In 2016, HIMSS conducted a study that corroborated what those of us in healthcare IT know all too well: most healthcare organizations are ill-prepared to deal with or defend against a cyberattack. HIMSS found that most healthcare organizations fail to adopt even basic safeguards like anti-malware tools, firewalls and encryption. Of all industries, healthcare has the lowest rate of data encryption. According to the HIMSS study, only 31 percent of healthcare organizations report extensive use of encryption; 20 percent report no use of encryption at all.
It’s no surprise then that research firm Forrester has singled out the healthcare industry as the number one target for ransomware. Savvy cyber criminals recognize healthcare organizations are highly motivated to protect their sensitive patient data and since they lack new technology to defend against the latest cyber threats, healthcare organizations are easy marks. Nearly 100 million healthcare records were compromised last year.
Given that the industry is generally lax when it comes to preparing to defend against a cyberattack, chaos usually ensues when hackers unleash their infectious software. The particularly malicious ransomware brand of malware exploits vulnerabilities in an organization’s computer system and encrypts data so it can only be unlocked with a decryption key. The best defense against cybercrime, of course, is a good offense. Preventing an attack before it occurs is, frankly, more important than how to recover your data. This is because if hackers compromise your electronic patient health information (ePHI), it is considered a data breach even if the ePHI can be restored from backup, according to the United States Department of Health and Human Services.
One way to minimize the resulting damage of a cyberattack is to always encrypt patient data. Encryption can be used to preserve the integrity of your data and keep patient information confidential. Data encryption prevents data visibility in the event of its unauthorized access or theft. Confidentiality is maintained when the file is encrypted in such a way that only authorized users have access to the key. It’s imperative, then, to beat cyber criminals to the punch: encrypt any data that they may potentially try to steal.
Data can be encrypted in either of two states: in transit and at rest.
Data in transit refers to data being accessed over a network – and which, therefore, could be intercepted by someone else on the network, or by someone with access to the physical media the network uses. On a wired network, that could be someone with the ability to tap a cable, configure a switch to mirror traffic or fool your client or a router into directing traffic to them before it moves on to the final destination. On a wireless network, a cybercriminal need only be within range of your device to intercept data being transmitted.
Encryption at rest refers to encrypting inactive data stored physically in any digital form. Such data could be stored on a wide variety of media, including:
- End-user devices, including smartphones and tablets, laptops
- Portable storage devices like CDs, DVDs, and USB storage (flash drives or thumb drives)
- Files, clipboards, and folders
- Hard disk
- Virtual disks and compressed archives
- Mobile email, files, and text
- Third-party Cloud services
Busy physicians and others in healthcare have many opportunities today to work remotely on a variety of mobile devices as they travel between their offices and hospitals. A simple username and password to log on to these devices offers zero protection when a thief can simply remove the hard drive, install it on another computer, and copy the data. Encrypting data on laptops and other devices is essential to protect information from unauthorized access should the media ever be stolen.
A 2008 Data Breach Report by Verizon Business found that 87 percent of data breaches were considered avoidable. In Med Tech Solutions’ experience working with clients in healthcare, when they encounter encrypted patient data (if data is encrypted at all) it’s more typical that data is encrypted in transit only. As malware continues to get more sophisticated, they find in-transit encryption to be insufficient to ward off possible hacking. At Med Tech Solutions, it’s become a best practice to provide encryption at rest as a standard feature with all of their service plans. It’s not that much more expensive than in-transit encryption to implement and it’s certainly far less costly when you factor in what it will cost to deal with the disastrous aftermath of a data breach.
MTS recommends that healthcare organizations adopt the following encryption best practices:
- Ensure all sensitive data that is uploaded or downloaded is encrypted. Email is not generally considered secure so be sure to leverage a solution like Citrix ShareFile or the Office365 Email Encryption service.
- The encryption of data at rest should only include strong encryption methods such as AES or RSA
- Encrypted data should remain encrypted when access controls such as usernames and passwords fail
- Increasing encryption on multiple levels is recommended
- Data encryption keys should be updated on a regular basis
- Encryption keys should be stored separately from the data
- Periodic auditing of sensitive data should be part of policy and should be scheduled regularly
- Finally, only store the minimum possible amount of sensitive data
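The at-rest practices in the list above (strong symmetric encryption, the key held apart from the data, data that stays sealed when a key is retired or a byte is altered) as an added Go example; this is not code from the article or from Med Tech Solutions. The in-memory `KeyStore`, the `Envelope` layout and the key ids are assumptions standing in for a real key-management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is the on-disk form of a record; it names the key but never contains it.
type Envelope struct {
	KeyID             string
	Nonce, Ciphertext []byte
}

// KeyStore stands in for a KMS or HSM held apart from the data (assumption: in-memory map).
type KeyStore map[string]cipher.AEAD

// NewKey generates a random 256-bit AES key and registers it as AES-GCM under id.
func (ks KeyStore) NewKey(id string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	block, _ := aes.NewCipher(key)   // a 32-byte key is always valid
	ks[id], _ = cipher.NewGCM(block) // AES's 16-byte block is what GCM needs
	return nil
}

// Encrypt seals a record under a fresh nonce; the key id is bound as associated data.
func Encrypt(ks KeyStore, keyID string, pt []byte) (Envelope, error) {
	g, ok := ks[keyID]
	if !ok {
		return Envelope{}, fmt.Errorf("key %q not in store", keyID)
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{keyID, nonce, g.Seal(nil, nonce, pt, []byte(keyID))}, nil
}

// Decrypt fails if the key was retired or any byte of ciphertext, nonce or key id changed.
func Decrypt(ks KeyStore, e Envelope) ([]byte, error) {
	g, ok := ks[e.KeyID]
	if !ok {
		return nil, fmt.Errorf("key %q not in store", e.KeyID)
	}
	return g.Open(nil, e.Nonce, e.Ciphertext, []byte(e.KeyID))
}
```

Key rotation is then Decrypt under the old id, Encrypt under the new one, and delete the old entry; envelopes still labelled with the retired id can no longer be opened.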