With the shift towards digital records, healthcare facilities rely on mobile devices to access and store patient data. These devices are prime targets for theft based on the value of the items. When targeted, the loss of equipment is only compounded by the potential exploitation of patient data.
The prevalence of theft and lost equipment in healthcare
Healthcare organizations tend to prioritize accessibility and portability of information to keep up with efficiency in patient care. Because these devices hold so much information, when they get into the wrong hands, it can have a huge impact on organizations and patients. Health Industry Cybersecurity Practices (HICP) explains the potential consequences of lost or stolen equipment, “Loss of sensitive data may lead to a clear case of patient identity theft, and with 41.4 million patient records exposed by 572 security incidents in 2019, much could be at stake if patient records make it to the dark web for sale.”
Conditions like lax security protocols and a lack of accountability amongst staff often contribute to the vulnerability of devices. When organizations do not prepare staff for the risk of data loss the issue becomes a prime challenge to the security of protected health information (PHI). When healthcare devices containing PHI are stolen this information is often sold off or used as ransom against the organization.
How to avoid data theft and loss
Encrypt data on all devices:
- Encryption ensures that all PHI remains secure.
- Organizations must employ encryption services and ensure it remains installed and updated on every device that has access to or stores PHI.
Enable remote wipe and device tracking:
- Modern devices allow for remote tracking and wiping, meaning organizations can locate a lost device or remotely erase data if recovery is impossible.
- This feature is accessible on all devices and if necessary software with wiping and tracking capabilities (that aligns with HIPAA security requirements) should be employed.
Use HIPAA compliant email communication:
- Healthcare organizations can reduce the risk of data exploitation of email chains through the use of HIPAA compliant email platforms like Paubox.
- These platforms often can restrict access and track irregular activity on email accounts, allowing organizations to protect email chains that can be forgotten in the chaos of handling lost devices.
Train employees on security protocols and device handling:
- Employees are the first line of defense in the protection of PHI.
- Regular training on HIPAA compliance, secure device handling, and reporting procedures for lost or stolen devices helps staff understand the need for data security.
FAQs
Which U.S. federal organization guides healthcare cybersecurity?
The HHS specifically through its Office for Civil Rights (OCR) and the Cybersecurity and Infrastructure Security Agency (CISA).
What is the most common cause of data loss in healthcare?
The most common cause of data loss in healthcare is ransomware attacks where threat actors encrypt data and demand payment for its release.
Why are healthcare organizations commonly targeted by threat actors?
Healthcare organizations are targeted because they handle sensitive patient data which is highly valuable and often poorly secured.
Kirsten Peremore
