How do hospitals process and protect patient data?
In today’s medical practice, technology is ubiquitous. Beyond the better-known patient privacy rules, HIPAA also sets expectations for hospitals’ technological systems. A healthcare provider must ensure the confidentiality, integrity, and availability of all electronic protected health information and must protect against any reasonably anticipated threats to the security or integrity of that information. In the event of a breach, the hospital must have an action plan and must disclose the incident. Hospitals protect patient data through appropriate planning, control, and configuration of their IoT systems.
HIPAA’s technical security and compliance provisions
Because the healthcare industry works with uniquely personal information concerning patient psychology, personal history, medications, and body, legislators wrote a national law mandating professional expectations for healthcare providers. Hospitals must keep patient records safe. In the event of a cyberattack, hospitals must be able to execute mitigation procedures and contingency plans, or they are liable for negligence. These are outlined in HIPAA in Subpart C (Security Standards for the Protection of Electronic Protected Health Information) and Subpart D (Notification in the Case of Breach of Unsecured Protected Health Information):
- 164.306: Security Standards: General Rules
- 164.308: Administrative Safeguards
- 164.312: Technical Safeguards
- 164.314: Organizational Requirements
Read HIPAA here.
A healthcare provider must protect against any reasonably anticipated threats or hazards to the security or integrity of such information. An organization can be held responsible for negligent policies which would allow an attack to happen. Competent organizations will at least provision:
- Login monitoring
- Password management
- Encryption and decryption
- Maintenance of records
- Integrity controls
- Sanction policy for those who violate the policies
- Regular risk analysis testing and continuous improvement
Taken together, these requirements imply the need for Unified Endpoint Management (UEM).
The management system that connects all electronics in a hospital is called Unified Endpoint Management (UEM). Any monitor that feeds a central database, any computer that charts hospital records, any sensor, anything with an electronic plug transmitting data would be considered an “endpoint,” or an “IoT device.” A UEM system is the comprehensive structure through which these data sources and technologies are interconnected. By integrating a UEM into the management of IoT devices, hospitals can control and secure their IoT infrastructure, streamline device management, and ensure the reliable and secure operation of IoT devices used in patient care and hospital operations.
Real-time tracking
The most obvious provision for maintaining the integrity of patient data, as HIPAA demands, is to automate and streamline recordkeeping as much as possible to reduce human error. This involves real-time tracking, charting, and storing of data. It lets hospitals monitor the health of their devices as well as the integrity of patient records, and it lets staff use their time more efficiently.
Beyond the many devices and systems used in the hospital itself, a phone can be considered an endpoint if patient data is transmitted on it. Providers and patients are in constant communication, so in order to have a comprehensive UEM, communication with patients should be captured, archived, and retrievable, whether through voice calling or text messaging. MultiLine by Movius has served the healthcare industry by providing a HIPAA-compliant solution for communicating with patients through voice calling, SMS, and social messaging. Learn more here. Of course, the creation of these records itself necessitates other security measures.
Micronetworks
A central portal with all the private and confidential information a hospital tracks would be a gold mine for ransomware. As such, many healthcare institutions use network microsegmentation or micronetworks to ensure that a breach of one device will not spread to the rest of the devices connected in the UEM. (1)
Essentially, a micronetwork puts a firewall between every pair of machines that do not need to communicate, storing data in separate compartments. Much like fighting a beehive, a micro-segmented network requires multiple successive compromises, one per compartment, before the hospital’s security system as a whole is breached, so a single infected device is contained.
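To make the compartmentalization concrete, here is an added example (not code from this article or from Movius) that models a default-deny segmentation policy over a hypothetical hospital inventory, computes how many endpoints a single compromised device could reach on a flat network versus a segmented one, and counts the denied attempts a segment firewall would log for incident response. All device names, zones, ports and the policy are constructed.

```python
from collections import deque

# Constructed inventory (hypothetical hospital): endpoint -> network zone.
ENDPOINTS = {
    "icu-monitor-01": "patient-monitoring",
    "icu-monitor-02": "patient-monitoring",
    "pump-ward3-07": "infusion-pumps",
    "nurse-ws-12": "clinical-workstations",
    "ehr-db-01": "ehr-servers",
    "badge-printer": "facilities",
}

# Constructed default-deny allow-list: (source zone, destination zone, port).
# The firewall between segments blocks every flow not listed here, including
# traffic between two devices in the same zone that have no need to talk.
SEGMENTED_POLICY = {
    ("patient-monitoring", "ehr-servers", 443),
    ("infusion-pumps", "ehr-servers", 443),
    ("clinical-workstations", "ehr-servers", 443),
}

def flow_allowed(policy, src, dst, port):
    """Decide one connection attempt. policy=None models a flat network in
    which every endpoint can reach every other endpoint on any port."""
    if src == dst or policy is None:
        return True
    return (ENDPOINTS[src], ENDPOINTS[dst], port) in policy

def blast_radius(policy, compromised):
    """Endpoints an intruder holding `compromised` could reach by hopping
    through allowed flows (breadth-first search); excludes the start host."""
    ports = {p for (_, _, p) in policy} if policy else {0}
    seen, queue = {compromised}, deque([compromised])
    while queue:
        cur = queue.popleft()
        for nxt in ENDPOINTS:
            if nxt not in seen and any(flow_allowed(policy, cur, nxt, p) for p in ports):
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen - {compromised})

def denied_by_source(policy, attempts):
    """Count denied attempts per source host. Many denials from one device
    is the signal a segment firewall should raise for incident response."""
    counts = {}
    for src, dst, port in attempts:
        if not flow_allowed(policy, src, dst, port):
            counts[src] = counts.get(src, 0) + 1
    return counts
```

On the flat network a compromised infusion pump can reach all five other endpoints; under the segmented policy it can reach only the EHR server on port 443, and its probes of the monitors and workstations show up as denials attributed to that one host.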
The shift to encrypted SaaS
Software as a service (SaaS) is a model of maintaining records that involves a monthly subscription. As opposed to the hospital purchasing a computer system that it then owns, SaaS services are hosted software applications. Initially, SaaS solutions were criticized for their security risk. However, because SaaS is more agile, scalable, and cost-effective, medical SaaS solutions are expected to rise in prominence. (2)
In summary, the first feature of the technology system in a hospital is real-time tracking: data is recorded in order to keep accurate records about each patient in the hospital. In many UEMs, patient data is controlled by a central portal protected behind a firewall. This is risky, however, because if the central database is infiltrated, then all records are exposed. To mitigate this risk, micro-networks can be implemented. Another solution is SaaS-based technology management systems.
More sources:
https://www.hhs.gov/sites/default/files/cyber-attack-checklist-06-2017.pdf