Patient privacy breaches pose significant threats to patients and healthcare organisations. It is time to confront the risks head on, writes Steer Health’s Sridhar Yerramreddy
In today's healthcare landscape, data breaches have become an alarming norm. Whether it is patient data leaking to Facebook, phishing attacks that lead to criminal activity, or data being disseminated via Google, breaches are on the rise.
To confront these risks head-on, healthcare organisations should re-evaluate their security strategies and take immediate action to strengthen their defences against data breaches.
Step 1 Understand why security leaks may arise
Data leaks have many different causes, but they share one characteristic: an attacker, or an accident, exploits the weakest link in the chain, which is rarely the system you spent the most effort protecting.
For example, a new external tool for appointment scheduling may simplify the patient journey, but if it is not properly checked it may also pass patient data on to Facebook or Google.
Learning about the kinds of vulnerabilities that cause leaks is the first step towards a more secure infrastructure. The second is finding them within your own organisation.
Step 2 Analyse the patient data trail
Every patient interaction and touchpoint can become a weak link. Your website, social channels, communication tools and the internal software in which clinicians enter patient data all process sensitive information.
Start by mapping the patient journey and recording where patient data is processed and by whom. Typically, the owners of these data touchpoints are:
- Third parties managing tools
- Office staff and administrative employees utilising tools
- Physicians and healthcare staff using tools
For each touchpoint, outline how it receives data and where that data is processed and stored. This data map tells you where access needs to be limited and secured.
Step 3 Eliminate risks of third-party agreements
There is nothing wrong with using tools from many providers, but it requires special care. When dealing with third parties, you need to know exactly how they process data and whether they have the necessary security measures in place. Ask them:
- Are your firewalls and other network controls kept up to date?
- Which backend tools and services process our data, and are any of them further subcontractors?
- Where do you store data, and in which jurisdiction?
- What other security measures do you have in place (access control, logging, incident response)?
- Do these tools encrypt information at rest and in transit using current industry standards? If so, how, and who holds the keys?
The same applies to new contracts: only sign if the answers show that data security is a basic principle of the provider, and have the commitments written into the agreement. Working with one trustworthy provider that offers many tools can reduce the effort of vetting every single supplier, but be aware that it also concentrates risk: if that one provider is breached, every tool it supplies is affected.
Step 4 Govern access
Organisations should tailor data permissions to the intended use of each role, so that every user has the least access needed to do their job. For example, physicians need health information about the patients they treat, but not about every patient in the organisation.
The different permission levels are:
- Full Control. The user can take ownership of the data, including storage, access, changes, deletion and the assignment of permissions to others. (Data owners and a small number of system administrators)
- Modify. The user can access, modify and delete data. (Administrative managers, IT)
- Access. The user can read data but cannot modify or delete it. (Patients, restricted to their own records and the insights they need)
- Access and modify. The user can read and modify data but not delete it. (Administrative and medical staff)
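The four permission levels above form a simple role-based access control matrix. The following is an added illustration, not code from the article or from Steer Health, of how such a policy can be enforced in one place so that every read, change or deletion is checked against the role. It goes one step beyond the list by adding row-level scoping (a patient may only see their own record, a physician only patients on their care team) and an audit trail of decisions; the role names, the `kind` attribute, the `care_team` field and the sample identifiers are all hypothetical.

```python
from dataclasses import dataclass, field
from enum import Flag, auto


class Perm(Flag):
    """Atomic rights from which the four permission levels are composed."""
    READ = auto()
    MODIFY = auto()
    DELETE = auto()
    GRANT = auto()   # assign permissions to others / take ownership


# The four levels from the article, expressed as sets of atomic rights.
# Role names are hypothetical.
ROLE_PERMS = {
    "full_control":  Perm.READ | Perm.MODIFY | Perm.DELETE | Perm.GRANT,
    "modify":        Perm.READ | Perm.MODIFY | Perm.DELETE,   # admin managers, IT
    "access":        Perm.READ,                               # patients
    "access_modify": Perm.READ | Perm.MODIFY,                 # admin and medical staff
}


@dataclass(frozen=True)
class Principal:
    id: str
    role: str   # key into ROLE_PERMS
    kind: str   # hypothetical attribute: "patient", "physician", "admin", ...


@dataclass(frozen=True)
class Record:
    patient_id: str
    # hypothetical field: ids of the physicians treating this patient
    care_team: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def decide(p: Principal, action: Perm, rec: Record) -> Decision:
    """Deny by default; allow only if the role grants the right AND the
    principal is in scope for this particular record."""
    perms = ROLE_PERMS.get(p.role)
    if perms is None:
        return Decision(False, f"unknown role {p.role!r}")
    if (perms & action) != action:
        return Decision(False, f"role {p.role!r} lacks {action.name}")
    # Row-level scoping on top of the role matrix.
    if p.kind == "patient" and rec.patient_id != p.id:
        return Decision(False, "patient may only access their own record")
    if p.kind == "physician" and p.id not in rec.care_team:
        return Decision(False, "physician is not on this patient's care team")
    return Decision(True, "ok")


# Every decision, allowed or denied, is recorded so unusual access can be reviewed.
AUDIT: list = []


def authorize(p: Principal, action: Perm, rec: Record) -> bool:
    d = decide(p, action, rec)
    AUDIT.append((p.id, action.name, rec.patient_id, d.allowed, d.reason))
    return d.allowed


if __name__ == "__main__":
    # Constructed sample data.
    rec = Record(patient_id="pat-001", care_team=frozenset({"dr-smith"}))
    patient = Principal("pat-001", "access", "patient")
    other_patient = Principal("pat-002", "access", "patient")
    physician = Principal("dr-smith", "access_modify", "physician")
    it_staff = Principal("it-1", "modify", "admin")

    authorize(patient, Perm.READ, rec)            # allowed
    authorize(patient, Perm.MODIFY, rec)          # denied: role lacks MODIFY
    authorize(other_patient, Perm.READ, rec)      # denied: not own record
    authorize(physician, Perm.MODIFY, rec)        # allowed
    authorize(physician, Perm.DELETE, rec)        # denied: medical staff cannot delete
    authorize(it_staff, Perm.DELETE, rec)         # allowed
    for entry in AUDIT:
        print(entry)
```

The important design choice is that `decide` is the single place where the policy lives: application code never compares roles itself, and anything not explicitly granted is denied, including unknown roles.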
Step 5 Implement stronger access protection
The inconvenient truth is that a password on its own is no longer adequate protection. For access to sensitive patient data, and to the devices that store or process it, I recommend at least two-factor authentication (for example, a password plus a confirmation on a registered mobile device) together with a password manager. Password managers generate unique credentials for every service and flag passwords that are reused, weak or known to have been leaked, which reduces the risk of breaches that start with a stolen password.
Step 6 Stay on top of software updates
Software updates are how vendors ship fixes for security vulnerabilities, alongside new features. Because an unpatched flaw in a core system undermines every other control, applying these updates promptly is vital.
Checking for new updates and installing them manually is a daunting task across many systems. Instead, enable automatic updates, or ask your provider to enable them, and do not let critical security patches wait for a weekly cycle.
Step 7 Help your patients
There is one factor that at first seems difficult to manage: the patient. Patients are often looking for information and may contact healthcare providers via social media, email or chat. In doing so they share their own health data. A patient may describe a symptom or ask about an upcoming procedure, and if that data is not managed adequately it flows through the provider's systems and risks ending up on Facebook, Google and similar platforms.
There are two things organisations can do to prevent this. First, provide secure communication channels that are easy to find and easy to use, and make clear on every platform and engagement tool that these are the channels to use. This reduces the number of patients who turn to Facebook instead.
But offering a secure service is not enough. It is important to educate patients on what they must do to protect their own data. Campaigns explaining how to share data safely, why only secure platforms should be used, and why they should not expose their data to third parties should be an integral part of this communication.
Healthcare providers have power
Data security is a shared responsibility, but healthcare providers hold the most power in the chain.
The time has come to take control of your data security. Revise your data strategy, update your technology stack, vet third-party vendors and educate patients on how to protect their own data. Together these steps build a stronger security culture and help mitigate the risks of the current cybersecurity landscape.
Sridhar Yerramreddy is CEO and founder of Steer Health