In 2016, HIMSS conducted a study that corroborated what those of us in healthcare IT know all too well: most healthcare organizations are ill-prepared to deal with or defend against a cyberattack. HIMSS found that most healthcare organizations fail to adopt even basic safeguards like anti-malware tools, firewalls, and encryption. Of all industries, healthcare has the lowest rate of data encryption. According to the HIMSS study, only 31 percent of healthcare organizations report extensive use of encryption; 20 percent report no use of encryption at all.
It’s no surprise then that research firm Forrester has singled out the healthcare industry as the number one target for ransomware. Savvy cyber criminals recognize healthcare organizations are highly motivated to protect their sensitive patient data, and since they lack new technology to defend against the latest cyber threats, healthcare organizations are easy marks.
Preventing an attack before it occurs is, frankly, more important than knowing how to recover your data. This is because, according to the United States Department of Health and Human Services, if hackers compromise your electronic protected health information (ePHI), it is considered a data breach even if the ePHI can be restored from backup.
One way to minimize the damage a cyberattack can do is to always encrypt patient data. Encryption can be used to preserve the integrity of your data and keep patient information confidential. Encrypted data stays unreadable if it is accessed without authorization or stolen. Confidentiality is maintained when the file is encrypted in such a way that only authorized users have access to the key. It’s imperative, then, to beat cyber criminals to the punch: encrypt any data that they may potentially try to steal.
Data can be encrypted in two states: in transit and at rest.
Data in transit refers to data being accessed over a network, and which, therefore, could be intercepted by someone else on the network, or by someone with access to the physical media the network uses. On a wired network, that could be someone with the ability to tap a cable, configure a switch to mirror traffic, or fool your client or a router into directing traffic to them before it moves on to the final destination. On a wireless network, a cybercriminal needs only to be within range of your device to intercept data being transmitted.
Encryption at rest refers to encrypting inactive data stored physically in any digital form. Physical data could be stored on a wide variety of media, including:
Busy physicians and others in healthcare have many opportunities today to work remotely on a variety of mobile devices as they travel between their offices and hospitals. A simple username and password to log on to these devices offers zero protection when a thief can simply remove the hard drive, install it on another computer, and copy the data. Encrypting data on laptops and other devices is essential to protect information from unauthorized access should the media ever be stolen.
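To make the confidentiality and integrity points above concrete, here is an added example in Go (not Med Tech Solutions code, and not taken from any product): it seals a patient record with AES-256-GCM so that someone who removes the drive but does not hold the key recovers nothing, and any alteration of the stored bytes, or an attempt to file the blob under another patient, is rejected before any plaintext is released. The key source, the record identifier format and the sample record are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds an AES-GCM AEAD; obtaining the key (KMS, TPM, HSM) is the caller's job.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // accepts 16, 24 or 32-byte keys; use 32 for AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts one ePHI record for storage at rest; the record ID is bound as associated data.
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil // layout: nonce || ciphertext || tag
}

// OpenRecord reverses SealRecord; a wrong key, altered bytes or a mismatched ID all fail before any plaintext is released.
func OpenRecord(key []byte, recordID string, stored []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, fmt.Errorf("stored blob too short: %d bytes", len(stored))
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key := []byte("constructed-demo-key-32-bytes!!!") // demo only; real keys come from a key store
	blob, _ := SealRecord(key, "MRN-0001", []byte("constructed sample record"))
	fmt.Println(OpenRecord(make([]byte, 32), "MRN-0001", blob)) // what a thief holding only the drive gets
}
```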
It’s more typical that data is encrypted in transit only. As attacks continue to get more sophisticated, in-transit encryption alone is insufficient to ward off a breach. At Med Tech Solutions, it’s become a best practice to provide encryption at rest as a standard feature with all our service plans. It is certainly far less costly than dealing with the disastrous aftermath of a data breach.
MTS would recommend that healthcare organizations adopt these encryption best practices: