Healthcare providers are no strangers to data security. When it comes to HIPAA, for example, they’ve long known how important it is to keep patient information safe and secure from prying eyes.
With so much hospital information now stored in digital form, primarily in databases, the need for strong hospital data security has never been greater. But what are the risks of database intrusions? And how can hospitals make sure their databases are as secure as possible?
Database Security Risks for Hospitals
Practically all the information hospitals collect, store and use exists in any number of databases. Everything from patient information (EHRs) to patient satisfaction systems, lab processing to employee records, financial results to billing and payment processing – almost any application you find at a hospital runs on a database.
With that mass of data comes a certain amount of risk, much of it unexpected. Hackers have been diligent in their search for structural weaknesses they can exploit in databases. The Office of Civil Rights reports that, in 2015, more than 112 million patient records were compromised. Cybercriminals continue to try to gain access to healthcare records, which they see as a valuable commodity.
One of the more recent trends is the abundance of ransomware, which cybercriminals use to hold data hostage while demanding a ransom that must be paid before the data is released. Some hospitals feel they have no choice but to pay the ransom – such as the nearly $17,000 one Los Angeles hospital paid in 2016 to regain access to its computer systems – or else suffer the dire consequences of starting over from scratch.
As more and more hospitals look to the cloud as a way to share data and streamline internal processes among their employees, cybercriminals are hard at work searching for ways to break cloud security and steal patient records and other data. Utilizing mobile devices like smartphones, tablets and laptops can also create security issues.
How Can Hospitals Keep Databases Secure?
There are a number of best practices hospitals can follow to strengthen security around their database information. Here are some of the most common:
- End-to-end Encryption. Data is most vulnerable not when it’s created or stored but when it’s transmitted between devices. It’s important to make sure sensitive data is encrypted when it’s sitting idly in storage or being used in an application. It’s even more important that it be encrypted when being transferred, such as between internal systems and the cloud or between a network server and a mobile device.
- User Security. It goes without saying that strong passwords are essential for protecting data like patient information. Passwords should include special characters and be changed frequently. Even better would be a combination of a strong password and PIN code – such as those generated by a security token – to gain access to an application housing sensitive data.
- System Backups. Backing up data is a necessary step for any security best practice. If data is lost or stolen, it can be restored. But backups should be made on a different network from the live data. Otherwise, cybercriminals can hijack both the live data and the backup data. The backups should also be encrypted to prevent unauthorized access.
- Cloud Security. The convenience of the cloud is indisputable, as mobile devices make it easier for doctors and other practitioners to access patient information wherever they are. But cloud systems also create a riskier environment, where hackers can more easily intercept and steal data. It’s vital for hospitals to employ a cloud provider that understands and actively monitors cloud security.
- Securing Input and Output Files. Cybercriminals can target not just your databases and backups, but the files that ordinarily flow into and out of your databases. If these input and output files – such as reports and work files – contain sensitive information, they should be classified and secured to prevent cybercriminals from obtaining their contents.
- DBA Service Providers. When considering healthcare security solutions, hospitals might consider contracting with a database administrator (DBA). A quality third-party vendor can provide hospital IT solutions that both optimize database efficiency and protect the hospital from cyber attacks.
Hospital data security should be viewed as part of an overall strategy for managing database information for the best benefit of the hospital. A knowledgeable and sophisticated DBA expert can help hospitals protect their data. A DBA expert can also help hospitals use this data for business intelligence (BI) purposes beyond the scope of each individual database application.
HIMSS, the Healthcare Information Management Systems Society, is continually helping healthcare providers evolve and stay secure through the use of information technology. RDX will be exhibiting at HIMSS18, taking place March 5-9, 2018, at the Sands Expo Center in Las Vegas. We hope to see you there.