Healthcare information security

IS Best Practices for Healthcare

September 27, 2016 by Aroosa Ashraf

Healthcare professionals do not usually link data security with patient safety. Yet from the moment a patient enters a hospital, the healthcare organization is responsible for securing that patient's health information. Improper handling of sensitive patient data such as date of birth, payment card details, home address, and private medical records puts patients, healthcare organizations, and health professionals at risk.

In recent years the healthcare sector has experienced more data breaches than other industries. This rise makes it necessary for healthcare professionals to take their patients' security and privacy seriously: a single lapse by a single employee can lead to a data breach that puts both the hospital and the patient at risk.

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

Under these conditions it is essential for healthcare organizations to follow certain best practices proactively to improve healthcare data security. These include security tools and technologies such as encryption, robust policies, a documented understanding of how data flows through the organization, and security awareness programs so that health professionals understand the risks of carrying and transferring patient data. Privacy and security of patient data must be a primary goal for all health workers and administrators: protecting a patient's health information deserves the same seriousness as protecting the patient's physical health.

Certain Best Practices in Healthcare Organizations to Protect PHI

Because the risk of data breaches in the healthcare sector is increasing, healthcare organizations should take the following key steps to improve the overall security and privacy of PHI:

Network Protection

Cyber-attackers have many ways of breaching a healthcare organization's network, so healthcare IT departments need to use current technologies and tools to minimize security threats. Most hospitals, however, invest heavily in perimeter and endpoint controls (such as firewalls and antivirus software) but pay limited attention to technologies that limit the damage once an attacker is inside, such as network segmentation that keeps clinical systems, medical devices, guest Wi-Fi, and administrative networks apart. It is also wise to seek advice from specialist network security companies. One example is root9B Technologies, a cyber-security provider that also offers solutions for regulatory risk mitigation; it has provided long-term strategic planning and immediate tactical problem-solving to clients ranging from Fortune 100 groups to mid-sized and individually managed companies across industries.

Educating Health Workers

Employees are frequently involved in healthcare data breaches, and a lack of security knowledge is often behind that negligence. Employee education should therefore be a focus area for every healthcare organization. A security awareness program should cover social engineering, what constitutes a HIPAA violation, how to recognize phishing, and other essentials such as choosing strong passwords. At the same time, the organization should deploy technology that detects mistakes and privacy or security breaches: education (keeping staff current on security policies) must be supplemented with technical controls such as blocking USB storage, personal e-mail, and personal Dropbox accounts at the workplace. Security awareness is a continuing process that must be repeated regularly, and every employee should complete it before starting duty. Engaging a managed network security provider such as Secure IQ is another option. Secure IQ has more than 10 years of experience monitoring and intercepting security threats in some of the world's leading carrier networks; its scalable software and hardware design works in global and local networks, and a dedicated team designs its network security software to eliminate threats while providing security and stability.

Encryption of Portable Devices

Encrypting all electronic devices that hold patient information, such as USB drives, smartphones, tablets, and laptops, is essential, because these portable devices are likely breach points. A strict, non-negotiable policy against carrying patient data on an unencrypted personal device is also necessary, alongside the basics of antivirus software, strong passwords, and firewalls. Full-disk encryption protects data only while the device is powered off or locked and the key is not cached, so it must be paired with a strong passphrase, an automatic screen lock, and escrow of recovery keys. Under HHS guidance, PHI encrypted in line with NIST recommendations is considered "secured", so the loss of a properly encrypted device is generally not a reportable breach, whereas the loss of an unencrypted one is. As an example of a technical control, GFI EndPointSecurity (a GFI Software product) can enforce encryption of data copied to removable devices, so that a password is required before that information can be accessed.

Securing wireless Networks

Wireless networks are convenient but are often the weak point in data security: an attacker in the parking lot can capture sensitive patient information from a poorly protected network, and the risk grows when the organization relies on outdated technology to protect it. Keeping these networks on current security technology is urgent. In practice that means retiring WEP and WPA/TKIP in favour of WPA2 with AES, using 802.1X (WPA2-Enterprise) with per-user credentials rather than a shared pre-shared key for staff devices, and placing guest Wi-Fi on a separate network with no route to clinical systems. A notable vendor in this space is AirWatch (part of VMware since 2014), a mobile device and enterprise mobility management provider whose products secure the devices that use those networks; it reports over 16,000 customers across 150 countries, 1,800 employees in nine offices, and more than 600 R&D resources.

Having Ample Physical Security

Although electronic health records are becoming more common, healthcare organizations still keep much sensitive patient information on paper. Providers should therefore lock file cabinets and doors and use other physical controls such as cameras. IT equipment should also be physically secured: server rooms locked, and desktops and laptops fastened to office furniture with cable locks. Delegating guarding duties to a trusted agency such as Allied Universal, whose security officers are trained for healthcare settings, is a sensible option; the company states that its officers adapt to the culture and values of healthcare facilities and combine customer service with proactive, experienced security skills.

Having a Policy for Mobile Devices

The growing use of personal devices at work in the healthcare sector calls for a formal policy governing how health workers may use them. The policy should define what data may be stored on a personal device and which apps may be installed. Mobile device management (MDM) software can enforce such policies, for example requiring a passcode and device encryption and separating work data into a managed container so that only the work data, not the employee's personal content, is erased when needed. Equipping devices with a remote-wipe capability that erases data if the device is lost or stolen is also advisable, with the caveat that a remote wipe only takes effect once the device is back online, so encryption remains the primary protection.

Deleting Unwanted Data

The more patient information a healthcare organization stores, the more there is for attackers to steal. Organizations therefore need a retention policy that authorizes deletion of patient records and other data once they are no longer needed, and a regular data storage audit to identify what can be deleted. Two caveats: retention periods must respect legal minimums (HIPAA requires covered entities to retain required documentation for six years, and state laws set their own minimum retention periods for medical records), and records under legal hold must not be deleted. Deletion itself should use media sanitization that actually destroys the data (NIST SP 800-88 describes the methods) rather than simply removing file entries.
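As an added example (not code from the article or from any vendor it names), the following Python script performs the kind of storage audit described above over a constructed set of record metadata. The record categories, retention periods and sample records are hypothetical placeholders, not legal advice; the script fails closed on data it cannot classify and never selects records under legal hold.

```python
"""Retention audit over constructed record metadata (illustrative only)."""
from dataclasses import dataclass
from datetime import date

# Hypothetical retention policy in years. Real values must come from counsel;
# the HIPAA documentation entry reflects the six-year minimum in 45 CFR 164.316(b)(2).
RETENTION_YEARS = {
    "medical_record": 10,
    "billing": 7,
    "hipaa_documentation": 6,
    "marketing_list": 2,
}

AUDIT_DATE = date(2016, 9, 27)  # "today" for the sample run


@dataclass
class Record:
    record_id: str
    category: str
    last_activity: date
    legal_hold: bool = False


def add_years(d, years):
    """Add whole years to a date, clamping 29 Feb to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def audit(records, today, policy=RETENTION_YEARS):
    """Return (to_delete, on_hold, unknown) lists of record ids.

    to_delete: past retention and safe to sanitize
    on_hold:   past retention but under legal hold, must be kept
    unknown:   category not in policy; never deleted automatically
    """
    to_delete, on_hold, unknown = [], [], []
    for rec in records:
        if rec.category not in policy:
            unknown.append(rec.record_id)  # fail closed on unclassified data
            continue
        if add_years(rec.last_activity, policy[rec.category]) > today:
            continue  # still inside its retention period
        if rec.legal_hold:
            on_hold.append(rec.record_id)
        else:
            to_delete.append(rec.record_id)
    return to_delete, on_hold, unknown


# Constructed sample inventory.
SAMPLE = [
    Record("R1", "medical_record", date(2005, 3, 1)),
    Record("R2", "medical_record", date(2012, 3, 1)),
    Record("R3", "billing", date(2008, 6, 30), legal_hold=True),
    Record("R4", "marketing_list", date(2013, 1, 15)),
    Record("R5", "lab_export", date(2001, 1, 1)),  # category missing from policy
]


def run_sample():
    return audit(SAMPLE, AUDIT_DATE)


if __name__ == "__main__":
    to_delete, on_hold, unknown = run_sample()
    print("delete :", to_delete)
    print("hold   :", on_hold)
    print("review :", unknown)
```

The ids the script lists under "delete" are candidates for sanitization, not a deletion command; the "review" list is the important output in practice, because data nobody has classified is exactly the data that tends to leak.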

Monitoring Security of Third Parties

After employees' mobile devices, cloud computing has become the next major security concern. Smaller healthcare organizations often use cloud-based services to obtain technologies similar to those of larger competitors at lower up-front cost. Placing sensitive information in a third party's hands, however, creates a new kind of breach risk, so healthcare organizations must monitor and assess the security provided by any third party handling patient information. Under HIPAA that relationship must also be covered by a business associate agreement (BAA). ObserveIT is an example of a vendor providing monitoring of third-party access: its user activity monitoring lets organizations hold third-party vendors accountable for lapses and supports related activities such as verifying vendor billing against the time actually spent on company servers.
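As an added example (not code from the article or from ObserveIT), here is a Python audit of vendor access sessions of the kind that supports the accountability described above. It pairs login and logout events from constructed log lines, computes how long each vendor spent on each host, and flags access to hosts a vendor is not contracted for, logins outside the agreed maintenance window, sessions that exceed the agreed maximum, and sessions that were never closed. The log format, vendor names, hosts and policy are all hypothetical.

```python
"""Third-party session audit over constructed access log lines."""
import re
from datetime import datetime

# Constructed log lines (a real source would be VPN, jump-host or session logs).
LOG = """\
2016-09-20T02:14:05Z vendor=acme-imaging user=jsmith action=login host=pacs-01
2016-09-20T03:40:12Z vendor=acme-imaging user=jsmith action=logout host=pacs-01
2016-09-21T14:02:00Z vendor=acme-imaging user=jsmith action=login host=pacs-01
2016-09-21T14:30:00Z vendor=acme-imaging user=jsmith action=logout host=pacs-01
2016-09-21T22:00:00Z vendor=billco user=ops action=login host=ehr-db-01
2016-09-22T01:15:00Z vendor=billco user=ops action=logout host=ehr-db-01
2016-09-22T23:10:00Z vendor=billco user=ops action=login host=billing-01
2016-09-23T11:00:00Z vendor=billco user=ops action=logout host=billing-01
2016-09-23T23:30:00Z vendor=acme-imaging user=rlee action=login host=pacs-02
"""

# Hypothetical per-vendor access terms: permitted hosts, maintenance window
# as (start_hour, end_hour) in UTC (may wrap midnight), and max session length.
POLICY = {
    "acme-imaging": {"hosts": {"pacs-01", "pacs-02"}, "window": (0, 6), "max_minutes": 120},
    "billco": {"hosts": {"billing-01"}, "window": (22, 6), "max_minutes": 240},
}

LINE = re.compile(r"^(\S+) vendor=(\S+) user=(\S+) action=(login|logout) host=(\S+)$")


def parse(text):
    """Yield (timestamp, vendor, user, action, host) for each well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # a production tool would count and report unparsable lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4), m.group(5)


def in_window(hour, window):
    """True if hour falls inside [start, end); handles windows that wrap midnight."""
    start, end = window
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


def audit(text, policy=POLICY):
    """Return a list of (vendor, user, host, timestamp, reason) findings."""
    open_sessions = {}
    findings = []
    for ts, vendor, user, action, host in parse(text):
        key = (vendor, user, host)
        rules = policy.get(vendor)
        if action == "login":
            if key in open_sessions:
                findings.append((*key, ts, "login while previous session still open"))
            open_sessions[key] = ts
            if rules is None:
                findings.append((*key, ts, "vendor not in policy"))
                continue
            if host not in rules["hosts"]:
                findings.append((*key, ts, "host not permitted"))
            if not in_window(ts.hour, rules["window"]):
                findings.append((*key, ts, "outside maintenance window"))
        else:
            start = open_sessions.pop(key, None)
            if start is None:
                findings.append((*key, ts, "logout without login"))
                continue
            minutes = (ts - start).total_seconds() / 60
            if rules and minutes > rules["max_minutes"]:
                findings.append((*key, start, f"session {minutes:.0f} min exceeds {rules['max_minutes']}"))
    # Anything still open at the end of the log is either live or missing its logout.
    for key, start in open_sessions.items():
        findings.append((*key, start, "session never closed"))
    return findings


if __name__ == "__main__":
    for vendor, user, host, ts, reason in audit(LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {vendor}/{user} on {host}: {reason}")
```

Feeding the same parsed sessions into a per-vendor total of minutes is the basis for checking vendor invoices, which is the billing-verification use the section mentions; the findings list is the part that matters for security.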

Securing Electronic Medical Devices

Electronic medical devices such as patient monitors, pacemakers, and similar equipment can be compromised as well, so their software must be kept up to date to reduce exposure to attack. Many such devices cannot be patched promptly, because a change to a regulated device typically needs vendor validation and some run software the vendor no longer supports; in those cases compensating controls are needed, chiefly isolating the devices on their own network segment, restricting which systems may communicate with them, and monitoring that traffic. A developing example is Cisco, which offers compliance and medical device management solutions that support security, regulatory compliance, and device connectivity for medical device data management and integration, with the aim of providing a secured open environment and reducing healthcare costs while increasing productivity through secure access to network resources.

Having a Specific Response Plan to Data Breaches

It is quite likely that at some point a healthcare organization will face a breach of patient data, so a written incident response plan is critical. The plan should name who is responsible, how to contain the incident and preserve evidence, and how to meet the HIPAA Breach Notification Rule, which requires notifying affected individuals without unreasonable delay and no later than 60 days after discovery, notifying HHS, and notifying the media when a breach affects more than 500 residents of a state or jurisdiction.

Conducting Risk Assessments Regularly

No healthcare organization should skip risk assessment: HIPAA requires it. In healthcare settings data flows in and out of the EMR in many ways, creating many vulnerable points, so healthcare professionals need a clear picture of that data flow, including how patient information is used and transferred and where it leaves the organization. A risk assessment identifies the risks along those flows; the right protection for a piece of information depends on how it is used and who needs it. Kroll's cyber-risk assessments are one example, delivering actionable recommendations for improving company security using industry best practices and technologies.

Upgrading Tools for Data Loss Protection

Information leaves an organization in many ways: e-mail, USB drives, person to person, hard copies, and social networking sites. Healthcare organizations must keep their data protection technologies current so that every possible touch point in a data transfer is monitored; outdated tooling is the weakest link in data protection and raises breach risk. Data loss prevention (DLP) tools work by inspecting content in transit or at rest for identifiers that should not leave the organization, such as Social Security numbers, payment card numbers, and medical record numbers, and then blocking, quarantining, or alerting on the transfer.

Learning from Past Data Breaches in Healthcare Organizations

Many healthcare organizations lack experience in data security and gain it only by dealing with complex problems. Studying past data breaches, both in healthcare and in other industries, is a way to gain that experience before being attacked.

Even though new kinds of threats emerge every day, organizations must stay alert to the threat of lost and stolen electronic devices, which account for a large share of healthcare data breaches. Health workers should know the steps to take when a device is lost or stolen, and the response plan should include verifying whether the device held any sensitive patient data and whether it was encrypted.


Various types of data breaches have affected the healthcare industry. They range from medical identity theft by criminal hackers stealing protected health information to health workers viewing patient records without authorization. The motives differ, but the outcomes are similar: both are costly for the healthcare organization, which may also suffer reputational damage, loss of patient trust, and potential HIPAA fines.

Healthcare data breaches are becoming more frequent, with more recent breaches reported in healthcare organizations than in other sectors. Stealing healthcare data used to be hard because of its sheer physical volume; once patient information moved to electronic form, it became easy to copy. Huge amounts of data now fit on a USB drive or in commercial cloud storage that cyber-criminals can breach. Breaches often have unexpected causes, and even organizations that have completed risk assessments and implemented security protocols and tools experience them.

Every healthcare organization therefore needs to be careful about securing patient health information along with other sensitive personal and financial data. That requires a mix of physical security of the premises, smart use of technology, and education of health workers to minimize data breaches.



Aroosa Ashraf

Aroosa Ashraf is a trained and registered pharmacist who graduated from the Government College University of Faisalabad (GCUF) in 2013. She is an experienced researcher and technical writer and has been writing for different platforms for the last four years. She currently writes technical and non-technical articles for national and international clients.