Decrypted | Insights from Virtru to Unlock New Ideas

Healthcare Data Security - The 5 Biggest Challenges Today

Written by Editorial Team | Dec 26, 2014 10:47:44 AM

Healthcare has changed tremendously in the past few years, and the progress that’s being made seems straight from the pages of a sci-fi novel. For instance, the Human Genome Project finished mapping out human DNA just over a decade ago, and now individuals can perform affordable at-home genetic testing. Not too long ago, health records were kept in thick manila folders, and now many patients access their medical histories and test results via online portals.

Although this abundance and availability of data is great for patients, it’s even better for hackers.

As the healthcare industry evolves with new technology and legislation, the security threat to our most personal data is also changing. Here are five of the biggest healthcare data security challenges in the new digital age:

1. Health information exchanges and electronic health records

United States lawmakers love nothing more than a good acronym. As part of 2009’s Recovery Act, legislators passed the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH encourages healthcare providers to adopt electronic health records (EHRs) for patients and health information exchanges (HIEs) to help doctors share patient data.

HIEs make a ton of sense to any patient who has had to fax blood work from their primary care doctor to, say, their gastroenterologist (it’s frankly incredible that the fax machine has survived into 2015). That said, a network that stores large quantities of medical data shared between multiple providers creates a tempting opportunity for data thieves. Where once you might have had to break into a doctor’s office and flip through physical files to access a person’s medical history, now all you need is a lack of moral compunction and some hacking know-how.

While HITECH provides incentives for EHR and HIE adoption, it also expands a patient’s privacy rights under HIPAA and creates a new burden for providers to maintain compliance and healthcare data security. For example, providers are required to notify patients any time there is a breach of “unsecured” (read: unencrypted) patient health information (PHI). As healthcare data makes its rapid migration into the digital realm, encryption is becoming the law of the land.

2. User error in technology adoption

Another healthcare data security hazard of EHRs is simple patient user error. Once you access your lab work from your provider’s portal, your medical privacy is in your hands. If you store your data in unencrypted folders in the cloud, or if you send your results to your mom via email, you pave a simple pathway for a hacker to access your most personal data.

While providers are bound by HIPAA requirements, users aren’t usually quite as cautious. Make sure you’re following healthcare data security best practices, like being mindful of what you store where and using strong encryption wherever possible, including your emails.

3. Hackers and the rise of “hacktivism”

Nothing is sacred in the realm of data theft, as shown by the CHS Heartbleed attack. Earlier this year, hackers broke into the databases of Community Health Systems, Inc. (CHS), one of the largest hospital groups in the United States, and accessed personal data, including social security numbers, from around 4.5 million patients.

Hackers from Internet vigilante group Anonymous also targeted the Boston Children’s Hospital, launching a DDoS attack on the hospital website as an act of “hacktivism.” While the purpose of the attack, part of a larger operation called OpJustina, was to seek retaliation against the hospital for holding a patient against the will of her parents, it shows just how vulnerable healthcare data security can be to a group of determined hackers.

4. The adoption of cloud and mobile technology in healthcare

Just how ubiquitous is the cloud in healthcare? So much so that 80% of healthcare data is predicted to “pass through the cloud at some point in its lifetime” by 2020 (InformationWeek). Healthcare mobile apps are also a growing industry, leaving patient data prone to the vulnerabilities of the cloud and individual mobile devices.

While HITECH mandates the encryption of PHI, encryption is a slippery issue when it comes to the cloud. While it’s relatively simple to encrypt data at rest in the cloud, data in use (that is, data being used by an application, as opposed to sitting in storage) is much harder to encrypt. Hospitals must be vigilant with their security and Bring Your Own Device (BYOD) policies to ensure their use of cloud and mobile tech isn’t violating HIPAA.

5. Outdated technology in hospitals

Running a hospital isn’t cheap, and when you’re prioritizing the latest MRI technology or increasing staff to meet growing needs, sometimes the IT budget can fall by the wayside. End-of-life (EOL) software and infrastructure pose a healthcare data security risk as vendors discontinue support for your IT systems, including vital security patches. While biting the bullet and purchasing a brand new server can be tough on the budget, it’s easier than dealing with the fallout of a data breach.

Across the nation, healthcare providers are grappling with how to incorporate state-of-the-art technologies into their practices without violating HIPAA or putting patients at risk. One insurance policy against the growing threat is data encryption.

Encouraging Medical Professionals to use Encryption in Healthcare

For encryption in healthcare to work, it has to be seamlessly integrated into the workflow of everyone handling PHI. Luckily, there is a client-side email encryption solution that makes HIPAA-compliant email easy: Virtru. Unlike most solutions on the market, Virtru is designed to be easy to use from the ground up.

Virtru works via a plugin that is compatible with all major browsers and email clients, meaning that there’s no need for complicated software or hardware: just download the plugin, and you’re good to go. Virtru Pro even works with Gmail and Outlook, meaning that there’s no need for providers to ditch their current email addresses.

Virtru uses strong, proven client-side encryption, meaning that your confidential data is secure from the time you send it to the time it is received. Likewise, since Virtru manages your keys, the chance that an attacker could gain access to your credentials (and then beat your encryption) is greatly reduced.