The key elements of robust data security in healthcare
Healthcare is one of the industries most heavily targeted for data breaches, and last year saw the greatest number of incidents on record, with 45 million people affected globally


All over the world, data is being generated, stored and shared at tremendous volume. However, we cannot entrust information to any system without considering the potential for misuse. Data breaches and cyber-crime are rife in this digital age, and data needs to be rigorously protected against unauthorised access and exploitation.

Digitalisation accelerated with force during the pandemic, and we now do everything online, including monitoring health and providing and receiving medical care. While the benefits of digitising documents and processes are unquestionable, digitisation has introduced challenges of its own. With the growth of remote working in particular, data is increasingly vulnerable to unwanted exposure, and in the healthcare sector the impact can be enormous.

A 2021 report found that healthcare is one of the industries most heavily targeted for data breaches, and that last year saw the greatest number of incidents on record, with 45 million people affected globally, triple the number from three years prior.

In 2022, external factors such as the war in Ukraine have heightened the threat even further, and the implications are significant. Financial losses are, of course, enormous, not least because of the heavy fines that can be levied in the event of a data breach. But most worrying is the effect on the quality of patient care and the risk of patient privacy being compromised. Security breaches can disrupt access to electronic patient records and diagnostic technology, take down booking systems and access to appointments, damage patients' trust in their healthcare providers, and even cause ambulance diversions that delay treatment.

Today, it is absolutely critical for healthcare leaders to be stringent about data security, not just for operational and financial protection, but to protect the health and safety of patients. More than ever before, all health systems and medical institutions should be taking the necessary steps to ensure their data does not end up in the wrong hands.

A modern IT infrastructure
To begin with, modernising IT infrastructure is vital. While 100 per cent protection is not possible, given the increasing sophistication and volume of attack techniques, a modern IT estate will support a robust cybersecurity programme that can either prevent an attack or at least improve the speed of detection, containment and remediation if one does occur. This includes encryption of data at rest and in transit, backup and recovery systems that are tested regularly so that restores actually work when they are needed, and multi-factor authentication for all logins. A security incident response plan should also be developed and rehearsed so that an attack can be identified, evaluated and contained quickly, and so that lessons learned help prevent a similar one in the future.

Granting access to patient information securely
Europe's General Data Protection Regulation gives individuals the right to find out what personal data organisations hold about them, why they hold it, and which third parties they disclose it to. These are referred to as subject access requests (SARs), and they can be submitted via whatever channel the individual prefers; no particular form or wording is required. They must be responded to without undue delay and in any event within one month of receipt, a period that can be extended by up to two further months for complex or numerous requests, provided the individual is told why within the first month. As citizens become increasingly aware of their own data privacy, SARs are expected to increase, and healthcare leaders must be prepared to respond appropriately and consistently.

Responding to such requests can be very time-consuming. There is also the risk of disclosing information to an impostor pretending to be the data subject, which would itself be a breach. For this reason, it is extremely important for healthcare leaders to be cognisant of the correct procedure for validating identity, proportionately and before any data is released, and for granting access securely through a channel that belongs to the verified requester.

Best practice information security measures
All employees should be provided with clear and concise written policies covering the key aspects of information security, including the acceptable use of their laptops, phones and other devices. All employees should also be given cybersecurity training, which will help to keep them alert to phishing and malware attacks.

In the case of remote employees, particularly those who handle sensitive records, formal training on your privacy policies, and the tools that prevent misuse, should be provided as well.

For optimal remote working security, it is advisable to build out official company policies covering the following: conducting company business on personal computers or phones; copying business records to personal devices; sending business records to personal email or to any other email address outside your company domain; printing business documents at home; and using personal flash drives to store business information.

Healthcare providers must also ensure that any third-party partners meet the same regulatory obligations and have suitable data security measures in place, backed by a written data processing agreement that sets out what the partner may do with the data. Every external organisation with access to patient data is another avenue through which that data can be exposed.

Secure paper document disposal
Although digital transformation has taken hold within healthcare settings, the industry is still exceptionally reliant on paper records. Any data security protocol should therefore also account for the secure storage and disposal of paper documentation. Despite long-term innovation and the moves being made towards digitisation, the reality is that paper records will exist in healthcare for a long time to come.

When the time comes for older records to be digitised and physical documents are ready for disposal, they should be shredded in accordance with privacy and data protection regulations to avoid penalties, fines or legal action. Standard office shredders do not usually offer a fully compliant process, so an external provider is key. The provider should be certified to ISO 9001 (quality management) and ISO 14001 (environmental management), and should comply with EN 15713, the European standard for the secure destruction of confidential material. Furthermore, shredding operations should be fully monitored by 24-hour CCTV, with all materials handled by staff who have been security screened to the BS 7858 standard.

Finally, as information compliance is an ever-changing landscape, it can be very valuable to engage consultants who stay up to date with regulations and best practice and can ensure you have effective, cross-functional Information Governance in place. In a world where data breaches have the potential to cause so much damage, prioritising data security in healthcare truly is a must.

Simon McNair is the director of Public Sector at Iron Mountain
