Healthcare Data Security: FAQ and Best Practices for Facilities

Image of professional woman smiling
Written by Kerry Larkey, MSN, RN Content Writer, IntelyCare
Image of content creator smiling for camera
Reviewed by Katherine Zheng, PhD, BSN Content Writer, IntelyCare
Group of professionals meeting in a medical office

Healthcare data security breaches are on the rise in the healthcare industry worldwide. According to one cybersecurity study, 66% of healthcare organizations reported experiencing a ransomware attack, nearly doubling the number of attacks in prior years. Of these organizations, 61% reported feeling obligated to pay the attackers.

Healthcare facilities are looking for ways to ensure that their data stays safe and secure. We’ll discuss the importance of data security in healthcare and share the real costs that these breaches pose to organizations. We’ll also review five best practices to secure patient data so you can promote processes that help safeguard patient information at your facility.

Cybersecurity in Healthcare

Data theft is on the rise in healthcare. Patient information is particularly valuable because it includes not only highly sensitive medical data but also identifiers (e.g., name, address, Social Security number) and billing information. Research shows that on the dark web, stolen healthcare data sells for 10 times more than credit card numbers alone.

The impact of cyberattacks on healthcare can be devastating for individuals whose information is compromised. For organizations, the financial implications and loss of public trust are severe. The cost to repair a data breach in healthcare is almost three times higher than in other industries. And yet, only 4-7% of a healthcare system’s information technology (IT) budget is devoted to cybersecurity.

Healthcare Data Security FAQs

In order to prevent cybersecurity attacks, it’s important to understand the basics of healthcare data security. Below we’ll answer some of the most frequently asked questions on sensitive patient information, data protection, and security breaches.

What is information security in healthcare?

Information security involves maintaining the confidentiality, integrity, and availability of sensitive patient data, or protected health information (PHI). In particular, the Health Insurance Portability and Accountability Act (HIPAA) establishes national security standards for how PHI should be handled.

In order to uphold information security and comply with HIPAA, facilities must implement a number of physical, administrative, and technical safeguards that protect patient data. Safeguards and healthcare data security examples include:

  • Facility access
  • Workstation controls
  • Device security

Why is data security the biggest concern of healthcare?

Electronic health record (EHR) systems have brought many advances to the delivery of healthcare services. Patient portals make accessing information more convenient than ever, transforming patients into active players in managing their care. However, our reliance on EHRs has also put patient data security at higher risk, introducing new types of healthcare data security challenges. Here are a few statistics about the prevalence of security lapses:

Why is it important to prevent data security breaches in healthcare?

The financial impacts of data breaches are significant, with an average cost of $10 million per attack. But the costs don’t stop there. The effect on the public’s trust in the healthcare system is even more important. Patients expect that their most personal and confidential information will be kept safe from privacy invasions. As such, preventing data security breaches is a crucial way to maintain professional integrity, protect patients, and prevent significant costs.

What happens if a security breach occurs?

The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured protected health information. A patient data security breach can include loss, theft, or impermissible use or disclosure of unsecured PHI. In the event of a breach of unsecured protected PHI, the facility must notify the affected individuals and the Secretary of Health and Human Services. If the breach affects more than 500 people from a state or jurisdiction, the organization must also notify the media.

Healthcare Data Security Standards and Best Practices

Given the increasing challenges around data privacy and security, you’re likely wondering how to prevent cybersecurity attacks at your facility. Here are five ways to help protect your patient information and maintain healthcare data security.

1. Practice Safe Computer Etiquette

Some very effective security practices don’t cost your facility much money at all. In fact, many are completely free, they just take time and effort to establish as habits within your team. For example, workstations should be locked at all times when unattended — even if the person intends to just step away for a moment.

Here’s one way that this inadvertent security risk might play out. A patient’s bed alarm has been activated and needs to be silenced so a nurse might step away from charting without logging off, thinking the task will only take a moment. Unexpectedly, the patient needs help getting to the restroom and before long, the unattended computer has been left open for 20 minutes, creating a security risk with patient information exposed.

Developing a culture of security on your team can help mitigate risks through teamwork. The more staff watch out for each other and look for areas of concern, the more likely they are to identify issues and proactively address them. With a strong culture of security, another team member would notice an unattended workstation and take steps to log the user off or lock the computer.

Other easy computer habits include:

  • Using computer privacy screens
  • Performing regular software maintenance and updates
  • Reinforcing the importance of never downloading unapproved software

2. Use Anti-Virus Software and a Firewall

These systems work together to protect your facility from external internet threats. Anti-virus software destroys and prevents the spread of malware while a firewall prevents it from gaining access to your computer systems. A virus can allow outside users to steal or destroy data and take control of your computer — jeopardizing health information safety and patient data security.

The majority of EHRs connect to the internet, a fact that makes them more vulnerable to attacks from outside the facility. Additional security risks come from the use of local area networks (LANs), internet browsing, and email systems.

Installing a firewall and anti-virus software can be complicated and will likely be configured and maintained by your IT department. But all staff need to be aware of the dangers of malware and know how to recognize a computer that might have become infected with a virus. For example, an infected computer might crash for no reason or show the “blue screen of death.” Your team needs to know the process for reporting suspicious computers to IT. Policies must also be in place to define and support safe computer use.

3. Consider Partnering With HITRUST Common Security Framework (CSF)

HITRUST CSF is a framework, created by security experts specifically for the healthcare industry, that provides an approach to data regulatory/standards compliance and risk management. The program builds on privacy requirements established by law through the Health Insurance Portability and Accountability Act (HIPAA) to support healthcare data security.

By using HITRUST CSF as a guide, your facility can build an information security management program based on industry-accepted and regulatory standards of security and privacy controls. HITRUST control strategies are comprehensive, including, among others:

  • Access control
  • Risk management
  • Compliance
  • Asset management
  • Human resources security

Although the cost is prohibitive for some, organizations can earn certification from an independent HITRUST-certified assessor. Self-assessments are available for facilities looking for lower-cost options, without certification.

4. Control Access to Protected Health Information (PHI)

The highly sensitive nature of healthcare information requires strict compliance with patient data security measures. Establishing and adhering to an access control system is one strategy for protecting PHI. Access to information in the EHR should be limited to a “need-to-know” basis, based on each employee’s roles and responsibilities. Assignments are typically based on job categories as defined by the facility’s data governance structure.

Your facility also must set up a system for auditing employee access to information, with frequent reviews of the results. In addition to the IT department, your data governance committees will be involved with oversight and making updates to role-based access control recommendations.

The guidelines outlined by HIPAA provide additional legal protections for PHI. Violations of HIPAA are often severe and costly. Staff education on HIPAA and the importance of healthcare data security must be routine and ongoing.

Access must be terminated immediately for all employees who leave employment. All badges, IDs, and tracking/access devices are to be collected on the employee’s last day.

5. Control Physical Access

The most common way that electronic health information is compromised is through lost devices. Many organizations now issue certain staff members laptops and mobile devices in addition to all of the electronic devices, network servers, and computers that stay on site. All of these can be lost or stolen, and the information they contain can be compromised.

Consider using cable locks for computers and restricting access to the most important devices, such as network servers. Sometimes, solutions are as inexpensive and simple as installing locks on doors or moving equipment to lower-traffic areas. Devices should be inventoried regularly to help identify lost or missing equipment.

Looking for More Ways to Keep Patient Data Secure?

Now that we’ve answered healthcare data security FAQs and reviewed five best practices, you might be interested in learning more. We’re here to help — the IntelyCare newsletter is full of free healthcare facility tips, news, and strategies, shared right to your inbox.


Stay in the know

with the latest industry
insights and trends