider cybersecurity a gut check for businesses in the HME field
by Vivek Mathew

Health insurer Premera Blue Cross disclosed a severe cyberattack in March 2015.

The breach affected about 11 million people. It exposed patients' medical and personal information and showed that Premera's defenses had failed: the intrusion began in May 2014 and was not discovered until January 2015. Malware of this kind is a threat to businesses and health care professionals alike.

Failure to implement legally required safeguards for patient data, combined with casual disregard for security protocols, makes the health care industry a prime target for medical information theft. Consider cybersecurity a gut check for businesses in the home medical equipment (HME) field.

Opportunities for mistakes and for systematic attack exist now more than ever, with so many systems, connections and methods of sharing information. More than 95 percent of patient information in the health care industry is digitized, according to Verizon's 2014 Data Breach Investigations Report, and the industry is becoming increasingly automated.

Attackers continually refine their methods to quickly defeat weak security measures. A patient's entire identity can be stolen and sold on the web within minutes. Safeguarding data against internet-borne threats requires familiarity with common attack methods and insight into where an organization's own defenses are weak.

Lost or stolen physical property accounts for a substantial share of costly incidents for companies and patients alike. When laptops, tablets and flash drives holding unencrypted data are taken from an organization, everything on them is at the thief's fingertips.

Risk Assessments Are Essential

To assess a cybersecurity problem, health care officials must conduct regular baseline risk assessments. This process inventories the systems that store or transmit patient data, identifies weak areas in them and serves as the first step in fighting cyberattacks. It should be paired with ongoing monitoring: administrators should watch for repeated failed login attempts, noticeable increases in traffic to a server and unexplained growth in disk space usage, all of which can signal an intrusion in progress. A penetration test, a simulated attack on the organization's systems carried out to discover security weaknesses before a real attacker does, is also recommended.
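The failed-login check described above, as an added example that is not part of the original article: a small Python script that parses OpenSSH-style authentication log lines and flags source addresses that are guessing passwords, either in a burst or spread out over the day, and notes whether a successful login followed. The log lines, host name and IP addresses are constructed for the example; the thresholds (five failures, ten-minute window) are assumptions to be tuned for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH's syslog format; not a real log.
# 203.0.113.45 hammers several accounts within seconds and then gets in as "billing";
# 198.51.100.7 spaces its guesses 15 minutes apart to stay under burst thresholds.
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:12 hme-srv sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar 10 08:01:14 hme-srv sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51123 ssh2
Mar 10 08:01:15 hme-srv sshd[2104]: Failed password for root from 203.0.113.45 port 51124 ssh2
Mar 10 08:01:17 hme-srv sshd[2106]: Failed password for root from 203.0.113.45 port 51125 ssh2
Mar 10 08:01:19 hme-srv sshd[2108]: Failed password for billing from 203.0.113.45 port 51126 ssh2
Mar 10 08:01:20 hme-srv sshd[2110]: Accepted password for billing from 203.0.113.45 port 51127 ssh2
Mar 10 08:15:02 hme-srv sshd[2150]: Failed password for jdoe from 192.168.10.22 port 40001 ssh2
Mar 10 08:15:40 hme-srv sshd[2152]: Accepted publickey for jdoe from 192.168.10.22 port 40002 ssh2
Mar 10 09:30:00 hme-srv sshd[2300]: Failed password for invalid user test from 198.51.100.7 port 33001 ssh2
Mar 10 09:45:00 hme-srv sshd[2301]: Failed password for invalid user test from 198.51.100.7 port 33002 ssh2
Mar 10 10:00:00 hme-srv sshd[2302]: Failed password for invalid user test from 198.51.100.7 port 33003 ssh2
Mar 10 10:15:00 hme-srv sshd[2303]: Failed password for invalid user test from 198.51.100.7 port 33004 ssh2
Mar 10 10:30:00 hme-srv sshd[2304]: Failed password for invalid user test from 198.51.100.7 port 33005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2015):
    """Return (timestamp, result, user, source_ip) tuples; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failures inside any sliding window ("burst")
    or >= threshold failures over the whole log ("low-and-slow"), and note whether
    a successful login from that IP followed, which is the sign of a compromise."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in events:
        (failures if result == "Failed" else successes)[ip].append((ts, user))

    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        times = [t for t, _ in fails]
        since = None
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t <= start + window) >= threshold:
                kind, since = "burst", start
                break
        if since is None:
            if len(times) < threshold:
                continue
            kind, since = "low-and-slow", times[0]
        alerts[ip] = {
            "kind": kind,
            "failures": len(times),
            "users": sorted({u for _, u in fails}),
            "success_after": any(t > since for t, _ in successes.get(ip, [])),
        }
    return alerts


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

On the sample, the first address is reported as a burst that ended in a successful login (the case that needs an incident response, not just a block), the slow guesser is reported by its daily total, and the single mistyped password from the internal workstation is ignored.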

Once an assessment is made, providers need to isolate the servers that hold patient data. This is done through network segmentation: dividing the network into subnetworks and controlling which ones may communicate with which.

If a cyberattack ensues, segmentation confines an attacker's movement across the network. A security policy that defines multiple segments with strict requirements for crossing between them aids in defense. Additional security boundaries around existing file shares can also restrict unnecessary exposure.

Segmentation is enforced with firewalls. Servers record failed login attempts in their logs, while firewalls record the traffic allowed and denied between segments; both records deserve regular review. Several failed login attempts in quick succession may reveal an attack in progress. Limiting which networks can reach each part of the organization also blocks many hacking attempts outright. For those with approved access, requiring strong, unique passwords (and multi-factor authentication where the system supports it) averts a form of negligence that is easily avoidable.

Since most operating systems and business applications support role-based access control, companies can determine who has access to particular material and areas of the network. Exposure shrinks as administrators evaluate which users actually require access to each segment and remove the rest. Limiting access to the members of your organization who need it is critical to cyberdefense.

The Importance of Data Encryption

If a physical device is lost, the data on it remains protected provided it was encrypted with a strong algorithm and the key is not stored on the device itself (for example, a full-disk encryption key unlocked by a passphrase rather than cached in plain text). Control structures that put such obstacles in front of anyone trying to read the data reduce the risk that a lost device becomes a reportable breach.

The HIPAA Security Rule, 45 CFR 164.304 (as amended by the 2013 Omnibus Rule), defines the term: “Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.” Hard drives, servers, laptops, mobile devices and other electronic media that hold patient data should all be encrypted, and the organization should be able to show that they were.
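The definition above, as an added example that is not part of the original article: a Python module that encrypts a record under a passphrase and refuses to decrypt it when the passphrase is wrong or the container has been altered. It uses only the standard library (PBKDF2 for key stretching, HMAC-SHA256 in counter mode as the keystream, and a separate HMAC tag checked before decryption). The container layout, the `HMEENC1` marker and the sample record are assumptions made for the example; in production, use AES-GCM from a maintained library such as `cryptography` rather than a hand-built construction, and keep the passphrase or key off the device being protected.

```python
import hashlib
import hmac
import os
import struct

# Container layout used by this example (an assumption, not a standard format):
#   MAGIC | salt (16) | nonce (16) | ciphertext | HMAC-SHA256 tag (32)
MAGIC = b"HMEENC1"
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 100_000


def _derive_keys(passphrase, salt):
    """Stretch the passphrase with PBKDF2-HMAC-SHA256 and split the output into
    separate encryption and MAC keys so the two roles never share key material."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 used as a PRF in counter mode: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_blob(passphrase, plaintext):
    """Encrypt-then-MAC: fresh salt and nonce per call, tag over header + ciphertext."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    header = MAGIC + salt + nonce
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def decrypt_blob(passphrase, blob):
    """Verify the tag first (constant-time compare) and only then decrypt, so a wrong
    key or a modified container is rejected instead of yielding garbage."""
    hdr_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < hdr_len + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not an encrypted container")
    header, ciphertext, tag = blob[:hdr_len], blob[hdr_len:-TAG_LEN], blob[-TAG_LEN:]
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered data")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def decrypts_cleanly(passphrase, blob):
    """True only if the tag verifies; shows that a wrong key or a flipped byte is
    detected rather than silently producing wrong plaintext."""
    try:
        decrypt_blob(passphrase, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed record, not real patient data.
    record = b"Patient: Jane Doe; DOB 1970-01-01; CPAP serial CP-0001; Dx G47.33"
    blob = encrypt_blob("correct horse battery staple", record)
    print("plaintext visible in container:", b"Jane Doe" in blob)
    print("decrypts with right key:", decrypt_blob("correct horse battery staple", blob) == record)
    print("decrypts with wrong key:", decrypts_cleanly("password1", blob))
```

The two properties worth noticing are the ones the regulation cares about: without the passphrase the container carries no recoverable meaning (the record's name does not appear in it, and each encryption of the same record produces a different container), and any modification is detected before a single byte is decrypted.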

Email Safeguards

Phishing, the practice of sending fraudulent emails in order to steal personal information, is aimed at patient data on company servers as readily as at individuals. Most people open emails without verifying the sender's address. Messages from unverified senders may carry malicious attachments or links that, once opened, can lead to a widespread breach and the exposure of protected information.

Strategies for fighting phishing include filtering and tagging email: messages from outside the organization are marked as external so users can recognize them, and attachments of risky types are blocked before they reach the inbox.
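The tagging and filtering described above, as an added example that is not part of the original article: a Python function that classifies an incoming message as deliver, tag or quarantine. It prefixes the subject of external mail, spots the common trick of putting an internal address in the display name while the real sender is elsewhere, notes a Reply-To that diverges from the From domain, and quarantines attachments of types the organization refuses from outside. The internal domain `example-hme.com`, the list of risky extensions and the three sample messages are all constructed for the example.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed for this example: the organization's own domain(s) and the attachment
# types its policy refuses from outside. Neither comes from the article.
INTERNAL_DOMAINS = {"example-hme.com"}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}
TAG = "[EXTERNAL] "


def _domain(addr_spec):
    return addr_spec.rpartition("@")[2].lower()


def assess_message(raw):
    """Classify a raw RFC 5322 message: 'deliver', 'tag' (prefix the subject so the
    reader sees it came from outside) or 'quarantine'. Returns the reasons too."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["Subject"] or "")
    senders = msg["From"].addresses if msg["From"] else ()
    if not senders:
        return {"external": True, "action": "quarantine",
                "reasons": ["missing or unparsable From header"], "subject": TAG + subject}

    sender = senders[0]
    domain = _domain(sender.addr_spec)
    external = domain not in INTERNAL_DOMAINS
    reasons, spoofed, risky = [], False, []

    if external:
        reasons.append(f"sender domain {domain} is external")
        # Display-name spoofing: the visible name pretends to be an internal mailbox
        # while the actual address is somewhere else entirely.
        name = sender.display_name.lower()
        if "@" in name or any(d in name for d in INTERNAL_DOMAINS):
            spoofed = True
            reasons.append("display name impersonates an internal address")

    reply_to = msg["Reply-To"].addresses if msg["Reply-To"] else ()
    if reply_to and _domain(reply_to[0].addr_spec) != domain:
        reasons.append("Reply-To goes to a different domain than From")

    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if os.path.splitext(filename)[1].lower() in RISKY_EXTENSIONS:
            risky.append(filename)
    if risky:
        reasons.append("risky attachment(s): " + ", ".join(risky))

    if external and not subject.startswith(TAG):
        subject = TAG + subject
    action = "quarantine" if (risky or spoofed) else ("tag" if external else "deliver")
    return {"external": external, "action": action, "reasons": reasons, "subject": subject}


def build_message(sender, subject, body, attachment=None, reply_to=None):
    """Build a constructed sample message as raw bytes (test fixtures, not real mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "staff@example-hme.com", subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()


SAMPLES = {
    "internal": build_message("Jane Doe <jane.doe@example-hme.com>",
                              "Delivery schedule", "Updated route for Tuesday."),
    "spoofed": build_message('"billing@example-hme.com" <attacker@mail-example.net>',
                             "Urgent: overdue invoice", "Open the attached invoice today.",
                             attachment=("invoice.docm", b"PK\x03\x04 constructed bytes")),
    "vendor": build_message("Acme Supplies <orders@acme-supplies.example>",
                            "March statement", "Your statement is attached.",
                            attachment=("statement.pdf", b"%PDF-1.4 constructed bytes")),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, assess_message(raw))
```

A mail gateway would apply the returned subject with `replace_header` and route quarantined messages to a review queue; the value of the `reasons` list is that a help-desk analyst can see at a glance why a message was held, which is what makes the tagging credible to users rather than noise they learn to ignore.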

Safety in Software Patches

Another way to prevent cyberattacks is to keep all systems patched. Keep up to date with software updates and security advisories. Most updates are easy to apply and require minimal computer expertise; the discipline lies in applying them promptly and on every system, including the ones that are easy to overlook.

Be Vigilant About Backups

Finally, a backup solution ensures data can be recovered after loss, hardware failure or database corruption. Many companies follow a three-copy approach: the live data, a copy on local or removable media, and a copy kept off site. Backups hold the same patient data as the production systems, so they must be encrypted as well, and a restore should be tested periodically to confirm the copies are actually usable.

Since health care organizations store valuable personal information, proactive measures against potential threats will remain a dominant concern for HME providers. Every company faces challenges when it builds a plan to protect patient data. Those challenges can be met with time and concentrated effort.