Healthcare data breaches are a growing concern which threatens the privacy and security of sensitive patient information.
The healthcare sector increasingly relies on digital technologies and interconnected computer systems, so the risk of unauthorized access and cyberattacks expands. This forces changes and improvements in the way data is secured.
In this article, we have summarized the good practices to prevent data breaches in health and human services to guarantee civil rights.
Understanding the threat landscape
A US study reveals that in the medical field data breach incidents were more common than in the other sectors in the period from 2005 to 2019.
A healthcare data breach can be described as “illegitimate access or disclosure of the protected health information that compromises the privacy and security of it”. By cause, it can be either a third-party data breach or an inside job.
In the period from 2005 to 2009, the most common type of incident involved portable devices, such as loss or theft. This was caused either by an unauthorized party or by a healthcare worker. From 2010 to 2014, most breaches were physical, such as the theft or loss of paper documents. In the period from 2015 to 2019, the highest number of data breaches took the form of unintentional disclosure. This highlights the importance of employee training.
Other types of data breaches are hacking or malicious attacks, intentional insider attacks and stationary computer loss. Intentional insider and unknown attacks are the least common. In recent years hacking and IT incidents are increasing. This shows the importance of sensitive health information security.
Sensitive data that can be potentially compromised is the data involved in the patient records which can be personal information, medical data, health insurance information, etc. This also includes medical history, medical billing, and medical record numbers.
Other possibilities for compromised data include medical details, health plan member numbers, and patient account numbers. Protected information also includes dates of birth, prescription data, and clinical test information. Even details that seem unimportant at first glance, such as phone numbers and driver’s license numbers, are considered sensitive data.
Stolen data from this list may lead to identity theft, abuse of drug prescription information, and others. [1]
Implementing robust authentication protocols
Authentication protocols in cloud-based systems are essential for ensuring secure access to sensitive data and resources. This is why they have to be strong enough to safeguard sensitive information.
Patients may not like cloud-based healthcare systems. This is mainly due to the fear of information breaches. Internet-based tools, however, enable non-stop accessibility and storage of massive amounts of information. Healthcare providers need comprehensive authentication frameworks if they use such technology.
A biometric-based key validation has been a trend for a while. It is successfully implemented for the security of personal gadgets. Unfortunately, it is not applicable in healthcare. It had disastrous results when tested and caused potential threats to patient freedom and data consistency issues. [2]
There are a lot of different schemes and protocols in the literature. In this article, we present one of them. The protocol focuses on mutual authentication and key establishment for Medical Wireless Sensor Networks (MWSNs). It ensures secure data transmission between medical sensors, gateway nodes, and users.
The technology uses elliptic curve cryptography for lightweight encryption. The protocol goes through phases like system setup, user and device registration, authentication, and secure session key generation. Formal verification using Burrows–Abadi–Needham (BAN) logic confirms its robustness against various security attacks like impersonation, replay, and session key guessing. [3]
The COVID-19 pandemic forced healthcare applications and services to work in the Internet of Things. This led to the need for serious security measures. The PDAC-CoV protocol was developed to form a secure connection between the patients and the healthcare provider in the conditions of a quarantine.
The PDAC-CoV protocol is structured into five phases: Setup, Registration, Login, Verification, and Access Control. In the first phase, the medical server generates system parameters and selects a private key. In the registration phase, the user should obtain a personalized smart card and request a registration in the system.
Then in the login phase, the user can access health data through their smart card. The smart card computes several values, checks the validity of the input, and sends a message to the medical server (MS), including a timestamp. After that, in the verification phase, the system verifies the message’s timestamp and checks the authenticity of the user. Then it sends a new timestamp to the user for verification.
Only after successful authentication can the user access patient health data. The medical information arrives encrypted and is decrypted after that. The protocol is designed to provide user anonymity. It also resists server impersonation and user impersonation attacks. [4]
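The login and verification phases described above can be illustrated with a simplified exchange. This is an added example, not code from the article or from the cited paper: it replaces the PDAC-CoV computations with an HMAC over a key issued at registration, and the class names, the pseudonym field and the 60-second freshness window are assumptions.

```python
import hashlib
import hmac
import secrets

MAX_SKEW = 60  # seconds a message stays fresh (assumed value)

def tag(key: bytes, *parts) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        data = str(p).encode()
        mac.update(len(data).to_bytes(4, "big") + data)
    return mac.digest()

class MedicalServer:
    def __init__(self):
        self.keys = {}     # pseudonym -> key shared with the smart card
        self.seen = set()  # accepted (pseudonym, ts, nonce); purge entries older than MAX_SKEW

    def register(self, pseudonym: str) -> bytes:
        key = secrets.token_bytes(32)
        self.keys[pseudonym] = key
        return key  # written to the user's smart card

    def verify_login(self, msg: dict, now: int):
        """Return (reason, reply); reply is None unless reason is 'ok'."""
        key = self.keys.get(msg["id"])
        if key is None:
            return "unknown user", None
        if abs(now - msg["ts"]) > MAX_SKEW:
            return "stale timestamp", None
        expected = tag(key, "login", msg["id"], msg["ts"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad mac", None
        replay_id = (msg["id"], msg["ts"], msg["nonce"])
        if replay_id in self.seen:
            return "replay", None
        self.seen.add(replay_id)
        # The server proves itself by binding a new timestamp to the card's nonce.
        reply = {"ts": now, "mac": tag(key, "reply", msg["id"], now, msg["nonce"])}
        return "ok", reply

class SmartCard:
    def __init__(self, pseudonym: str, key: bytes):
        self.pseudonym, self.key = pseudonym, key

    def login(self, now: int) -> dict:
        nonce = secrets.token_hex(16)
        return {"id": self.pseudonym, "ts": now, "nonce": nonce,
                "mac": tag(self.key, "login", self.pseudonym, now, nonce)}

    def verify_reply(self, sent: dict, reply: dict, now: int) -> bool:
        """Accept the server only if its reply is fresh and tied to our nonce."""
        if abs(now - reply["ts"]) > MAX_SKEW:
            return False
        expected = tag(self.key, "reply", self.pseudonym, reply["ts"], sent["nonce"])
        return hmac.compare_digest(expected, reply["mac"])
```

The server rejects a captured login message that is replayed inside the freshness window, and the card rejects a reply that was not computed with its registration key, which is the mutual check the verification phase relies on.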
Ensuring data encryption at rest and in transit
The access to sensitive health data must be managed through cryptographic techniques. Methods for encryption can be divided into two groups – symmetric and asymmetric encryption.
Symmetric encryption is the method of using the same cryptographic key to encrypt and decrypt data. This method shows faster performance and fewer resources required but is outdated and less secure.
Asymmetric encryption is a technique that uses one public key and one private key. The public key encrypts data, and the private key decrypts it. This is the more reliable method.
Here are some examples for cryptographic techniques that can be implemented in healthcare data transmission and storage:
- The Advanced Encryption Standard (AES) is a symmetric encryption algorithm. It uses data blocks of 128 bits at a time and uses keys of 128, 192, and 256 bits to encrypt these data blocks. This method is used for Wi-Fi security, file encryption, and secure sockets layer/transport layer security (SSL/TLS).
- Rivest-Shamir-Adleman (RSA) is an asymmetric encryption method. This technique is based on the factorization of the product of two large prime numbers. Only a party that knows the two numbers can decrypt the data. RSA is often used as a reliable method to secure data transmission.
- Elliptic Curve Cryptography (or ECC) is a cryptographic technique using mathematical formulas to produce efficient cryptographic keys. ECC is an asymmetrical cryptographic technique. This tool allows secure sharing of information. ECC is used in HTTPS websites and emails to secure communications. [5]
The use of data encryption has its benefits in the healthcare industry. It is used mainly for protecting patient information. Data encryption is part of regulations and standards such as the Health Insurance Portability and Accountability Act (HIPAA). The method prevents data breaches that can have a disastrous impact on the healthcare facility. Data encryption also enables secure data sharing and preserves data integrity. [6]
Effective monitoring and auditing procedures
The US Department of Health and Human Services (HHS) defines auditing and monitoring as “an ongoing evaluation process (that) is critical to a successful compliance program”. The proposed Compliance Program Guidance for Hospitals includes several steps such as regular reporting to senior officials, regular, periodic audits by qualified people, and compliance with specific rules and policies.
Monitoring is the responsibility of managers. They should identify risks and develop internal controls in their facility. The audit, on the other hand, must be executed only by objective professionals. The aim of the audit is to determine whether the monitoring is adequate and effective. Effectiveness is validated by a reduction in errors and risks.
Some superiors execute internal audits, which do not replace the external ones. The internal audit aims to carry out compliance-related reviews and evaluate selected high-risk areas. In that case, they need to decide which areas have the highest priority and whether a corrective action will be effective and sustainable. [7]
Developing comprehensive security policies
Effective policy management involves developing, implementing, monitoring, and enforcing cybersecurity policies.
This process requires collaboration and communication among stakeholders and operates at three levels:
- Organizational level – focuses on creating and enforcing policies for internal cybersecurity processes; these are access control and incident response;
- Ecosystem level – coordinates cybersecurity policies between interconnected organizations to manage shared risks through collaborative policy development; these are supply chain and third-party risks;
- Global level – involves cross-sector coordination of cybersecurity policies between interdependent organizations; includes information sharing and collaboration between industry and government to address large-scale risks.
A few policies apply to remote patient data monitoring services. The use of encryption for all data transmissions is mandatory. Implementing password strength and complexity checks is recommended. Mobile applications must authenticate the remote patient monitoring platform before uploading data. Last but not least, there should be continuous monitoring for data integrity.
Other rules apply regarding workstations in hospital networks. Recommended policies include email filtering and scanning as well as regular security training of the employees. Moreover, continuous monitoring, updates and evaluation of healthcare data breaches reported should not be underestimated. They are proven to be reliable ways to reduce data breaches.
Cybersecurity is a critical challenge for the healthcare sector because it impacts the security, privacy, and quality of healthcare services. The main source of operational risk is human error, although technological risks are usually associated with software. This is the reason why cybersecurity is as important as employee training and implementation of the industry’s best practices. [8]
Staff training and awareness programs
Staff training includes modules about information privacy and IT security. They provide important insights into security measures and the legal obligations around them. The regulatory compliance module focuses on HIPAA and the General Data Protection Regulation (GDPR), which protect personal health information.
Cybersecurity awareness involves explaining common cyberattack techniques and the importance of using strong, unique passwords. Training should also cover practices for using devices like computers and smartphones securely. Another important topic is reporting data breaches and the immediate actions to take after incidents.
IT security and privacy training should be a core component of ongoing education for healthcare staff. Regular assessment of these training programs ensures familiarity with available resources and an understanding of IT security risks. A lack of awareness about organizational IT policies and compliance requirements can increase the likelihood of breaches.
Additionally, greater attention should be given to part-time staff. They may not fully grasp or follow IT security protocols, further raising the risk of security incidents. [9]
Leveraging advanced access control mechanisms
Access control mechanisms are techniques and processes used to control and manage access to resources within a system. There are different types of access control mechanisms. Role-based access control (RBAC) is a mechanism that ensures that users only have access to the resources necessary for their job functions. For example, nurses have limited access compared to the doctors’ access.
Discretionary access control (DAC) allows managers to determine different access permissions to different users. Mandatory access control (MAC) mechanism gives permissions on predefined rules and labels. This is used when working with crucial confidential information.
Implementation of access control mechanisms depends on authentication and authorization. Multi-factor authentication is needed for the control to be effective. Choosing the appropriate access control model is extremely important. This is how developers can reduce the risks of violation of the system’s integrity. [10]
Conducting regular security risk assessments
HIPAA is the legal guide for working with patient information. It covers every aspect of risk assessment associated with healthcare.
The goal of a HIPAA security risk assessment is to ensure compliance with the HIPAA Security Rule. It safeguards the electronic protected health information (ePHI). Risk assessment ensures the confidentiality, integrity, and availability of ePHI. It protects against threats, hazards, or unauthorized access.
A HIPAA breach risk assessment covers the unauthorized acquisition of PHI, including PHI in electronic health records. It helps determine whether a breach requires notification. Although organizations can skip the assessment and report every breach, this may lead to business disruption.
HIPAA privacy risk assessment requires appointing a Privacy Officer to review organizational workflows. This person must map the flow of PHI and conduct a gap analysis to identify potential breach points. After that follows the development and implementation of a privacy compliance program. [11]
Mitigating insider threats
Minimizing insider threats has become more and more important. This means that the healthcare industry should find ways to reduce these incidents.
First, zero-trust principles must be implemented. All login rights must be specified according to the role of the user. Every employee and operation must be verified.
Additionally, RBAC is suitable in the context of the health industry. It gives flexibility for both the user and the manager. It also reduces the risk of careless user behavior. Enforcement of a strong access policy is crucial. Strong policies include implementing multi-factor authentication. This is the gold standard for access requests and identity verification.
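The role-based, verify-every-request approach described in this section and in the access control section above can be sketched as follows. This is an added example, not code from the article or its sources: the roles, resources, user names and the 15-minute MFA window are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed policy: role -> {resource: allowed actions}. Anything absent is denied.
POLICY = {
    "doctor": {"medical_history": {"read", "write"},
               "prescriptions": {"read", "write"}},
    "nurse": {"medical_history": {"read"},
              "prescriptions": {"read"}},
    "billing_clerk": {"billing": {"read", "write"}},
}
MFA_MAX_AGE = 900  # seconds before a second factor must be presented again (assumed)

@dataclass(frozen=True)
class Session:
    user: str
    role: str
    mfa_verified_at: Optional[float]  # None means password-only login

def authorize(session: Session, resource: str, action: str,
              now: float, audit: list) -> bool:
    """Check one request. Every call is evaluated and logged; nothing is
    trusted because an earlier request from the same session succeeded."""
    allowed = POLICY.get(session.role, {}).get(resource, set())
    if session.mfa_verified_at is None or now - session.mfa_verified_at > MFA_MAX_AGE:
        decision = "deny:mfa_required"
    elif action not in allowed:
        decision = "deny:role"
    else:
        decision = "allow"
    audit.append((now, session.user, session.role, resource, action, decision))
    return decision == "allow"

def denials_by_user(audit: list) -> dict:
    """Count denied requests per user, a simple signal for insider-threat review."""
    return dict(Counter(entry[1] for entry in audit if entry[5] != "allow"))
```

Because unknown roles and unlisted resources resolve to an empty permission set, a new resource is inaccessible until someone grants it explicitly, and the audit list gives reviewers a record of every denied attempt.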
Insider threats may decrease with employee education. Regular cybersecurity training and awareness programs make workers more cautious about sharing information. This makes them less likely to fall victim to social engineering. [12]
Streamlining incident response procedures
Key incident response best practices must be implemented to help organizations minimize downtime and manage incidents more efficiently. Managers should maintain a centralized document with critical information like incident response plans, escalation policies, and others.
Work teams should have access to clear, well-maintained runbooks. The runbooks provide step-by-step instructions for various incident scenarios. Alert management can be streamlined through automation tools. This reduces human error and delays.
Monitoring systems work to help prevent diagnosis delays. They provide technical details to speed up solutions. Transparent communication is crucial for incident resolutions. Learning from failure is also important. Focus on learning and improving rather than blaming during post-incident reviews. [13]
Compliance with regulatory standards
Maintenance of healthcare regulatory compliance is hard work. It involves meeting the requirements of federal, state, local, and industry regulations. It is essential for demonstrating good faith.
Healthcare organizations must comply with a variety of regulations. One of them is HIPAA, which establishes rules for the protection of PHI. The Medicare and Medicaid Conditions of Participation set regulations on care standards.
The OIG exclusions list prohibits engaging individuals or organizations found guilty of fraud or misconduct. EMTALA ensures emergency medical treatment for all individuals and prevents patient dumping. FDA regulations oversee the safety of drugs and medical devices.
The healthcare system faces numerous compliance challenges. It should receive constant updates on the regulations and provide additional training for its workers. To manage this complexity, healthcare organizations can leverage customizable compliance software. Such tools identify risks, develop action plans, etc. In doing so, they enable effective healthcare regulatory compliance while safeguarding patient information. [14]
In conclusion, healthcare data breach prevention requires a comprehensive approach. First of all, it is important to be aware of the current threat environment. Second, strong authentication mechanisms and data encryption are critical for securing sensitive data. Third, security monitoring, policies, and user awareness training are necessary to strengthen the security posture.
Moreover, specialized rapid-action strategies are put in place in the event of a breach to control potential damage. The measures mentioned above aim at significantly reducing the risk of data breaches and maintaining patient trust.
Sources
[1] Seh AH, Zarour M, Alenezi M, Sarkar AK, Agrawal A, Kumar R, Khan RA. Healthcare Data Breaches: Insights and Implications. Healthcare (Basel). 2020 May 13;8(2):133. doi: 10.3390/healthcare8020133. PMID: 32414183; PMCID: PMC7349636.
[2] Abbasi IA, Jan SU, Alqahtani AS, Khan AS, Algarni F. A lightweight and robust authentication scheme for the healthcare system using public cloud server. PLoS One. 2024 Jan 30;19(1):e0294429. doi: 10.1371/journal.pone.0294429. PMID: 38289970; PMCID: PMC10826970.
[3] Venkatasamy Sureshkumar, Ruhul Amin, V.R. Vijaykumar, S. Raja Sekar, Robust secure communication protocol for smart healthcare system with FPGA implementation, Future Generation Computer Systems, Volume 100, 2019, Pages 938-951, ISSN 0167-739X, https://doi.org/10.1016/j.future.2019.05.058. (https://www.sciencedirect.com/science/article/pii/S0167739X18332448)
[4] Gupta DS, Mazumdar N, Nag A, Singh JP. Secure data authentication and access control protocol for industrial healthcare system. J Ambient Intell Humaniz Comput. 2023;14(5):4853-4864. doi: 10.1007/s12652-022-04370-2. Epub 2023 Jan 13. PMID: 36684481; PMCID: PMC9838518.
[5] https://www.getapp.com/resources/common-encryption-methods/
[6] https://research.aimultiple.com/data-encryption-in-healthcare/
[7] https://www.compliance.com/resources/auditing-and-monitoring-how-to-get-it-done/
[8] Luidold C, Jungbauer C. Cybersecurity policy framework requirements for the establishment of highly interoperable and interconnected health data spaces. Front Med (Lausanne). 2024 May 9;11:1379852. doi: 10.3389/fmed.2024.1379852. PMID: 38784226; PMCID: PMC11111971.
[9] Arain MA, Tarraf R, Ahmad A. Assessing staff awareness and effectiveness of educational training on IT security and privacy in a large healthcare organization. J Multidiscip Healthc. 2019 Jan 9;12:73-81. doi: 10.2147/JMDH.S183275. PMID: 30666123; PMCID: PMC6331063.
[10] https://www.forestadmin.com/blog/access-control-mechanisms/
[11] https://www.hipaajournal.com/hipaa-risk-assessment/
[13] https://www.atlassian.com/incident-management/incident-response/best-practices#one-more-thing
[14] https://www.hipaajournal.com/healthcare-regulatory-compliance/