Encryption is required under HIPAA to protect electronic personal healthcare information being transferred or stored. SSL encryption protects data in motion by encrypting connections between computers but other vulnerabilities need addressing. Healthcare organizations should educate employees, secure wireless networks, vet third parties, and limit potential network damage from breaches through measures like network segregation.
Data breaches are disruptive, expensive and even dangerous. Nowhere is this truer than in the healthcare industry, where people's personal information, including extremely sensitive information about their health, is being entrusted to medical organizations and insurers.

That's why it's more important than ever to encrypt everything. In fact, encryption is required as a part of HIPAA (Health Information Portability and Accountability Act) compliance. This act governs the transfer and storage of healthcare information by health care professionals, hospitals, insurers and billing organizations.
The HIPAA Security Rule requires organizations to use specific safeguards to protect all Electronic Personal Healthcare Info, specifically mandating encryption and specifying key management protocols, as well as protocols for handling a data breach.

It's worth noting that SSL encryption is just one piece of a larger puzzle when it comes to protecting healthcare IT from various security threats, since SSL can only protect data in motion, but it is a very important piece nonetheless.
The reasons for this should be obvious. In older times, medical records were kept on paper and housed in physical locations. Now the majority of records are kept online and can be accessed easily by doctors, medical professionals and insurers who need them. This is a double-edged sword: on one hand it's more convenient, but on the other it leaves these records open to more security risks. That's because unless a record is being accessed on the same machine it is stored on, accessing it requires a connection to be made between two computers, or between a computer and a server.
Without SSL encryption protecting that connection, any third party positioned on the network path can easily read the information being shared between the two machines and steal it.

This is where SSL comes into play. With SSL, you can encrypt those connections and shut down one of the easiest ways for malicious third parties to breach that data. SSL works by protecting the information that is being exchanged by the two computers. Before any application data is sent, the computers perform what is called an SSL handshake, in which they agree on the protocol version and cipher suite to use and establish the keys for the session. From there, all communication between the two is encrypted, meaning that if a third party were to intercept it, all they would get would be a jumbled set of numbers and letters. Only the two computers involved in the connection can decrypt the information.
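The handshake described above is only as good as the settings the client insists on: if the client accepts a legacy protocol version or a weak cipher suite, or skips certificate verification, the "only the two computers can decrypt" guarantee no longer holds. The following script is an added example, not code from the original article, that opens a verified TLS connection with Python's standard ssl module, reports what was negotiated, and flags legacy versions or weak suites. The minimum-version policy and the list of weak-cipher markers are constructed for this example and are not a HIPAA-mandated list; the host argument is whatever endpoint you want to review, which can be one of your own servers or a partner's.

```python
import socket
import ssl

# Constructed policy for this example: refuse anything below TLS 1.2 and flag
# cipher suites that are widely regarded as weak. Not a HIPAA-prescribed list.
MINIMUM_VERSION = ssl.TLSVersion.TLSv1_2
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ANON", "ADH", "AECDH")


def build_client_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate and hostname against
    the system CA bundle and refuses protocol versions below the policy minimum."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = MINIMUM_VERSION
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings that matter for a 'data in motion' review."""
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def audit_session(protocol: str, cipher_name: str) -> list:
    """Return findings for a negotiated session, given the strings that
    SSLSocket.version() and SSLSocket.cipher()[0] report. Empty list means OK."""
    findings = []
    if protocol in LEGACY_VERSIONS:
        findings.append(f"legacy protocol negotiated: {protocol}")
    upper = cipher_name.upper()
    for marker in WEAK_CIPHER_MARKERS:
        if marker in upper:
            findings.append(f"weak cipher suite negotiated: {cipher_name} ({marker})")
            break
    return findings


def connect_and_report(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Perform a verified TLS handshake with host:port and report what was agreed.
    A certificate that does not verify raises ssl.SSLCertVerificationError, so an
    untrusted server is refused rather than silently accepted."""
    ctx = build_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            protocol = tls.version()
            cipher_name, _, bits = tls.cipher()
            cert = tls.getpeercert()
            subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    return {
        "protocol": protocol,
        "cipher": cipher_name,
        "bits": bits,
        "subject": subject.get("commonName"),
        "findings": audit_session(protocol, cipher_name),
    }


if __name__ == "__main__":
    import sys

    # Hypothetical target; pass the hostname of the server you want to review.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    try:
        print(connect_and_report(target))
    except ssl.SSLCertVerificationError as exc:
        print(f"refused: certificate verification failed for {target}: {exc.verify_message}")
    except (ssl.SSLError, OSError) as exc:
        print(f"refused: handshake failed for {target}: {exc}")
```

The key design choice is that verification failures are treated as a refusal, not a warning: a client that proceeds after a failed certificate check has no assurance it is talking to the intended server, which is exactly the interception the article warns about.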
SSL is just one component of a more comprehensive security solution, though. While protecting information in transit is of huge importance, there are other vulnerabilities that the healthcare industry must also shore up in order to secure itself.

Case in point: in 2012, 94% of companies in the healthcare industry reported some form of a data breach. They likely had holes in their systems that SSL is not designed to protect.
Here are a few other tips for healthcare organizations looking to protect against cyber threats:

(1) Protecting networks means more than just firewalls and antivirus software

Perimeter security is important, but there are other ways to help protect a network as well, one of which is to focus on limiting the potential for damage should the network ever be breached. This includes practices like segregating networks so that intruders don't have access to all the data stored on a network should they breach part of it.
(2) Education is key

Employees are one of the easiest ways to infiltrate the healthcare industry's computer networks, as they are in any industry. That's why it's important to constantly educate employees on developing security risks (phishing scams, social engineering, etc.), as well as training them on what does and does not constitute a HIPAA violation.
(3) Mobile access can be dangerous

As mobile phone and tablet technology continues to evolve and become more prevalent, the natural inclination may be to rely more heavily on these platforms. However, this can create a vulnerability if they're not properly secured. Make sure to have a policy against using personal devices for accessing information, and make sure to secure and encrypt all organization-owned devices to help eliminate breaches.
(4) Be sure to secure wireless networks

Wireless internet is everywhere and its convenience is undeniable. But unsecured wireless networks are also easily exploitable, making them a huge security weakness. WEP passwords are simply not enough in this day and age. Rather, to protect against attacks, healthcare organizations should make sure to keep their routers up to date, change passwords regularly and block access to all unauthorized devices.
(5) Be sure to vet third parties

Sure, your organization has done everything in its power to protect against data breaches and other cyber-attacks, but any other organization or business you're doing business with could pose a threat to the information you're working so diligently to protect. Are they secure? Do they use SSL encryption to protect the data once it gets on to their servers? You're only as strong as your weakest link, so make sure that weakest link isn't another organization or company you're partnered with.