- What is healthcare data security?
- How data is protected in the USA
- What kind of information is protected?
- How data is protected in Europe
- The difference between the US and Europe
- Healthcare data security issues
The healthcare industry adopts new technologies quickly. This is particularly true of information technology, which is used to support both doctors and patients and to improve the delivery of healthcare services. The core element of a hospital information system is the electronic health record (EHR), where patient information, including protected health information, is stored. Moreover, hospital administrative and financial staff uses a myriad of other applications to monitor hospital performance in terms of financial efficiency and treatment success rates. Government and federal organizations also use IT solutions to track the quality and safety of healthcare organization operations. And, of course, there are a lot of applications that are used by patients to monitor their vital signs and to communicate with doctors via mobile and wireless technologies.
To manage, store, and access this data, modern technologies, such as cloud, mobile, and new generation databases, are used. And the largest challenge the healthcare domain has faced recently is the security of healthcare data.
What is healthcare data security?
Healthcare data security is a strictly regulated area in the US and Europe and there are strict requirements regarding who (a person or entity) is covered, what information is protected, and what must be done to ensure appropriate protection of healthcare patient information.
How data is protected in the USA
In the USA there is no single and comprehensive federal law that would explain how personal data should be collected and used by healthcare organizations. Instead, there are several sets of healthcare data security standards on both federal and state levels. Let’s take a closer look at some of them.
The Health Insurance Portability and Accountability Act (HIPAA) enacted in the USA in 1996, and the HIPAA Privacy Rule and the HIPAA Security Rule published by the U.S. Department of Health and Human Services (HHS) soon thereafter established national standards for the protection of health information, and specific electronic health information in particular. These rules are enforced by the Office for Civil Rights (OCR), a part of the HHS, which facilitates voluntary compliance activities and has the authority to impose civil monetary penalties.
The HIPAA Privacy Rule, also known as the Standards for Privacy of Individually Identifiable.
Health Information establishes national standards to protect patients’ medical records and other personal health information. This Rule applies to:
- health plans
- health care clearinghouses
- those health care providers that transmit protected health information (PHI) electronically
The Rule contains the standards that must be applied to safeguard and protect ePHI both when data is stored and transmitted. The limits and conditions on the use and disclosure of confidential patient data without patient authorization are also set by this Rule, as well as the rights of patients over their health information. These patient rights include rights to see their protected health information and to obtain a copy; to request corrections if the data is inaccurate or contains errors; to have a list of who their protected healthcare information has been disclosed to, etc.
What kind of information is protected?
According to Beckers hospital review, protected health information includes the following:
- Birth dates, death dates, treatment dates, admission dates, and discharge dates
- Telephone numbers, fax numbers, and other contact information
- Social Security numbers
- Medical record numbers
- Photographs and any comparable images
- Biometric identifiers, including finger, retinal, and voiceprints
- Any other identifying numbers
The HIPAA Security Rule, also known as Security Standards for the Protection of Electronic Protected Health Information, covers the standards of ePHI protection. This Rule requires entities covered by the HIPAA Compliance law to have appropriate administrative, physical, and technical safeguards in place to ensure confidentiality, integrity, and security of electronically transmitted PHI. The recommendations and requirements related to security management processes, including methods to prevent, detect, and correct security issues.
If you're worried about what are data sets in healthcare systems, we recommend our previous article.
How data is protected in Europe
The data privacy regulations adopted by the European Union (EU) are among the strictest in the world. Under the European Union’s Data Protection Directive 95/46/EC of 24 October 1995, personal data, or sensitive categories of data, as defined in the Directive, can only legally be gathered under strict conditions and should only be used for a specific purpose. According to the European Commission, the Directive 95/46/EC was adopted to “harmonize national provisions on the protection of individuals in processing and free movement of personal data.” This Directive, as well as the e-Privacy Directive 2002/58/EC, has been implemented in every country in the European Union.
The responsibility for the management and the protection of the collected data from misuse, as well as observation of the data owners’ rights, always rests with the gatherer. There are also several key principles to be observed concerning the privacy and security of patient data provided by a communication from the commission to the European Parliament in “A comprehensive approach on personal data protection in the European Union”.
Those principles relate to:
- Protection of the fundamental rights of natural persons and in particular their right to protection of personal data
- Data collection and processing transparency
- Mandatory personal data breach notification
- Rights of access, rectification, erasure or blocking of data
- Sanctions, including criminal sanctions, in case of serious data protection violations, etc.
The difference between the US and Europe
When we talk either about data security in healthcare or data protection in general, the main difference in the legislation in the US and the EU is the approach to securing data. In Europe, this approach is more unified as the legislation is the result of the coordinated work of all member states to create the same standards for each country. That is, the directive is used as guidelines which are converted into national law.
In the USA, the approach is different. There is no single overarching privacy law. Data protection is regulated by many state and federal laws. On a federal level, the approach towards data protection legislation is sectoral, i.e. only certain industries are covered. At a state level, there’s also some form of the privacy legislation in most states.
According to a study by the European Parliament's Policy Department for Citizens' Rights and Constitutional Affairs, where the US and EU data protection legislation for law enforcement purposes is compared, the majority of the EU data protection standards cannot be found in US law. “Rules limiting inter-agency data exchange, exchange with other third parties, complete independent oversight and effective judicial review possibilities for non-US persons do not exist at all or are at best very limited”.
Either way, both the EU and the US make certain efforts to improve the situation and there’s a specific cause for this.
Healthcare data security issues
The healthcare industry operates enormous data assets which include, among others, patient health information and personal data. The past few years showed that this data was the slice of the pie that attracted cybercriminals. Ransomware and shadow IT are only a part of the issues the healthcare industry is facing and the importance of data security in healthcare is in the spotlight now.
2015 and 2016 became the years of healthcare breaches. A Ponemon Institute study shows that nearly 90 percent of healthcare organizations suffered data breaches in the past two years, and nearly half of those, or 45 percent, had more than five data breaches within those two years. Estimates based on the results of this study suggest that the average consolidated cost of data breaches in the healthcare industry is as much as $6.2 billion. The major trouble spots for the healthcare organizations which took part in the study were negligent or careless employees (69 percent of respondents), cyber attackers (45 percent of respondents), and the use of insecure mobile devices (30 percent). Among other sources of data breaches, we can also name third party faults, malicious insiders, and theft.
Is there any good news? Large-scale incidents have put the industry on alert. Healthcare organizations are getting more informed on the problem and taking steps to improve data protection strategies. According to the Ponemon Institute study mentioned above, 69 percent of healthcare organizations have developed a formal incident response plan for cyber attacks. Another study by a well-known healthcare data security company revealed that 56% of healthcare organizations plan to invest in data breach protection solutions.
Nowadays data security measures relating to all aspects of the healthcare business are a must. Healthcare data security legislation and best practices in the industry require strong physical security measures, logical security measures, and compliance measures to be incorporated by healthcare organizations.
To be able to focus on its core business, a healthcare organization must secure health information. How can this be done? Healthcare Information and Management Systems Society (HIMSS) defines six technical controls to minimize security and compliance risks in its Healthcare security + compliance guide:
- Anti-malware software
- Data loss prevention software
- Two-factor authentication software
- Patch management software
- Disc encryption software
- Logging and monitoring software
The technical measures alone cannot provide 100 percent data protection. A healthcare organization also must have operational controls in place. The HIMSS report reveals six such controls:
- A security and compliance oversight committee
- Formal security assessment processes
- A security incident response plan
- Ongoing user awareness and training
- An information classification system
- Security policies
The 2020 Thales Data Threat Report shows that compliance is the top driver for IT spending in 2020, as 72 percent of organizations increased IT security spending to ensure compliance with privacy requirements and data residency regulations in the US.
What are the strategies to adhere to keep PHI secure and reduce exposure to data related risks? Here are some practices that allow healthcare organizations to take advantage of new technologies and innovations while securing data:
- Data encryption makes it more difficult for unauthorized parties to access sensitive data, such as patient PHI.
- Access control allows you to control who sees, modifies, and transmits data.
- An appropriate data security platform provides a single management interface to centrally organize data security controls and uniformly enforce policies across all data repositories, both on-premises and in the cloud.
- Security analytics and multi-factor authentication solutions help identify threatening patterns of data use.
The bottom line is the IT solutions in the healthcare industry must be developed and used in accordance with all the standards mentioned above to avoid risks and provide maximum data privacy and security. Proper data protection strategies and solutions in place enable your organization to comply with monitoring and reporting regulations and share data securely, both inside and outside the medical facility.
Contact our specialists to get more information about solutions in the field of data protection.