We've discussed the data security concerns facing healthcare institutions previously, and the three main categories of data at issue are data at rest, data in transit, and the safe disposal of data no longer necessary for business operations. The majority of our focus has been on data at rest, the cyber security needs of an expanded network featuring connected medical devices, and other potential sources of network compromise like endpoint devices or hazards during the vendor risk management life cycle.
Now, it's time that we address secure communication and the necessity of protecting patient health information in transit. Once properly protected, these communication paths are what we call encrypted channels. Before delving into how you can most efficiently protect these encrypted channels in healthcare organizations, it's important that we delineate the primary types of communications that you must ensure are being secured.
Types of Secure Communication
There are three major areas within healthcare communications that we need to look at securing. They are internal communications within healthcare organizations, provider to provider communications, and provider to patient communications.
Internal Communications
Internal communication is defined as any communication between staff members, departments, or other divisions within your organization. This means internal emails, messaging systems like Slack or Teams, or shared databases and calendars. Any of these may prove to be a source of protected health information and therefore subject to protection under HIPAA, GDPR, CCPA, or another data security regulation.
Provider to Patient Communication
As a whole, society is moving further and further away from face to face communication and more towards electronic communication for all manner of things. Patients' health information is increasingly provided to them through patient portals, secure email, and other impersonal means. While this may be a matter of convenience for both patient and provider, the data stored within those communications is without a doubt protected health information and must remain secure and free from unauthorized access or disclosure. The growing popularity of telehealth is also a factor in secure patient to provider communication standards.
Provider to Provider Communication
The lifeblood of the American healthcare network is provider to provider communication. From coordinating treatment to reporting lab or testing results, the amount of information passing back and forth between different providers and healthcare organizations is staggering. It's for reasons like this that protecting encrypted channels in healthcare organizations is so essential. The sheer quantity of information in transit is an attractive target to cyber criminals and nowhere is that more in evidence than provider to provider channels.
Increasing Communication Security
Now that we've defined the areas in which our security concerns should be focused, how exactly should you go about better protecting encrypted channels in the healthcare field? The following best practices will help you prevent unauthorized access to your patients' health information.
Managing Consent
The absolute first step in protecting your patients' health information is to verify that you have their consent to release that information to the specified party in the first place. Whether you're seeking consent to release stored data to the patient electronically or looking to advise other healthcare providers of the progress of their treatment, informed consent is necessary, and it should be specific, retained for the length required, and renewed or updated as necessary.
Data Encryption
Stored data should be encrypted at rest; the challenge in transit is moving that data without it being lost or intercepted while ensuring that it remains usable by a receiver who holds the correct decryption key. The first consideration for encryption is making sure that strong, current encryption methods are being used. AES-256 and RSA-2048 are both common, widely accepted encryption methods that are sufficient for use in compliance with HIPAA and other regulatory standards. This encryption should be applied to all email servers and messaging applications, internal and external, that will be transmitting any electronic patient health information.
Education and Training
Human error is one of the leading causes of lost or stolen protected health information, and one of the most effective ways to combat those errors is to properly educate all members of your staff and provide them with regular training to reinforce that education. This training should encompass both standard cyber security practices as well as ongoing training on regulatory compliance and applicable standards. When your employees understand the reasoning behind your policies and procedures, it increases the likelihood that they will not only comply with them but also have more of a vested interest in your cyber security strategy.
Mobile Device Concerns
Mobile devices are increasingly used to store, access, and transmit sensitive data and patient health information. This means that data security measures must be applied to these mobile devices just as they are elsewhere. Enabling strong passwords with two-factor authentication, or even biometric security features, should be your first step. Next, any transmission of protected health information should be outright prohibited while a mobile device is connected to an unsecured public Wi-Fi network.
Finally, security applications with remote wipe capabilities must be installed on every mobile device to make sure that lost or stolen devices can't be used by bad actors to gain unauthorized access to patients' health data stored within the devices. Protecting encrypted channels in healthcare organizations is virtually impossible if you are unable to secure the endpoints of the channels themselves.
Secure Mobile Device Applications
An added benefit of mobile devices is that there are multiple available software applications that provide end-to-end encryption in a secure messaging platform. This adds a secondary means of communication besides email for your personnel to be able to communicate sensitive data and protected health information. If you select the proper program, only the recipient possesses the decryption key needed to decode the encrypted message, so not even a data breach of the software manufacturer or another third party would provide usable information to cyber attackers. While mobile devices certainly present challenges to cyber security staff, they also provide unique solutions to other communications difficulties.
Third Party Vendors
When your enterprise contracts with third party vendors, do you delineate liability in the event of data breaches to any party? Who bears the responsibility for breaches to your vendors' third parties? If you are failing to lock down those terms during your contracting phase with your vendors, then you are leaving a lot up to chance and even more up to the whims of civil court judges and juries. Especially if those vendors are going to have access to any part of your communication pipeline, you must also make sure that they're maintaining compliance with HIPAA as well.
Protecting encrypted channels in healthcare organizations may seem like something that medical professionals should be well aware of. At Venture Lynk Risk Management, we understand that your areas of expertise may not exactly overlap with the risk profile facing your enterprise. Whether your concerns are cyber security, vendor management, intellectual property risk management, or even operational risk management, we have teams of experts who can give you peace of mind by using their experience to protect your business while you use your own talents where they are best suited. Contact us today to schedule your consultation and see just how we can help you better secure your organization.