Chiropractic + Naturopathic Doctor • May 2018 • Data Diligence

In 2017, headlines from across the world showcased hackers targeting multinational corporations, government agencies and charities, among other organizations. As executive leaders recognize the impact of cyberattacks, more organizations are prioritizing security.

While organizations that collect private data – for example, credit card information or home addresses – have been hit hard, a top-targeted industry for cyberattacks is health care. Hospitals, doctors’ offices and other clinics are at risk of an attack because most systems contain electronic health records (EHRs) full of valuable data, such as social security numbers, birth dates, and billing and health information. Health care organizations are most likely to pay ransom because the compromised data is time-sensitive and can damage their reputation.

Most hospitals have dedicated IT security staff, but primary care clinics often don’t have the same sophisticated IT infrastructure in place to prevent, detect and respond to breaches. Yet after a string of attacks, it’s clear security must be everyone’s business, at every endpoint.

This is complicated by the nature of the health care industry today: clinicians and health care staff are highly mobile, and a typical day means going from patient room to patient room, and from one specialization to the next. This extends outside the hospital itself since information is needed from remote locations like home offices. The data contained in EHRs often follows a long care journey – from primary care physicians, to hospitals, to specialist offices such as chiropractors – with many opportunities for tampering. So, while EHRs have enhanced the digitization required for health care, having digitized data can bring new challenges of its own.

An array of new internet-connected medical devices pose additional challenges for health care providers because they are easily hackable and can put patients at risk. Without shying away from adopting new technology, while also keeping patient information safe and making privacy a priority, what can health clinics do to secure their patient’s health data?

Creating a secure digital workspace ensures medical professionals get the benefits of mobility without the vulnerability. And, while completely eliminating risk is never possible, there are ways companies can manage risk in smart, secure ways.

Virtualization is one method of managing risk. Virtualization is concerned with where the data behind the desktop is stored. If a doctor can log into a work desktop from multiple computers, that means the desktop is virtual and accessible from anywhere. The data is stored on the servers, and just being accessed through the computer, nothing is stored there. So, imagine being able to access a virtual desktop from anywhere – your phone, or your laptop.

Virtualization enhances security because data remains protected at the data source – the server or the cloud – rather than the user’s device. Often these “endpoint” devices are the most vulnerable to threats like malware and phishing. This extra layer helps protect patient information by storing it in a centralized, secure data center.

In the health care industry, more hospitals and clinics are starting to adopt virtualization for several reasons. For example, regardless of practice size, health care organizations generate copious amounts of data and don’t have the capacity to store it, or the hiring capacity to manage it with designated IT staff. Having a third-party technology vendor that specializes in virtualization allows hospitals and other health organizations, such as chiropractic offices, to store the data and get the expertise they need without having to hire.

As work becomes increasingly mobile, it is not enough to simply have access to your files; you must be able to access, sync and share files from any device to the rest of your team, at any time, and from any location. This capability is especially crucial in health care, which is time-sensitive and urgent, and where having up-to-date information is vital.

Health care operations should always be looking for ways to improve service, lower costs levied to patients, and provide ease of mind. With secure data management tools and policies, keeping patient data secure and providing a seamless user experience can complement instead of compete with one another

CHING MAC is responsible for the overall management of the commercial business across the Citrix product portfolio, leading teams focused on field and channel engagement with end customers. He has been at Citrix for 13 years, previously holding several leadership positions on the Canadian management team. citrix.com

The Canadian Medical Protective Association’s (CMPA) October 2013 publication, “Protecting patient health information in electronic records,” suggests considering the following tips when using electronic records and other technologies:

○ Be aware of and follow relevant guidance from Colleges or other authorities, as well as the privacy legislation that applies to your practice and jurisdiction.

○ Use data sharing agreements to clarify obligations when sharing patient information.

○ Refrain from removing unencrypted, identifiable personal health information from the health care institution’s premises and from storing identifiable personal data on unencrypted mobile devices.

○ Follow the health care institution’s privacy policy and procedures, and access agreements.

○ Use encryption for patient health information stored on a desktop, a laptop, or a mobile device. Determine if better protection is needed for any mobile devices containing patient health information, including the ability to remove data remotely should the device be lost or stolen.

○ Refrain from using public wireless networks (hotspots) and free email services to access or share patient health information.

○ Remember to update electronic security measures including password protection, encryption software, and any required security patches.

○ When disposing of any device, ensure patient information is permanently deleted or irreversibly erased.