Healthcare information security

Hospital Security

Aroosa Ashraf
September 27, 2016 by
Aroosa Ashraf

Data breaches are major threats to hospital security that come in various forms. They include cases involving criminal hackers wanting to steal the protected health care data, a form of medical identity theft. In other instances, a health worker can view the patient records without authorization.

Although the outcomes and the motives of the above to data breaches are markedly different, they have one thing in common: Both can become highly costly to the providers. These breaches may result in loss of reputation and trust of patients, in addition to compliances expenses and potential fines through HIPAA.

Implementing HIPAA Controls

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

Data breaches in the healthcare system are increasing at an alarming rate and are becoming quite widespread. Therefore, hospitals, clinics, and other health care organizations have to become more careful regarding protection of sensitive information of patients, financial matters or other important data.

Hospital and clinic security can be enhanced through the use of smart technologies, educating the employees, and increasing the physical security of the buildings.

How Do I Implement Confidentiality, Integrity, and Availability in Everyday Tasks

In recent years, governments, researchers, and healthcare professionals are taking a key interest in patient safety around the world. Several studies have been carried out in the last decade to assess the patient safety situation in hospitals and to monitor the effectiveness of the different methods adopted to enhance patient safety. Confidentiality, integrity, and availability (CIA) are the three basic concepts of security concerning computer systems.


Loss of confidentiality takes place when unauthorized access to information is made (read or copied) by individuals not authorized to access that information. Confidentiality is a vital attribute for information such as medical, research, or insurance data, the specification of new products, or strategies of corporate investment. Confidentiality of information can be compromised when it is shared or present on an insecure network. Confidentiality can be achieved by using access control and authentication techniques.


Integrity is important, especially regarding the critical safety of financial information used for actions, including financial accounting, air traffic control systems, and electronic funds transfers. Loss of integrity can result in information being inaccessible or erased, thus being unavailable to the people authorized to get it when needed. Loss of integrity results from unexpected modification of information. Loss of integrity takes place when unauthorized alterations of information are made, either through intentional tampering or human error.


Availability can be regarded as the most vital attribute in business related to information-dependent service (such as airline schedules or online inventory systems). For those types of business, network availability itself becomes the most important aspect as the business depends highly on network connections. A service denial is experienced by the users when they try to gain access to the specific network or services granted on a particular network.

Improving Security

To protect the vulnerabilities mentioned above (i.e., "CIA"), you need to improve the security of the system. Improved security comes with a flexible defense mechanism that allows adaptation and changing strategy with the changing environment. It should also have defined procedures and policies, constant vigilance, and the use of robust tools. Determining of the current status of security always helps in making the desired improvements to the security program. Some of the useful methods and processes of building a security system are as follows:

  • Cryptography: Cryptography can secure the CIA of data resources as it prevents the intruder from using the captured data. Even after getting the data, the intruder will not be able to read or comprehend the information.
  • Encryption and Decryption:  Encryption is a way of translating the data into an incomprehensible encoded form (known as ciphertext) from its native form (known as plaintext). The reverse process, decryption, converts the ciphertext into plaintext. All types of data can be encrypted if necessary, including digitized sounds and images. Thus, through cryptography information gets secured as it protects the confidentiality of the data. It may be used to protect the authenticity and integrity of information.

Checksums: These are used for the verification of the integrity of the data. It prevents undetected modification of data and thus can be used to determine whether the information is correct. Similarly, the authenticity of information may also be protected. The checksum also ensures non-denial as the person who once placed a cryptographic digital signature on any of the electronic document cannot deny it in the future, since only they could have produced the right signature.

  • DES: the Data Encryption Standard is regarded worldwide as the standard of encryption for over a decade. DES utilizes the algorithmic system to encrypt and decrypt a specific block of information. The benefit of using an algorithm is that the same 64-bit key is used to both encrypt and decrypt the data. Moreover, the process is faster, as it only uses logical operations irrespective of implementation in hardware or software. However, there is concern regarding the safety issue of DES and initial key selection is critical.

What Are Best Practices

Providing hospital security is different and more challenging than arranging security in other sectors. This is because hospital industry is highly information-intensive and requires extensive human interference that calls for more human error. Moreover, health professionals usually lack cyber-security knowledge and training compared to other tech-savvy industries. Arranging cyber-security in hospital settings is cost-intensive, and it is often difficult for smaller hospitals to invest in the initial setup cost. However, these smaller hospitals can manage the cost burden by outsourcing most of the high-end cyber-security protocols. Some of the best practices for hospital data security are:

Network Protection

Hackers use various methods to break into the networks of healthcare organizations; a variety of tools should be used to defend against their attacks. Hospitals and clinics usually spend a lot of money on perimeter security, like installing antivirus and firewalls. However, experts’ warnings are that healthcare organizations must focus on adopting technologies that help in limiting damages in case of an attack. Therefore, techniques including network segregation (the intruder will not get access to all the information stored at the organization in one place) should be considered.

Education of Staff Members

It is often observed that employees are often involved in the data breaches of healthcare organizations. This may be due to negligence or lack of knowledge. Hospital security involves building awareness to health workers at every level, including researchers, administrators, front desk workers, medics (laboratory technicians, nurses, consultant and social workers), transcriptionists, handlers of medical claims to IT, and technical staffs. The human touch point remains the most vulnerable point of hospital security and the work chain in a hospital is impossible to complete without human interventions at various levels. This calls for increasing security awareness of every healthcare professional in order to maintain adequate hospital security and to generate a security culture. Thus, employee education on hospital security training to make them aware of the possible avenues of data breaches is essential, such as:

  • Training on HIPAA violations
  • Educating them to avoid social engineering, phishing or other employee targeted attacks
  • Guidance on choosing the right passwords that are secured

Encrypting Portable Devices

It has been observed lately that data breaches have often occurred through portable devices, such as portable storage or computing devices containing important health information. Therefore, healthcare organizations must encrypt all the portable devices that contain patient information (USB drives, laptops, tablets, or smartphones) from which data can be stolen. It is also advisable to maintain a stringent policy against information transport to any unencrypted personal devices.

Securing Wireless Networks

The reliance on office wireless networks by using routers is increasing in every organization. The sad part is that these networks are often seen to be vulnerable to attacks. For example, information can be stolen by the hacker present at the parking area. The threat increases when the organizations are using outdated technology that uses outdated security standards.

To protect themselves against such attacks, health care organizations should develop their own routers and keep all the components up to date, secure the network password, frequently change the network password, and block unauthorized devices trying to access the network.

Physical Security Control Implementation

Although electronic healthcare records are becoming more common, hospitals or clinics there is still sensitive information kept on paper in hospitals and clinics. Thus, hospital security services should ensure that the file cabinets and doors are properly locked when unattended; in addition, security cameras and other adequate physical security controls should be installed.

Organizations must secure the IT server room physically by locking the room, using cable locks or other means to attach the laptops/desktops to the office furniture.

Having a Policy for Mobile Devices

As healthcare employees are getting more used to performing their work through personal devices, it is important for the organization to keep a strict policy for such devices (what data can be stored, what apps or software can be installed or kept). Organizations can use mobile device management software to ensure the use of such policies in practice.

Deleting Unnecessary Information

Reducing data load is essential. More data means more information for the hackers to steal, so organizations should maintain a specific policy that mandates the deletion of unnecessary patient information. The process also helps as a regular audit of information gives the organization a clear idea of the data stored in the system.

Scrutinize Third-Party Security

The trend of cloud computing is increasing steadily along with the use of mobile devices. These technologies enable smaller organizations to use similar technologies as their bigger counterparts by reducing the upfront costs required to deploy such infrastructure.

However, the risk of data breaches increases as important patient information goes to or through third parties. Thus, it is necessary to evaluate the security measures taken by the contracted third parties to keep the information safe.

Patch the Electronic Medical Devices

Healthcare organizations face an additional threat from the electronic medical devices in use (monitoring tools, pacemakers, etc.), as hackers often target these devices. The IT department of health care organizations should, therefore, patch the software used in these devices and keep it up to date in order to minimize the chance of potential attacks.

Make an Effective Breach Response Plan

It is likely that an organization will face a security breach at some point in time. Therefore, it is critical to have a clear plan to counter the situation if any such breach does take place.

What Is Clinical Risk Management?

Clinical risk management (CRM) is critical in improving the quality and ensuring safer delivery of healthcare through the introduction of systems identifying and preventing situations that may put patients at any form of risk or harm. Therefore, every healthcare service is required to implement clinical risk management systems that are locally based and to regularly monitor the existing clinical risk management systems. Implementation of consistent incident management review processes is also required for the best practice of clinical governance policy.

How Do I Determine if I Am at Risk?

There is always concern about managing digitalized healthcare information. There are many past instances of data breaches in hospitals and clinics, and the numbers are increasing. Thus, it is vital to understand the procedures to conceal sensitive patient information from the attackers and also the steps to be taken in case a data breach does occur. Using outdated technology and tools, employees not having hospital security training, the inadequate presence of physical security, not using secured networks, keeping a huge data load, not having a strict data breach policy or effective breach response plans suggest that you are at risk of data breaches.

These are indeed valid concerns, as medical data breach can lead to identity theft and the organizations can face legal compliances resulting in loss of reputation and patient trust as well as HIPAA fines. Take help from specialized hospital security services and get your hospital security certification.

How Can I Prevent a Breach

Here are some basic steps to be taken to prevent data breaches of the electronic healthcare information:

Enhancing Administrative Control

  • Regularly update policies and data security processes
  • Educate employees through strict training processes on privacy and security
  • Always do thorough background checks on all employees

Monitoring Physical and System Access

  • Create systems that are physically inaccessible to stop unauthorized access
  • Have provisions for restoration and recovery of data
  • Require all system users to go through verification or identification protocol
  • Regularly access and scrutinize the authorized users
  • Install secured passwords and PINs (personal identification numbers)
  • Supply automatic software shutdown in case of security threat

Identifying the Usage in Workstations

  • Install privacy filters In each workstation
  • Differentiate between the workstations based on different capabilities

Regular Monitoring of System Users

  • Spot any possible system weakness
  • Detect any attempt to breach security or actual breach of the system
  • Regularly audit the authorized users
  • Maintain strict policies and punishments for employees who are found not following the recommended compliance guidelines

Installing Devices and Employing Media Control

  • Make a proper security plan to dispose of unwanted data
  • Remove essential information from hardware that can be reused
  • Track every piece of hardware that is reprocessed
  • Always keep backups of all the information from every piece of hardware

Applying Data Encryption

  • Perform data encryption to make data unreadable to potential attackers (cryptography)


Implementing HIPAA Controls

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

Dückers, Michel, et al. Safety and risk management in hospitals. Health Foundation, 2009.

Aroosa Ashraf
Aroosa Ashraf

Aroosa Ashraf is a trained and registered pharmacist from the Government College University of Faisalabad (GCUF). She completed her graduation in 2013. She is an experienced researcher and technical writer and for the last 4 years, she is working as a writer on different platforms. Currently, she is writing many technical and non-technical articles for her national and international clients.