Wednesday, May 22, 2024

The harsh reality of data security in healthcare

Healthcare organizations will always need to store and transfer personal health information, often referred to as Protected Health Information (PHI).

Prioritizing data security will remain crucial to protect against cyberattacks and data loss to keep PHI secure.

A survey by the American Medical Association revealed that 92% of patients believe that the confidentiality of their health data is a right and that it should be protected. But keeping data secure while it must also be portable and shareable at any time is no easy feat.

Protecting PHI may seem like a small thing. But a violation can have far-reaching consequences. For example, Scripps Health agreed to pay a $3.5 million ransom after a 2021 ransomware attack.

Without wanting to be alarmist, we must be realistic and recognize that the number of breaches involving healthcare entities is increasing.

Malicious actors understand the value of compromising healthcare data, and ransomware attacks are growing rapidly, making the healthcare industry a strategic target worldwide.

What can be done to ensure strong data security?


Simply put, meeting these unique challenges and complying with ever-changing regulations is entirely possible.

The starting point is to make data encryption a key part of any healthcare organization’s security strategy.

After all, what can be seen can either be attacked or secured! This is important to know when considering your data security plan.

At Kingston, we know that adequately protecting health data is a serious matter. When encrypting health data to keep it secure, there are several points to consider.

First, it’s important to understand the value of data encryption for regulatory compliance. HIPAA and other international regulations like GDPR and CCPA impose requirements for encryption of personal data.

By using encryption, healthcare organizations can protect themselves from the consequences of a data breach and remain compliant with these regulations.

But even choosing encryption is a tricky task, because there are generally two types: hardware encryption and software encryption.

Understanding the difference between software and hardware encryption has implications for the security of patient health data. Software encryption is often cheaper to implement initially, but its security depends on the host system.

Therefore, it is much more vulnerable to attack, because the passwords or recovery keys can be recovered from the host system’s memory, including the paging and hibernation files. Additionally, many encrypted file formats can be attacked using software tools found on the Internet for free or at minimal cost.

These tools perform brute-force password attacks to break the authentication process. Today’s computers are capable of testing one billion or more passwords per second.

Software-encrypted files can also be copied and attacked in parallel by a network of computers, further reducing the time required to carry out brute-force attacks.

Hardware encryption is a dedicated security ecosystem contained entirely within the storage device, whether it’s a USB drive or an external SSD.

Hardware encryption is always active, protecting data at all times, while anyone can remove software encryption from a drive simply by reformatting it.

For healthcare providers, this means that a malicious employee can disable protection and turn a software-encrypted drive into an open-access storage device.

Also, in general, hardware encryption is considerably more secure because it does not expose passwords and encryption keys to the host system.

However, this added security comes at a higher cost compared to unencrypted storage drives. Given that the average breach cost over $4.35 million in the United States in 2022, the savings from choosing software encryption may be illusory.

This is especially true considering that there are much better solutions for mobile data: USB drives and external SSDs with 256-bit XTS-AES hardware encryption that include protections against brute-force and BadUSB attacks.

If a hardware-encrypted external SSD is lost, it is reasonable to assume that it will remain secure and continue to protect PHI with its enhanced security.

The Kingston IronKey XTS-AES 256-bit hardware-encrypted drive line offers several user-friendly options that address user security frustrations.

They support multiple passwords to allow users or providers to regain access to drives if a password is forgotten. Now there’s an alternative to complex passwords that no one remembers: passphrases.

A passphrase of up to 64 characters can be the title of a book or a song, a list of words, or a line from a poem, for example. Passphrases are easy for doctors and other healthcare professionals to remember but almost impossible for attackers to guess.

Indeed, the drive locks in the event of a brute-force attack, and the data is cryptographically erased if too many incorrect passwords are entered.

Passphrases are available on the Vault Privacy 50, 50C and Vault Privacy 80 External SSD. Keypad drives like the Vault Privacy 80ES and Keypad 200 are PIN-based and similar in usage to cell phone PIN codes, for people who prefer to use a PIN code.

The VP80ES also supports passphrases using an alphanumeric keypad on a touchscreen.

Image: overview of the different hardware-encrypted Kingston IronKey USB and SSD drives.

All IronKey drives feature strong protection against brute-force password attacks. When an attacker tries to guess a password, the drive counts the number of failed entries and, after a certain number, locks the user password.

When admin password attempts are exhausted, the drive automatically performs a crypto-erase and all data is lost forever. Software encryption cannot provide such protection against these attacks.
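The contrast the article draws, between an offline brute-force attack on a copied software-encrypted file and an online attack against a drive whose controller counts failed attempts, can be made concrete with a small model. The following is an added example, not Kingston’s code and not a description of any IronKey firmware: the attempt limits, guess rates, charset sizes and passwords are assumed sample values, and the behaviour (user lockout cleared by an admin login, crypto-erase once admin attempts are exhausted) is a simplified model of the mechanism described above.

```python
"""Added example (not Kingston's code): why an offline attack on a copied
software-encrypted file and an online attack on a hardware-encrypted drive
with a failed-attempt counter have such different costs.  All limits, rates
and passwords are assumed sample values, not device specifications."""
from dataclasses import dataclass


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate secrets of a fixed length over a given charset."""
    return charset_size ** length


def offline_attack_seconds(space: int, guesses_per_second: float = 1e9,
                           machines: int = 1) -> float:
    """Expected time to find a secret by exhaustive search of a copied file:
    on average half the keyspace is tried, and copies of the file can be
    attacked in parallel, which divides the time by the number of machines."""
    return space / 2 / (guesses_per_second * machines)


@dataclass
class LockoutDrive:
    """Toy model of a drive whose controller counts failed unlock attempts.
    Assumed behaviour: the user password locks after user_limit failures and
    an admin login clears that lock; admin_limit failures trigger a
    crypto-erase, after which no password unlocks anything."""
    user_pw: str
    admin_pw: str
    user_limit: int = 10      # assumed sample limit
    admin_limit: int = 10     # assumed sample limit
    user_failed: int = 0
    admin_failed: int = 0
    user_locked: bool = False
    erased: bool = False
    data: bytes = b"constructed PHI payload"

    def crypto_erase(self) -> None:
        """Discard the data encryption key; the ciphertext is unrecoverable."""
        self.erased = True
        self.data = b""

    def unlock(self, role: str, attempt: str) -> str:
        if self.erased:
            return "erased"
        if role == "user":
            if self.user_locked:
                return "user-locked"
            if attempt == self.user_pw:
                self.user_failed = 0
                return "unlocked"
            self.user_failed += 1
            if self.user_failed >= self.user_limit:
                self.user_locked = True
                return "user-locked"
            return "denied"
        if role == "admin":
            if attempt == self.admin_pw:
                self.admin_failed = 0
                self.user_failed = 0
                self.user_locked = False   # admin restores user access
                return "unlocked"
            self.admin_failed += 1
            if self.admin_failed >= self.admin_limit:
                self.crypto_erase()
                return "erased"
            return "denied"
        raise ValueError(f"unknown role {role!r}")

    def guesses_before_loss(self) -> int:
        """Upper bound on online guesses: every user attempt ends in lockout,
        and every admin attempt after that ends in a crypto-erase."""
        return self.user_limit + self.admin_limit


def online_attack_seconds(drive: LockoutDrive, seconds_per_try: float = 2.0) -> float:
    """An online attacker is bounded by the counter, not by CPU speed."""
    return drive.guesses_before_loss() * seconds_per_try


if __name__ == "__main__":
    # Offline: a copied software-encrypted file at one billion guesses/second.
    eight_char = keyspace(95, 8)      # printable-ASCII password
    passphrase = keyspace(27, 30)     # 30 lowercase letters and spaces
    print(f"8-char password, 1 machine:        {offline_attack_seconds(eight_char):.3e} s")
    print(f"8-char password, 1000 machines:    {offline_attack_seconds(eight_char, machines=1000):.3e} s")
    print(f"30-char passphrase, 1000 machines: {offline_attack_seconds(passphrase, machines=1000):.3e} s")

    # Online: the drive's counter, not the attacker's hardware, sets the budget.
    drive = LockoutDrive("correct horse battery", "admin-secret", user_limit=3, admin_limit=3)
    for guess in ["password", "letmein", "qwerty"]:
        print("user guess ->", drive.unlock("user", guess))
    print("admin recovery ->", drive.unlock("admin", "admin-secret"))
    for guess in ["admin", "admin1", "admin123"]:
        print("admin guess ->", drive.unlock("admin", guess))
    print("data after erase:", drive.data, "| max online guesses:", drive.guesses_before_loss())
```

The two time functions make the article’s point visible: the offline figure shrinks with faster hardware and more machines, while the online figure is fixed by the drive’s counter, and a lost or stolen drive gives up its data only if the counter can be bypassed, which is exactly what a controller-enforced limit is designed to prevent.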

Operating system-agnostic drives like the Vault Privacy 80ES and Keypad 200 are ideal for protecting data transferred between medical machines and computers.

This type of transfer is widely used across the many devices found in health services. For example, many laboratory machines require technicians to manually transfer data into the provider’s computer system.


In addition to hardware-encrypted devices, healthcare organizations should consider additional cybersecurity measures, such as training employees on best practices, implementing multi-factor authentication, and regularly updating software and hardware systems. Even for small healthcare providers, regular backups to hardware-encrypted external SSDs can make the difference between falling victim to a ransomware attack and being able to quickly recover systems.

By taking a layered approach to security and integrating data protection into employees’ daily habits, healthcare organizations can effectively protect patient data.

Integrating Kingston IronKey hardware-encrypted drives into your data security strategy is an effective way to ensure compliance with HIPAA and other healthcare data protection regulations.

You can find other Kingston IronKey products to meet healthcare data security needs. Additionally, the “Ask an Expert” service can help you keep your patient data secure.
