In the two years since the COVID-19 pandemic started, Americans have lived through the most significant economic disruption since the Great Depression and the deadliest public health event since the Spanish Flu more than a century ago. But the country has also seen an incredible response from health departments and pharmaceutical companies to blunt the spread of the disease while developing vaccines and innovative therapy to protect or treat the infected.
However, the response to this disease has raised many new issues for hospitals, public health departments and medical professionals — how can organizations safely collect and distribute sensitive personal data that is compliant with HIPAA regulations?
The pandemic has seen an explosion in medical records. There are test results for the virus, vaccine records and, for those hospitalized, there is a list of drugs or treatments the patient received. On top of that, public health departments need to keep track of many different figures, like vaccination rates, the number of patients in the state's ICU, or those who have died due to the disease. In short, a large amount of data needs to be collected and shared securely. Here are some strategies and procedures to help prevent this highly confidential information from being breached or misused.
De-identify data
When patient information is shared outside of a healthcare setting, the data should be scrubbed of anything that identifies the patient. Various types of software can readily remove personally identifiable information (PII) such as names, addresses, birth dates, and Social Security numbers from records. Without that information, the data can still help officials manage the pandemic response with no chance of anyone matching records to patients.
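The scrubbing step described above, as an added example that is not from the original article or any particular product. It keeps only an allowlist of clinical fields (so an unexpected field is dropped by default rather than leaked), truncates the test date to its year (HIPAA's Safe Harbor method treats date elements finer than a year as identifiers), and re-scans the result for Social Security number patterns before release. The field names and sample records are constructed assumptions about the record layout.

```python
import re
from typing import Any

# Clinical fields this example allows through (assumed record layout).
CLINICAL_FIELDS = {"test_result", "test_date", "vaccine_doses", "treatments", "icu", "outcome"}

# US Social Security number pattern, used as a post-scrub leak check.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample records: direct identifiers mixed with clinical data.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "address": "1 Main St",
     "birth_date": "1958-03-09", "test_result": "positive", "test_date": "2021-11-02",
     "vaccine_doses": 2, "treatments": ["remdesivir"], "icu": True, "outcome": "discharged",
     "notes": "Patient SSN 123-45-6789 confirmed at intake"},
    {"name": "John Roe", "ssn": "987-65-4321", "test_result": "negative",
     "test_date": "2021-11-03", "vaccine_doses": 3, "icu": False},
]


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of `record` containing only allowlisted clinical fields."""
    clean: dict[str, Any] = {}
    for key, value in record.items():
        if key not in CLINICAL_FIELDS:  # names, SSNs, free-text notes, unknown fields: dropped
            continue
        if key == "test_date":  # Safe Harbor: keep the year only
            value = str(value)[:4]
        clean[key] = value
    return clean


def find_leaks(record: dict[str, Any]) -> list[str]:
    """Return the keys whose string (or list-of-string) values still contain an SSN pattern."""
    leaks = []
    for key, value in record.items():
        text = " ".join(value) if isinstance(value, list) else value
        if isinstance(text, str) and SSN_RE.search(text):
            leaks.append(key)
    return leaks


def deidentify_all(records: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Scrub every record and refuse to release a batch in which an identifier survived."""
    out = []
    for record in records:
        clean = deidentify(record)
        if leaks := find_leaks(clean):
            raise ValueError(f"identifier survived scrubbing in fields {leaks}")
        out.append(clean)
    return out


if __name__ == "__main__":
    for clean in deidentify_all(SAMPLE_RECORDS):
        print(clean)
```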
Control of the cloud
Many healthcare systems and departments use cloud-based storage for these records. It makes the data accessible to authorized personnel regardless of where they are or the time of day. Cloud providers can help ensure that the servers run current software and have up-to-date security patches to eliminate known vulnerabilities. The provider's platform monitors and logs every attempt to access the system and can recognize brute-force attacks as they occur and block them.
While cloud platforms maintain the infrastructure configuration and security, it is still the user's responsibility to apply these updates and patch their own environments effectively. The user also remains responsible for securing the data that resides within the infrastructure. Security measures such as end-to-end data encryption and two-factor authentication (2FA) go a long way toward protecting the data from external threats.
Securing laptops and mobile devices
Today, the majority of people work with laptops or smartphones. They are powerful, convenient and connected. But they can be lost or stolen because they are designed to be easily carried. There are two methods to secure these devices to ensure their information is not stolen.
Cybersecurity teams should encrypt the device using full disk encryption. The system requires the user to enter a password to unlock the hard drive. If they fail to enter the correct password after a few tries, the device locks down and requires a unique recovery key to access the data, which only a system administrator possesses.
IT departments should also set up mobile devices to continuously back up new data to the cloud. That way, if the device is lost, damaged or stolen, the information can still be restored on a different device. It is equally important that system administrators have remote access to the device so that it can be wiped remotely if it is misplaced.
Safety never takes a break
Cybercriminals are always looking for ways to exploit vulnerabilities in systems, and public health organizations can be targeted. For that reason, cybersecurity professionals need to monitor their systems constantly, make sure they run the latest updates, encrypt data, and retain the ability to wipe devices remotely. Failing to take these precautions can lead to significant monetary penalties or reputational harm. Employing them, however, is neither onerous nor expensive, and the investment is cheaper in the long run than the cost of a breach.