The warning bell’s been ringing for a few years now, but it looks like reality is finally starting to hit the healthcare industry — criminals have figured out just how valuable healthcare information is.
Sitting at 50 times the value of credit card data, it’s no wonder so many cybercriminals target healthcare organizations. Unfortunately, cybercrime isn’t the only or even the main threat healthcare security professionals should be concerned with. A report from the Protenus Breach Barometer reveals that while hacking accounted for 32 percent of breaches during a period in 2017, it was beaten out by insider error and wrongdoing at 41 percent.
Hospitals and healthcare providers who want to prepare for the impending rise of threats to patient data need a clear understanding of the physical safeguards required to keep their facilities dynamic and prepared for the future of healthcare security.
What Are Physical Safeguards?
Before we examine the part physical safeguards play in any patient data protection strategy, it’s helpful to cover how HHS defines them:
Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion. The standards under physical safeguards include facility access controls, workstation use, workstation security, and device and media controls. The Security Rule requires covered entities to implement physical safeguard standards for their electronic information systems whether such systems are housed on the covered entity’s premises or at another location.
This is just the beginning though. Most data storage lives in the digital realm, but physical safeguards still matter on a broad level, largely because much healthcare information is still stored physically and access to systems and storage is still largely tangible. For example, think of all the mHealth devices — laptops, tablets, smartphones, etc. — that provide access to the digital data that’s so valuable to criminals.
To get a solid grasp on physical security, it can help to think of physical safeguards from three different perspectives:
Access controls (how an organization decides to vet and manage who can access and view health information) are a pillar of medical record security at any facility, with most occurring at a macro level (e.g., doorways and building alarm systems vs. cabinets and storage). As simple as this might seem, studies indicate that many facilities aren’t taking access controls seriously.
A Ponemon Institute study reveals that 65 percent of providers indicated they had access to patient information they didn’t need to fulfill their duties, and that 56 percent believed their organizations protected company data at only a low to moderate priority level.
Facility security is the primary line of defense for multiple vulnerabilities in healthcare organizations. This includes physical information but also health information storage devices that grant convenient access to large amounts of sensitive data. It also protects the equipment itself, which can be attractive to criminals interested in profiting from the sale of medical devices.
Proper disposal of PHI isn’t mentioned as often in the physical security discussion, but with accidental breaches popping up in the news on a regular basis, proper storage and disposal processes should be a priority for any facility.
The Key Layer of Physical Security
It’s important to keep in mind that physical security doesn’t exist in a vacuum.
Modern healthcare organizations should be taking a layered approach to data security that incorporates and aligns physical, logical, and compliance-based security. This holistic approach isn’t effective without a robust hospital physical security strategy.
Take for example “The Microfiche Incident” at Texas Health Harris Methodist Hospital Fort Worth just a few years back. A portion of microfiche that should have been destroyed by a paper-shredding vendor was found to have been removed from a reportedly secure locker and was later found in a park. That microfiche included patient names, addresses, dates of birth, medical record numbers, clinical information, insurance information, and some patient Social Security numbers.
Even today, medical data storage involves backup tapes, recovery drives, and rack lockers, meaning that physical security has to include not only ID checks and video monitoring, but also more modern solutions like biometric and RFID access control.
The Future of the Dynamic Healthcare Organization
Too many healthcare organizations are left playing catch-up to the world of physical data security, largely because they’re approaching these questions as an afterthought instead of incorporating physical safeguards and data security planning in the early stages of building and design.
Addressing these issues in the future will require moving past reactive habits and into an era where strategic handling of data security meets our advanced use of that same data to enhance the patient experience and outcomes. Physical security is a foundational consideration in that evolution, which is why Senseon focuses our years of engineering experience on creating access control solutions that help any organization step into the future of dynamic healthcare.
To learn more about the future of access control that protects not only your data and medication but also allows for activity monitoring and unobtrusive integration into your facility’s aesthetic, start here.