The advancement of technology can be a double-edged sword in healthcare. Through technological advancements, we can make the lives of our staff and our patients much easier and make healthcare more accessible. However, with the same advancements in technology, cybercriminals are finding new ways to breach into healthcare systems and take what they want. We can’t give up the digital transformations we’ve made in our organizations but we also can’t ignore the looming threat of security threats and ransomware attacks. So what is the balance between the two? How can healthcare organizations ensure the security and privacy of patient data while managing large volumes of electronic health records (EHRs)? We reached out to our incredible Healthcare IT Today Community for their insights into this question and the following is what they had to share.
Andrew Hines, Chief Technology Officer at Canvas Medical
While managing large volumes of electronic health records, it’s critical to keep patient data safe and secure. Healthcare organizations need to prioritize this, but shouldn’t try to reinvent the wheel. Choose a cybersecurity framework like HITRUST, apply it, and get external auditing and validation to ensure security. Also, make sure your core IT vendors — especially your EHR and any analytics vendors — do the same.
Flavio Villanustre, SVP, Technology & Global Information Security Officer at LexisNexis Risk Solutions
Although securing data in today’s complex healthcare technology infrastructure environment can be very challenging, there are a few key rules of thumb that when applied comprehensively can help reduce the likelihood of a catastrophic incident. Since most incidents start with a compromised individual account through a malicious email, security awareness is paramount. Additionally, enforcing strong multi-factor authentication in every system can help mitigate the impact of a compromised identity.
Besides these measures, protecting sensitive data in transit and at rest through robust encryption and mature key management processes can act as a layered control to ensure that data cannot be improperly accessed if it leaks through any other mechanism. Finally, since threat actors can find ways into the environment containing sensitive data despite comprehensive preventative measures, segmenting the environments to prevent lateral movement and continuous vigilance through adequate attack detection mechanisms is key.
James Rice, Vice President of Solutions Engineering at Protegrity
Healthcare organizations can ensure secure patient data by enabling advanced data-centric security, including tokenization, masking, and anonymization, to ensure sensitive information remains protected and obfuscated while at rest, in transit, or in use. These privacy-enhancing techniques help protect sensitive health information at the source while also maintaining usability across large-scale EHR systems. By integrating data protection and privacy directly into the data itself, organizations will be able to unblock sensitive EHR data for internal and external consumption while also ensuring that even if a breach occurs, the patient information remains inaccessible and unusable to unauthorized or malicious users.
Shay Perera, Co-Founder and CTO at Navina
As healthcare organizations manage ever-growing volumes of digital patient data, ensuring security and privacy requires more than just technical defenses. It involves a comprehensive approach that integrates strong governance policies, advanced technology, and vigilant human oversight. At the same time, it is important to remember that security is not only an end in itself but also a crucial enabler of quality care. Proper treatment of patient data allows the harnessing of this information to deliver the best possible care. This should always be the guiding principle.
A critical strategy for achieving this goal is the adoption of multi-layered defense mechanisms, including encryption, data masking, continuous monitoring, and regular security audits. It’s equally important to embed these security measures seamlessly into workflows so they don’t become barriers that slow down care delivery. Ultimately, healthcare organizations must implement systems that are secure by design, yet flexible enough to meet the fast-paced demands of modern healthcare environments.
Thomas Kavukat, Chief Technology Officer at RXNT
Security and privacy are paramount in any healthcare organization, whether you’re an established practice with huge volumes of records, a growing practice with increasing volumes of records, or especially a practice still trying to convert from paper records. There are a number of important factors to consider to protect your valuable patient health information (PHI), many of which revolve around your medical software provider:
Where is your vendor hosted? Is that host SOC-2 Type II certified? Hosting providers aren’t created equal—make sure you understand the risks and benefits of AWS, Azure, Google Cloud, Oracle, etc. All hosts will ensure strict security protocols, but compliance standards vary, and it’s up to the vendor to maintain tight configurations and standards of their own.
Is your software cloud-based or server-based? They each provide varying levels of risk, but at their core, server-based platforms are stored and managed on your organization’s premises via local servers, and all setup, maintenance, updates, and security need to be managed by the user. In contrast, cloud-based platforms store data on secure, encrypted external servers accessible via an internet connection, and maintenance, security, and updates are conducted regularly and automatically for the user.
Does your vendor maintain proper certification and compliance? Look for HIPAA compliance, EPCS compliance, HITRUST certification, ONC Certified HIT certification, SOC-2 Type II certification, and more.
What security measures does your platform implement? Look for a variety of security measures like encryption of your data at rest and in transit, multi-factor authentication, backups and recovery systems, limitations and controls on user access, security assessments, and more.
Additionally, there are many steps that can be taken by healthcare organizations to prevent breaches in security and privacy, such as:
- Regular training on HIPAA best practices and data security protocols
- Converting paper records, notes, encounters, bills, etc. to more secure digital storage
- Establishing “minimum necessary” rules to limit the usage of data to only what is needed for the disclosed purpose
- Outlining clear security and privacy policies for all employees, and accountability for those protocols and policies
- Limitations on patient data access based on role or tenure with user controls, ensuring only authorized personnel can access information
Saji Rajasekharan, Chief Technology Officer at Experity
Healthcare organizations can ensure the security and privacy of patient data while managing large volumes of EHRs by leveraging robust health information management practices alongside secure, integrated EMR and practice management (PM) systems. These practices play a critical role in maintaining data accuracy and compliance with regulations like HIPAA, while EMR and PM systems ensure data is encrypted and accessible through role-based controls. Seamless integration between EMR, PM, and health information management systems streamlines data handling and reduces risks. With regular updates, staff training, and best practices, patient information can be better protected, allowing organizations to securely manage operations while also ensuring patient privacy.
Jitin Asnaani, Chief Product Officer at Rhapsody
Healthcare organizations can secure patient data while managing electronic health records (EHRs) by following a few essential steps
- Choose Certified EHR Systems that Meet Strict Security Standards: this will ensure strong access controls, encryption, and audit logging; implementing robust user access measures—like automatic time-outs and emergency access—helps prevent unauthorized access
- Data Encryption is Crucial: Organizations must protect patient information both when it’s stored and by using secure protocols like TLS during transmission; regular audit logging allows for tracking how patient data is accessed or modified, helping to spot potential security issues
- Assess Security Practices and Verify Industry Standards: This is important when selecting software vendors as well as ongoing training for staff on data security best practices to reduce risks related to human error
- Verify Vendor Data Security, Privacy, and Cybersecurity Governance: For example, ask for ISO 27001 or SOC 2 Type 2 reports and the statements of applicability; validate that the EHR system is fully covered by these governance programs
Keavy Murphy, Vice President of Security at Net Health
To ensure data privacy in healthcare applications, proactive cybersecurity measures are key. Code scanning plays a crucial role in securing Protected Health Information (PHI) before applications or software are delivered to end users. Code scanning involves the thorough examination of software code for vulnerabilities and security flaws prior to deployment and is considered a key step in a robust software development lifecycle (SDLC). It is among the most effective ways to identify areas that may be exposing sensitive data, including PHI.
Healthcare organizations should verify that the technology they rely on to manage large volumes of EHRs is code-scanned prior to use. To do so, they should conduct proper due diligence on all healthcare software vendors to confirm if they utilize reputable tools for scanning and vulnerability management. If these technologies are created in-house, the organizations must also invest in scanning tools to assess their code as a risk reduction measure. Since vulnerabilities in code can be exploited by malicious actors to exfiltrate sensitive EHRs, code scanning remains a crucial measure to protect healthcare facilities and their patients.
David Slazyk, Chief Information Officer at Nextech
Health Information Management professionals must stay grounded in privacy and security best practices to safeguard large amounts of valuable patient data. Frameworks such as Zero Trust are vital to this process, going beyond basic privacy standards, including HIPAA, and taking cybersecurity parameters further. Compliance is important, but healthcare leaders can’t stop there. Maintaining an ultra-secure yet adaptable approach to patient data must be a top priority amid evolving cyberattacks. Proactive defense against cyberattacks is the best way to protect patient information.
Additionally, AI continues to be a strategic focus for many technology executives; however, these leaders must evaluate AI solutions before implementing this technology into their systems. Responsible data stewardship is imperative for any healthcare organization, so constant discernment, education, and risk assessment are needed to integrate emerging technology properly and understand AI’s best uses and pitfalls within your organization. With an informed, thoughtful approach and strategic IT team, AI has the potential to enhance and improve data integrity processes.
So many great insights here! Huge thank you to Andrew Hines, Chief Technology Officer at Canvas Medical, Flavio Villanustre, SVP, Technology & Global Information Security Officer at LexisNexis Risk Solutions, James Rice, Vice President of Solutions Engineering at Protegrity, Shay Perera, Co-Founder and CTO at Navina, Thomas Kavukat, Chief Technology Officer at RXNT, Saji Rajasekharan, Chief Technology Officer at Experity, Jitin Asnaani, Chief Product Officer at Rhapsody, Keavy Murphy, Vice President of Security at Net Health, and David Slazyk, Chief Information Officer at Nextech for taking the time out of your day to submit a quote to us! And thank you to all of you for taking the time out of your day to read this article! We could not do this without all of your support.
How do you think healthcare organizations can ensure the security and privacy of patient data while managing large volumes of electronic health records (EHRs)? Let us know either in the comments down below or over on social media. We’d love to hear from all of you!
No comments:
Post a Comment