Tag: security breaches

03 Oct 2019

A Sensitive Issue: Secure Message Encryption for Large Healthcare Networks

Large regional health authorities can employ thousands of people and have a volunteer network in the thousands or tens of thousands. And, since health authorities send, receive and store so much personal and medical data, secure communications are essential.

Here’s why healthcare organizations are vulnerable to privacy breaches, the consequences of mishandling patient data and how encryption makes secure communications possible for health authorities with a large staff and volunteer base.

Why healthcare organizations are vulnerable to privacy and security breaches  

According to a recent report[i], 18 per cent of all cybersecurity breaches happen in healthcare. And internal actors—including employees, former employees, contractors and business associates—cause 59 per cent of the breaches in healthcare.[ii]

Here’s why healthcare organizations including health authorities are vulnerable:

 

  • Lack of training for staff and volunteers – The top two patterns in healthcare breaches relate to miscellaneous errors and privilege misuse. Privilege misuse is about employees peeking into patient records that they have access to but shouldn’t be looking at. Training can help build a culture of privacy and security at healthcare organizations and help staff understand the real consequences of snooping. In 2018, for example, The Ottawa Hospital fired an employee for peeking at 30 patient files and the year before, a student intern was fined $25,000 for accessing the personal health information of 139 people (also in Ontario).

 

  • Outdated communication tools – Some communication tools simply aren’t secure. This includes old pager systems used to send messages—including patient information, diagnoses and hospital room numbers—over unencrypted radio frequencies. When unencrypted communication methods are the path of least resistance, they’ll continued to be used, despite privacy issues.

 

  • Inconsistent mandatory reporting – While mandatory reporting of data breaches is standard across most states and Europe, that’s not the case in Canada. Reporting data breaches isn’t yet mandatory in Manitoba, Quebec or British Columbia. Mandatory reporting is positive because it brings breaches into the public eye—which can encourage organizations to act quickly to resolve security issues.

 

The consequences of mishandling patient data

In Canada, heath information is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA). When health authorities mishandle patient data, patients lose trust in them, they come under fire from local privacy watchdogs and they can incur significant costs and fines. For example, at Capital Health in Nova Scotia, one employee improperly accessed the private health records of 105 people over six years—which cost Capital Health a $400K settlement.[iii]

For healthcare organizations with a large employee and volunteer base, encryption reduces the likelihood of mishandled patient data while increasing cybersecurity.

What does encryption do?

Encryption converts data and information into a code to prevent unauthorized access to the data while it’s in transit and at rest. It simply means private information is kept private. When choosing an encryption solution, algorithms aren’t the primary differentiators because almost all contemporary security products feature 2048-bit RSA encryption, 256-bit AES encryption and SHA2 signatures.

Instead, the real encryption differentiator is customer experience—how easy is it for patients, employees and volunteers to use the encryption solution? Our OneWorld encryption platform is user-friendly and seamlessly integrates into existing workflows.

5 ways the OneWorld encryption platform makes secure communications possible for health authorities

 

  1. Automatic encryption – Policy-based encryption allows you to automatically secure communications based on their content. For example, with Echoworx’s OneWorld encryption platform, emails with sensitive information—including protected health information—are automatically identified, securely routed to the OneWorld web portal and encrypted. Encrypted delivery methods include TLS encryption, encrypted PDFs and attachments, certificate encryption and web portal encryption.

 

  1. Reporting and monitoring – In cybersecurity, it’s important to be able to identify and investigate irregular communications. For example, you should be able to see who sent any email you’re reviewing, when it was sent and whether it was opened or not. Reporting and monitoring helps you reduce the risk of internal cyber vulnerabilities.

 

  1. Communications control – With so many employees, volunteers and healthcare partners, it’s easier than ever for sensitive data to leave the safety of your corporate network, either intentionally or accidentally. You can prevent this with communications controls such as preventing email forwarding, setting automatic encryption based on the type of email, keywords, phrases and attachments and enabling a single sign-on solution—to keep sensitive information on your protected network.

 

  1. Path of least resistance – With a user-friendly encryption platform in place, regional health authorities maintain control over their communications and make security the path of least resistance for their end-users. If an encryption platform makes more work for employees, they won’t adopt it. But when it seamlessly integrates into existing daily tasks, they will. User-friendliness isn’t a nice to have; it’s what makes widespread implementation possible.

 

  1. Positive return on investment – While encryption is no longer optional, health authorities can save money by investing in the right platform. For example, the Forrester Total Economic Impact™ study revealed that organizations that adopt Echoworx’s OneWorld encryption platform can expect a return on investment of 155 per cent, a payback period of seven months and the unquantified benefits that come with enhanced customer experience and reduced downtime.

 

If your regional health authority has thousands of employees and volunteers communicating with patients and other healthcare organizations, choosing the right encryption platform is an essential part of your cybersecurity program. Why wait? Reduce the likelihood of mishandled patient data by enabling automaic encryption for thousands of employees. Contact us today.

By: Michael Roberts, VP of Technology, Echoworx

 

Source:

[i] Cyber Security and Healthcare: An Evolving Understanding of Risk (Symantec)

[ii] Verizon’s 2019 Data Breach Investigations Report

[iii] https://www.cbc.ca/news/canada/nova-scotia/capital-health-privacy-breach-proposed-settlement-1.4858784