Healthcare Data Security Best Practices for Facilities

Image of professional woman smiling
Written by Kerry Larkey, MSN, RN Content Writer, IntelyCare
Group of professionals meeting in a medical office

Healthcare data security breaches are on the rise in the healthcare industry worldwide. According to one cybersecurity study, 66% of healthcare organizations reported experiencing a ransomware attack, nearly doubling the number of attacks in prior years. Of these organizations, 61% reported feeling obligated to pay the attackers.

Healthcare facilities are looking for ways to ensure that their data stays safe and secure. We’ll discuss the importance of data security in healthcare and share the real costs that these breaches pose to organizations. We’ll also review five best practices to secure patient data so you can promote processes that help safeguard patient information at your facility.

Cybersecurity in Healthcare

Data theft is on the rise in healthcare. Patient information is particularly valuable because it includes not only highly sensitive medical data but also identifiers (e.g., name, address, Social Security number) and billing information. Research shows that on the dark web, stolen healthcare data sells for 10 times more than credit card numbers alone.

The consequences of a cyberattack can be devastating for the individual whose information is compromised. For organizations, the financial implications and loss of public trust are severe. The cost to repair a data breach in healthcare is almost three times higher than in other industries. And yet, only 4-7% of a healthcare system’s information technology (IT) budget is devoted to cybersecurity.

Healthcare Data Security Standards and Best Practices

With growing cybersecurity concerns, organizations are looking for ways to incorporate best practices into their systems and workflows. Here are five ways to prevent attacks and help maintain healthcare data security at your facility.

1. Practice Safe Computer Etiquette

Some very effective security practices don’t cost your facility much money at all. In fact, many are completely free, they just take time and effort to establish as habits within your team. For example, workstations should be locked at all times when unattended — even if the person intends to just step away for a moment.

Here’s one way that this inadvertent security risk might play out. A patient’s bed alarm has been activated and needs to be silenced so a nurse might step away from charting without logging off, thinking the task will only take a moment. Unexpectedly, the patient needs help getting to the restroom and before long, the unattended computer has been left open for 20 minutes, creating a security risk with patient information exposed.

Developing a culture of security on your team can help mitigate risks through teamwork. The more staff watch out for each other and look for areas of concern, the more likely they are to identify issues and proactively address them. With a strong culture of security, another team member would notice an unattended workstation and take steps to log the user off or lock the computer.

Other easy computer habits include:

  • Using computer privacy screens
  • Performing regular software maintenance and updates
  • Reinforcing the importance of never downloading unapproved software

2. Use Anti-Virus Software and a Firewall

These systems work together to protect your facility from external internet threats. Anti-virus software destroys and prevents the spread of malware while a firewall prevents it from gaining access to your computer systems. A virus can allow outside users to steal or destroy data and take control of your computer — jeopardizing health information safety and security.

The majority of EHRs connect to the internet, a fact that makes them more vulnerable to attacks from outside the facility. Additional security risks come from the use of local area networks (LANs), internet browsing, and email systems.

Installing a firewall and anti-virus software can be complicated and will likely be configured and maintained by your IT department. But all staff need to be aware of the dangers of malware and know how to recognize a computer that might have become infected with a virus. For example, an infected computer might crash for no reason or show the “blue screen of death.” Your team needs to know the process for reporting suspicious computers to IT. Policies must also be in place to define and support safe computer use.

3. Consider Partnering With HITRUST Common Security Framework (CSF)

HITRUST CSF is a framework, created by security experts specifically for the healthcare industry, that provides an approach to data regulatory/standards compliance and risk management. The program builds on privacy requirements established by law through the Health Insurance Portability and Accountability Act (HIPAA) to support healthcare data security.

By using HITRUST CSF as a guide, your facility can build an information security management program based on industry-accepted and regulatory standards of security and privacy controls. HITRUST control strategies are comprehensive, including, among others:

  • Access control
  • Risk management
  • Compliance
  • Asset management
  • Human resources security

Although the cost is prohibitive for some, organizations can earn certification from an independent HITRUST-certified assessor. Self-assessments are available for facilities looking for lower-cost options, without certification.

4. Control Access to Protected Health Information (PHI)

The highly sensitive nature of healthcare information requires strict compliance with patient data security measures. Establishing and adhering to an access control system is one strategy for protecting PHI. Access to information in the EHR should be limited to a “need-to-know” basis, based on each employee’s roles and responsibilities. Assignments are typically based on job categories as defined by the facility’s data governance structure.

Your facility also must set up a system for auditing employee access to information, with frequent reviews of the results. In addition to the IT department, your data governance committees will be involved with oversight and making updates to role-based access control recommendations.

The guidelines outlined by HIPAA provide additional legal protections for PHI. Violations of HIPAA are often severe and costly. Staff education on HIPAA and the importance of data privacy in healthcaremust be routine and ongoing.

Access must be terminated immediately for all employees who leave employment. All badges, IDs, and tracking/access devices are to be collected on the employee’s last day.

5. Control Physical Access

The most common way that electronic health information is compromised is through lost devices. Many organizations now issue certain staff members laptops and mobile devices in addition to all of the electronic devices, network servers, and computers that stay on site. All of these can be lost or stolen, and the information they contain can be compromised.

Consider using cable locks for computers and restricting access to the most important devices, such as network servers. Sometimes, solutions are as inexpensive and simple as installing locks on doors or moving equipment to lower-traffic areas. Devices should be inventoried regularly to help identify lost or missing equipment.

Looking for More Ways to Keep Patient Data Secure?

Now that we’ve taken a close look at healthcare data security and reviewed five best practices, you might be interested in learning more. We’re here to help — the IntelyCare newsletter is full of free healthcare facility tips, news, and strategies, shared right to your inbox.