data security digital revolution and HIPAA
Frenemies in Healthcare: Data Security, Digital Revolution, and HIPAA
October 30, 2015
doctoron call electronic communication in HIPAA world
Doctor on Call: Electronic Communication in HIPAA World
November 10, 2015
Show all

10 Ways to Address Data Security Challenges in Healthcare

data security challenges in healthcare-

Digital health has empowered us to manage and monitor our well-being. At the same time, it has generated new challenges for health care organizations that care about data security and privacy.

healthcare organizations face unique security challenges

Continuous shift  to cloud computing, digital patient records, cumbersome  regulatory requirements, and need for real time communication between patients, providers and payers, put a spotlight on data security. Tackling the issue of data security involves understanding applicable threats, aligning appropriate layers of defense and continual monitoring of activity logs. Let’s look at the 10 ways which may help alleviate some of the challenges that a healthcare organization faces :

data classification1. Classification of data

Classifying any given data into confidential, internal, and public categories could help in protecting and release of data. To protect the confidentiality of patients, the data owners must satisfy two opposing objectives: the privacy of individuals and usability of released data.Clear classification provides criteria by which employees can decide whether they should be sharing information with a partner organization or not.Only public information should be permitted to be accessed by outsiders.

strong data encryption

2. Use of strong data encryption

Data breaches could cost the healthcare industry as a whole $6 billion each year, according to a Ponemon Institute report. Therefore, any PHI data that is being stored, whether on your desktop, on a server or in the cloud, should be encrypted. Encryption obscures your data, making it unintelligible to anyone who doesn’t have the key to decrypt it. Encryption should be end-to end, at least 128-bit, and the key should not be stored on the server.

two-factor authentication  3.  Multi-factor authentication

Without multi-factor authentication, any hacker can access your data easily. No single password, after all, can protect your data sufficiently. Apart from providing a password, there should be additional levels of security such as the use of biometrics for verification of individuals.  Security measures should be both logical (authorization, authentication, encryption and passwords) and physical (restricted access and locks on server, storage and networking cabinets) . One time passkeys, which are used by banking services, can also provide additional security.

secure file sharing

4. Validate file-sharing activities

According to a Healthcare Insights Study, clinicians use an average of 6.4 different mobile devices in a day, highlighting the need for file transfer security across all smartphones, tablets and devices. Within the past year, 78% of healthcare organization breaches were due to web-borne malware attacks. Since the data is being stored on a cloud and can be hacked, it is necessary to know  who sent and accessed files, when and where were the files accessed, and the status of each download.  By tracking and validating file-share activities, one can find out whether PHI has been compromised.

common support platform

5. A common support platform

For promoting effective communications with patients and other external institutes, healthcare organization should enable employees to share  information with their peers over a monitored and secure platform.This ensures tighter control over PHI and discourages use of open and public file sharing services(i.e. Dropbox, Google Docs) to share data.

Monitor devices and records6. Monitor devices and records

Electronic devices and/or paper records should not be left unattended. More often than not, data breaches occur due to theft of such items from a home, an office or a vehicle. While it is IT’s job to safeguard patient information, employees should be reminded to do their part in keeping data safe as well. All USB drives, external hardwares should again be encrypted. There can also be a list of approved IP addresses to control where devices and applications can be used.

data security 7.  Awareness about data storage

A person or an organization should know about data centers, who all have access, any clause in the back-end service along with the individual’s rights and assurances by law of the land. The end user should also be well aware of the data stored, its location, and who else can access that data.


train all healthcare staff 8.Train all staff

Unintentional data leakage is mainly caused by insiders who may not be aware of the risks. This includes, for example, putting sensitive files on an external platform such as Dropbox, emailing it to a personal account,etc. Entire staff and not just the IT Department should be trained and monitored for any non-compliance and educated to avoid any future errors.

review the medical data security9. Review the compliance and security practices of business associates

Lay down ground rules for HIPAA compliance, including a mutual obligation to encrypt any shared PHI, and ensure that the business associate can’t pass PHI from patients on to subcontractors without a person’s approval.

penetration testing overview10. Conduct more frequent assessments and penetration testing

The threat from hackers has the potential to ruin the healthcare industry, and the risk is ever increasing. Personal health records are high value targets for cyber criminals as they can be exploited for identify theft, insurance fraud, stolen prescriptions, and dangerous hoaxes. A quarterly or yearly test schedule should be conducted so that the organization can compare results and see what has been fixed, what  has not been fixed, and to look into the newer vulnerabilities that may have arisen.

Healthcare firms must strengthen their security guidelines and comply with data privacy requirements. What is needed to begin with is an inventory of protected data, along with the proper record of where the data originated, and to whom it  was forwarded. Doctors and hospitals need to strike a balance between being able to access and share critical patient data while also keeping electronic health records secure. Even as it is necessary to create awareness among individuals,  if health care organizations truly care about data security and privacy,  they need to invest money and time in emerging technologies.


Subscribe to Vigyanix Blog

Join 1000+ fellow healthcare professionals! Get Vigyanix' latest healthcare articles straight to your inbox.

Leave a Reply

Your email address will not be published. Required fields are marked *