This Thursday, January 28th is Data Privacy Day (aka Data Protection Day in Europe). The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. To honor Data Privacy Day, here are some ways you can protect personal healthcare information (PHI) in-motion, an area of focus for healthcare IT teams handling PHI.
Personal Healthcare Info is a Hacker's Dream
PHI is considered to be the most sought-after data by cyber criminals in 2016. Hackers are moving away from other forms of cyber crime, such as attacks on bank accounts, and focusing more on PHI because of the amount of data contained within it. Valuable data within PHI includes social security numbers, insurance policy info, credit card info, and more.
The lack of a consistent approach to data security throughout the healthcare industry also makes healthcare data easier to obtain. The easier it is to steal, the more lucrative the data becomes to hackers. The healthcare industry has had less time than others to adapt to growing security vulnerabilities, and online criminals don't take long to take notice.
GDPR and the End of Safe Harbor
It’s not news that governments around the globe are doing their part to promote data privacy. They are doing this by legislating the protection of personal data and reinforcing it with significant penalties for non-compliance. Check out the recent agreement on the European Data Protection Regulation as the most recent example.
What is changing, however, is the rapid growth in data integration across the open Internet between hospitals, service providers like payment processors, insurance companies, government agencies, cloud applications and health information exchanges. The borderless enterprise is a fact of life.
Using Encryption to Meet Data Privacy Regulations
It’s well known that a security strategy focused on perimeter defense is not good enough. For one thing, healthcare data must move outside its trusted network. Encryption is the best means to limit access to protected data, since only those with the encryption key can read it. But there are other factors to look at when considering technology to protect data in motion, particularly when compliance with HIPAA or other governmental data privacy regulations is an issue.
Briefly, when evaluating ciphers for file encryption such as AES, described in FIPS 197, it’s important to consider key size (e.g. 128, 192 or 256 bits), which affects security. It’s also worth considering products with FIPS 140-2 certified ciphers, accredited for use by the US government, as an added measure of confidence.
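As an added example that is not code from the original post, the Go routine below enforces the FIPS 197 key sizes just mentioned and wraps AES in GCM mode, so a PHI record is both encrypted and integrity-checked whether it is in transit or at rest; the function names (newGCM, Encrypt, Decrypt) are hypothetical and the record contents used in testing are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Added example, not code from the original post. newGCM accepts only the
// FIPS 197 key sizes (128, 192 or 256 bits) and wraps AES in GCM mode so
// every sealed record carries an authentication tag.
func newGCM(key []byte) (cipher.AEAD, error) {
	if l := len(key); l != 16 && l != 24 && l != 32 {
		return nil, fmt.Errorf("AES key must be 16, 24 or 32 bytes, got %d", l)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a PHI record and prepends the random nonce, so one blob can
// travel in transit and then sit at rest on a server without being re-encrypted.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt fails on a wrong key or any altered byte: GCM verifies the tag
// before releasing plaintext, so tampering anywhere along the path is caught.
func Decrypt(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```

A 20-byte key is rejected before any encryption happens, and a blob with a single flipped byte fails to decrypt instead of yielding corrupted PHI.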
Here are several other things to consider to protect data in motion and ensure compliance:
- End-to-end encryption: Encrypting files both in transit and at rest protects data from being read on trusted servers by malware or by malicious agents who already have legitimate access to the trusted network
- Visibility for audit: Reports and dashboards to provide centralized access to all transfer activity across the organization can reduce audit time and improve compliance
- Integration with organizational user directories: LDAP or SAML 2 integration to user directories or identity provider solutions not only improves access control and reduces administrative tasks, but can also provide single sign-on capability and multi-factor authentication
- Integration with other IT controls: While data integration extends beyond perimeter defense systems, consider integrating with data scanning systems. Antivirus protects your network from malware in incoming files, and Data Loss Prevention (DLP) stops protected data from leaving.
- End-point access to data integration services: There are more constituents than ever that participate in data exchange. Each has unique needs and likely requires one or more of the following services:
  - Secure file transfer from any device or platform
  - Access to the status of data movement to manage Service Level Agreements (SLAs)
  - Scheduling or monitoring of pre-defined automated transfer activities
- Access control: With the growing number of participants, including those outside the company, it’s more important than ever to carefully manage access with role-based security, ensuring each participant has appropriate access to the required data and services.
- File transfer automation: Automation can eliminate misdirected transfers by employees and remove the need for external access to the trusted network. Using a file transfer automation tool can also significantly reduce IT administration time and the backlog of business integration process enhancement requests.
Become Privacy Safe Starting with This Webinar
Protecting PHI within the healthcare system doesn’t have to make it painful for hospital administrators or doctors to appropriately access PHI, but it does mean having the right technology and good training in place. And in honor of Data Privacy Day, don't you want to tell your customers that their data is safe? You will be one step closer by signing up for tomorrow's live webinar.
Learn how you can implement health data privacy controls to secure your healthcare data >> Register Here
For more on this topic, register to hear David Lacey, former CISO, security expert, and drafter of the original text behind ISO 27001, speak about implementing HIPAA and other healthcare security controls with a managed file transfer solution.