According to a study by IBM, the costs of HealthTech-related data security breaches in 2020 reached a whopping $8.64M in the U.S. alone. The best way to avoid becoming part of this statistic is making sure your software is HIPAA compliant. Here’s what you need to know.
The state of data security in healthcare
The global digital health market is on the rise. As of 2019, its total worth was estimated at $111.4 billion, with forecasts predicting it will reach a whopping $510.4 billion by 2025. This means that between 2020 and 2025 its CAGR (Compound Annual Growth Rate) will be 29%.
However, with the number of digital health solutions appearing on the market – especially in the midst of the COVID-19 pandemic – security breaches in healthcare are becoming a top concern. According to a recent study by SecurityScorecard and DarkOwl, there is an alarming “upward trend in the number of dark web and deep web results containing mentions of the top 20 telehealth companies”.
What can software companies do to defend themselves against these digital threats? They must ensure that they meet the highest security standards, which can be achieved by HIPAA compliance. In the following article, we’re going to take a look at what HIPAA is, discuss the threats to data security in healthcare and explain what HIPAA compliant software should include. Whether you’re a product owner or marketing executive looking to understand HIPAA compliance, or a researcher at a healthcare company, this resource will help you understand how you can improve your digital product’s security.
What does HIPAA mean?
Quick recap – HIPAA is a law introduced in the United States in April 2003 with the aim of providing privacy standards to protect medical records of patients and other health information included in health plans shared with doctors, hospitals, and other healthcare providers. The acronym itself stands for the Health Insurance Portability and Accountability Act. It gives patients access to their medical records and grants them more control over how their health information is used and distributed.
Five threats to data security in healthcare
Now that we’ve answered the question of what HIPAA means, let’s take a look at some of the data security threats in healthcare that can be mitigated by using HIPAA compliant software. This section will be useful if you’re looking for arguments that prove the importance of healthcare data protection.
1. Data theft
Data theft is one of the most serious threats healthcare companies are exposed to. In 2020, in the US alone, 28 cases of data breaches were reported. This costs businesses tremendous amounts of money – according to an IBM Security Report, the cost of data breaches in healthcare in the United States reached $8.64 million in 2020.
2. Malware
As stated in a report by Wandera, 8% of healthcare organizations were at some point affected by malware. It’s usually small hospitals and healthcare centers that become the target of malware attacks, since they lack good security infrastructure. In fact, experts say that 85% of small or medium-sized hospitals have no IT security personnel.
3. Cloud jacking (cloud storage injections)
Cloud jacking is the term used to describe cloud storage code injections. As more and more organizations rely on cloud storage to keep their sensitive data, it’s becoming an increasing cybersecurity concern for businesses. In their 2020 cybersecurity report, Trend Micro predicted that cloud jacking attacks will likely come in the form of SQL injections, third-party library injections, and cross-site scripting.
4. IoT device security vulnerabilities
In an interview for Health IT News, Abdul Rahman, CEO of cybersecurity company Fidelis, points out that a lot of IoT devices on the market fail to support an endpoint security agent. This means that they’re especially vulnerable to malicious behaviors and attacks. The consequences can be life-threatening, with devices such as implantable pacemakers or insulin pumps susceptible to an attack. In fact, in 2017, Abbott had to recall over 460,000 pacemakers from the market due to security threats.
5. Lack of internal security standards
Last but not least, companies may become vulnerable to attacks if they fail to implement and regularly update their internal security measures (if this topic interests you, we reviewed the top security risks in healthcare and listed 18 real-life examples). These measures range from prohibiting employees from working on public Wi-Fi and on private devices, through to ensuring that they lock their screens when leaving their computers unattended.
It’s time to discuss what you should pay attention to if you want to use HIPAA compliant software.
What should HIPAA compliant software offer?
Now that we’ve covered the threats, here are several things you should tick off your list to ensure your software is safe to use by doctors, medical personnel, and other professionals at your company:
- Data encryption: written communication between the doctor and the patient, such as chat and email, should be fully encrypted. Make sure that chat history is protected by a password and cannot be brought up by just any user.
- Limit printing options: don’t give doctors and other medical staff the option to print every type of document. Printers and print spoolers keep caches of what they handle, so they aren’t entirely secure; set limits and decide which data may be printed and which may not.
- Use biometric authentication: on mobile devices, enable biometric login – it improves both the app’s security and its UX.
- Implement session timeouts: make sure that both your employees and patients are logged out automatically when the software detects they have been inactive for a certain time.
- Control the devices your employees use: while you might need to enable your employees to work remotely, make sure they’re using devices provided or approved by the company – not their private equipment.
- Provide a chat: patients might not have enough data to support video, so offer an option for written communication.
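As an added illustration of the session-timeout item in the list above (example code written for this article, not Freeport Metrics' software or any particular product), here is an in-memory session store that expires a session after a period of inactivity and also after an absolute lifetime, so that a session kept alive by background polling still forces re-authentication. The 15-minute idle and 8-hour lifetime values are assumptions, not numbers HIPAA prescribes.

```python
"""Added example (not from the article): session store with an idle timeout
and an absolute lifetime. The timeout values below are assumptions."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60        # assumed: expire after 15 min without activity
ABSOLUTE_LIFETIME_SECONDS = 8 * 3600  # assumed: force re-login at least every 8 hours


@dataclass
class Session:
    user_id: str
    created_at: float   # Unix time when the user authenticated
    last_seen: float    # Unix time of the most recent request


class SessionStore:
    def __init__(self, idle: float = IDLE_TIMEOUT_SECONDS,
                 lifetime: float = ABSOLUTE_LIFETIME_SECONDS) -> None:
        self._sessions: Dict[str, Session] = {}
        self.idle = idle
        self.lifetime = lifetime

    def create(self, user_id: str, now: float) -> str:
        """Issue an unguessable token after successful authentication."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, now, now)
        return token

    def touch(self, token: str, now: float) -> Optional[str]:
        """Validate on every request. Returns the user id while the session is
        valid; on expiry the session is deleted and None is returned, so the
        caller must send the user back to the login screen."""
        session = self._sessions.get(token)
        if session is None:
            return None
        idle_for = now - session.last_seen
        age = now - session.created_at
        if idle_for > self.idle or age > self.lifetime:
            del self._sessions[token]
            return None
        session.last_seen = now   # activity extends the idle window, never the lifetime
        return session.user_id

    def revoke(self, token: str) -> None:
        """Explicit logout (or administrator-initiated termination)."""
        self._sessions.pop(token, None)


def demo() -> List[Optional[str]]:
    """Walk one session through the idle timeout; all times are constructed."""
    store = SessionStore()
    t0 = 1_700_000_000.0
    token = store.create("dr_smith", t0)
    return [
        store.touch(token, t0 + 10 * 60),   # 10 min later: still valid
        store.touch(token, t0 + 20 * 60),   # 10 min after last request: valid
        store.touch(token, t0 + 36 * 60),   # 16 min idle: expired and removed
        store.touch(token, t0 + 37 * 60),   # token no longer known: None
    ]
```

The check runs on every request rather than on a timer, so a device left unattended is logged out the moment it next talks to the server; the separate absolute lifetime is what stops a stolen token from being usable indefinitely as long as something keeps touching it.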
With all of the above in mind, we’re now going to share our top recommendations for ensuring that your company and the software you build or use is HIPAA compliant.
How to be HIPAA compliant – five best practices
1. Consider going mobile-only
Mobile devices are by default more secure than desktop computers. Encryption is much more advanced on mobile – particularly on iOS devices. If you’re using mobile equipment, here are a few rules to follow:
- Whenever possible, use two-factor authentication. While you do not always have control over the strength of your users’ passwords, you can add another level of security by introducing additional authentication.
- When using email, keep in mind that some modern systems will automatically read your messages. For instance, if you’re arranging a meeting, based on your conversation, the system can automatically create an event in your calendar. Such features could potentially cause data leaks.
- If you’re working with third parties (such as home-use medical devices and cloud storage) – be aware they’re pushing data to the cloud. As mentioned earlier in this article, cloud storage security breaches are becoming a big threat. Whenever choosing a third-party provider, make sure they’re HIPAA compliant.
- Upgrade software on IoMT (Internet of Medical Things) devices, whenever an update becomes available.
- Disable password saving on mobile devices.
2. Use specialist software
It’s highly recommended to use network auditing software so you can verify whom you’re dealing with on the other end. This way, you’ll be able to establish whether you’re communicating with someone on a public or private network. Also, install software on all company devices that tracks whether your antivirus is operating at all times.
3. Disable image caching
Imagine a situation in which photos of a patient’s chest or face are leaked or used by an unauthorized party. This would not only cause distress to your patients but might also lead to serious financial consequences, as you might end up in court. One way of making sure this doesn’t happen is disabling image caching on all devices – both yours and the patient’s.
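The advice above is about the devices; the server can do its part by telling browsers and any proxies in between not to keep a copy in the first place. Here is an added example (not from the article): a WSGI middleware that marks any image response, or any response under a patient route, as not cacheable, overriding permissive caching headers the application itself may have set. The route prefix, the content-type rule and the sample application are assumptions.

```python
"""Added example (not from the article): WSGI middleware that forbids caching of
responses carrying patient images. Route prefixes and the sample app are assumptions."""
from typing import Callable, Dict, Iterable, List, Tuple

SENSITIVE_PREFIXES = ("/patients/",)   # assumed: routes that serve patient data
CACHE_HEADERS = ("cache-control", "pragma", "expires")
NO_STORE_HEADERS = [
    ("Cache-Control", "no-store, private, max-age=0"),
    ("Pragma", "no-cache"),   # honoured by legacy HTTP/1.0 caches
    ("Expires", "0"),
]


def no_store_for_phi(app: Callable) -> Callable:
    """Wrap a WSGI app so that any image response, or any response under a
    sensitive route, has its caching headers replaced with no-store directives."""
    def middleware(environ, start_response):
        path = environ.get("PATH_INFO", "")

        def wrapped_start(status, headers, exc_info=None):
            ctype = next((v for k, v in headers if k.lower() == "content-type"), "")
            if path.startswith(SENSITIVE_PREFIXES) or ctype.startswith("image/"):
                # drop whatever the app set (even "public, max-age=...") and replace it
                headers = [(k, v) for k, v in headers if k.lower() not in CACHE_HEADERS]
                headers = headers + NO_STORE_HEADERS
            return start_response(status, headers, exc_info)

        return app(environ, wrapped_start)
    return middleware


def sample_app(environ, start_response) -> Iterable[bytes]:
    """Constructed stand-in application: one patient image, one public page."""
    if environ["PATH_INFO"] == "/patients/42/xray.png":
        # deliberately permissive headers, as a careless app might emit them
        start_response("200 OK", [("Content-Type", "image/png"),
                                  ("Cache-Control", "public, max-age=86400")])
        return [b"\x89PNG constructed placeholder bytes"]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html>public content</html>"]


def response_headers(app: Callable, path: str) -> Dict[str, str]:
    """Drive a WSGI app through one GET and return its headers with lower-cased keys."""
    captured: Dict[str, List[Tuple[str, str]]] = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers
        return lambda data: None

    list(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return {k.lower(): v for k, v in captured["headers"]}
```

The same directives belong on chat transcripts and any other page that renders patient data; `no-store` is the directive that matters, the `Pragma` and `Expires` lines only cover older intermediaries.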
4. Disable saving passwords
We can’t stress this enough – do not allow password saving on any company devices.
5. Don’t use public Wi-Fi
As mentioned earlier, healthcare companies are a common target of hacker attacks. Public Wi-Fi can have poor security levels and can be an easy entry point for unauthorized access – that’s why you should avoid using it at all costs.
How can we help you become HIPAA compliant?
At Freeport Metrics, we have over 10 years of experience in developing healthcare software. We specialize primarily in digital product development for the U.S. market. Over the years, we’ve brought dozens of successful products to life. In our work, we combine business acumen with excellence in UX and technical design. Because we love what we do.
Depending on your project goals, we can help you build a HIPAA compliant HealthTech product from scratch, audit your current solution to ensure it meets the highest security standards, or help you fix any issues keeping you from HIPAA compliance.
Creating HIPAA compliant software – final thoughts
With the digitalization of healthcare solutions and the introduction of IoMT devices, the healthcare sector has become even more exposed to data security threats, including data theft, cloud jacking, and malware. HIPAA compliance is the number one step companies should take to ensure that their operational and patient data are safe at all times.
HIPAA compliant software should, among other things, use biometric authentication, data encryption, and session timeouts on both the patient’s and the medical staff’s side. There are several rules you should follow, most importantly going mobile-only, disabling image caching and password storage, and using network auditing and antivirus software.