How to maintain patient information security

How to maintain patient information security

As the healthcare sector adapts in the wake of the continuing pandemic, the increasing digitisation of healthcare services and patient information poses ongoing challenges, particularly around the protection of personal data and patient confidentiality.

Digital transformation has been key to streamlining services and optimising administration systems so that healthcare professionals can be more available and able to do their work. However, with the introduction of electronic health records (EHR), the threat of data breaches and hackers accessing confidential information via patient records has inevitably become higher.

Data protection acts help to keep patient data secure

In 2018, the European Union (EU) implemented the General Data Protection Regulation (GDPR). This affected how the data of European citizens were handled and stored across the world, not just in Europe. Some of the latest Caribbean countries to enact their own set of data privacy laws similar to Europe’s GDPR, are Barbados and Jamaica.

The Barbados Data Protection Act was passed in 2019 and became fully enforced in 2021 to allow time for staff members within organisations to familiarise themselves with the Act and to ensure compliance. In the same way, Jamaica’s Data Protection Act was passed by the Senate on June 12, 2020, but the supporting regulations are still pending. The transitional period in which to comply is projected to potentially run into 2023.

The Jamaica Data Protection Act details eight standards that appointed data controllers must uphold when processing personal data such as health information:

  • Fair and lawful processing

Data must only be processed if the subject gives their consent to the processing of personal data, and this consent has not since been withdrawn. For the processing of sensitive data, consent must be written.

  • Obtained only for specified lawful purposes

Data should be collected only for specified and lawful purposes and should not be processed in any manner that is incompatible with those purposes. 

  • Data quality

Personal data collected must be adequate, relevant, and deemed necessary in relation to the purpose for which the data is processed.

  • Accurate and up to date

The data should be accurate and kept up to date when necessary.

  • Limited retention

The data should not be kept for longer than necessary and when disposed of it should be in accordance with regulations.

  • Processed in accordance with the rights of the data subjects

The Act outlines the rights regarding access to personal data, processing data for direct marketing, and failure to comply with a notice.

  • Protected by appropriate technical and organisational measures

Additional technical and organisational measures are requisites, as is the allocation of a data controller.

  • International transfers

Similar to the GDPR, the transfer of data outside of Jamaica is prohibited unless an adequate level of protection can be ensured. 

What security measures and safeguards can healthcare providers enforce?

Guaranteeing patient privacy is of primary importance, so as well as observing legal obligations, how can healthcare organisations protect themselves against cyberattacks?

Control data accessibility

The Health Sector Cybersecurity Coordination Centre (HC3) which is part of the U.S. Department of Health and Human Services (HHS) released a brief in April 2022 called Insider Threats in Healthcare which highlighted the importance of controlling data accessibility. Only 14% of insider threat incidents were malicious but 61% were due to negligence and 25% specifically due to stolen credentials. For this reason, patient information should be accessible on a need-to-know basis. Limited numbers of staff should have the ability to grant that access. The protected health information (PHI) should be viewed briefly and never left unlocked or unattended.

Coach employees on how to be vigilant and recognise potential attacks

People are generally more aware of cyber scams and what a phishing email looks like, for example. These usually contain a link or an attachment that when clicked or opened releases malware that extracts personal data. But training staff to spot various cybersecurity threats or suspicious behaviour will help them to feel more familiar with common tactics and so be more confident to raise the alarm.

Secure wireless networks and messaging systems

More wireless connections mean more possibilities of attack and organisations can de-prioritise wi-fi security when the feeling is that it’s primarily used by patients on their own devices. These networks require as much vigilance as any other within the organisation. Passwords can be regularly updated as a matter of routine and not publicly displayed. Firmware should be routinely checked for updates, as these contain vital security patches that prevent hackers from accessing your network. Removing ex-employees from whitelists for messaging services and deactivating their accounts avoids any malicious or unintentional breaches.

Implement endpoint protection solutions

An endpoint is the point at which two software programmes communicate with each other. As more devices become connected to one another and different platforms share information, the number of these endpoints increase. Monitoring each endpoint is vital to ensure healthcare data security. Application whitelisting and access control practices such as authentication help to verify legitimate users and protect all possible endpoints.

Regularly carry out an audit of devices that data passes through

Devices that measure patient data are often connected as part of the Internet of Things (IoT). Because they contain smart sensors, they can inadvertently become connected to other devices or be more vulnerable to cyberattack if not routinely checked for security threats. IT departments can carry out risk assessments and provide staff with support to make sure that any personal devices are protected in line with security policies. Software tools can help to identify when new devices enter the network and help to maintain an inventory of recognised devices.

Go one step further with device encryption

Ideally, all mobile devices and laptops used by clinicians, members of staff, business associates, and carers with access to the personal healthcare information of patients should be encrypted. Encryption bolsters cybersecurity defences because a key is required to break the code which is more likely to deter cybercriminals. Medical records themselves and sensitive information may also be encrypted.

Become a leader in healthcare management with an MBA

The healthcare system and all associated organisations, from hospitals and mental health facilities to diagnostic centres and pharmaceutical companies, are more and more subject to cybercrime and susceptible to threats such as ransomware attacks. A study of healthcare cyberattacks in over 30 countries carried out by the CyberPeace Institute showed that between June 2020 and September 2021, over ten million medical records were stolen.

Patient safety is a priority for the healthcare industry and offering patients reassurance of their personal healthcare information security is integral to this. Discover how to implement security policies and protocols effectively with a 100% online MBA Healthcare Management from the University of the Commonwealth Caribbean and secure a qualification that supports your career progression.