Particularly in crisis situations like the current pandemic of 2019 novel coronavirus (COVID-19), rapid response to incidents and the fast-tracking of clinical tests and medical research require huge movements of information -- much of it, of a highly sensitive and / or personal nature.
With the use of cloud-based infrastructures and mobile apps for data transfer now more widespread than ever due to COVID-19 management lockdown protocols and movement restrictions, immense volumes of personal health information and other sensitive data are travelling over routes that also offer inviting targets for hackers, identity thieves, and cyber criminals.
So it’s more important than ever to protect highly sensitive personal data such as medical records, appointments, or medical advice, in situations where people use apps which send that information to or from the cloud.
In this article, we’ve assembled a comprehensive set of recommendations for doing just that. Many of the health care specific insights contained in these guidelines stem from an advisory published by HealthIT.gov, a US web site dedicated to privacy and data protection in the health and life science industries.
Passwords And Authentication
As the traditional first line of defence for users looking to get into subscription-based web accounts and protected devices, passwords need to be as strong as possible. This typically means combinations of eight characters or more, mixing numbers, upper and lowercase letters, and keyboard symbols.
These kinds of combinations are (and ideally should be) difficult for even the password owner to remember offhand, and there’s a thriving market in password generators and password management apps to assist users in this regard.
Authentication may apply at a number of levels. User authentication can provide gateways for access to individual devices and apps, or serve to identify authorised users of an information management system.
For devices, common authentication methods include passwords, PINs (Personal Identification Numbers), visual or audible biometrics using camera or microphone, other biometrics such as fingerprint scanning, and pattern gesture recognition.
A time-out or automatic logoff may be set for each device, which automatically locks it after a set period of inactivity, and requires a successful authentication procedure to regain access to the device. There may also be settings that can restrict administrative actions on the device (such as uploading information or downloading software) to the authorised user.
For devices with a lockscreen notification display, it’s also a good idea to disable SMS (Short Message Service) previews, which can make sensitive information clearly visible to casual observers.
Device authentication may be implemented remotely using attestation, a mechanism that allows both the sender of a communication or piece of data and its recipient to authenticate each other.
Using attestation, health care information administrators can impose security policies that limit connections only to parties that agree to abide by their rules. Attestation keys and their associated digital certificates also help to minimise the risk of remote activities being tracked by external parties.
Information stored locally on a device and in a data management system should be encrypted, to render it unreadable to any external observer who doesn’t have the required decryption key.
For health data, using an encryption process consistent with FIPS 140-2 [PDF - 1.4 MB] can help organisations meet regulatory compliance needs such as the HHS OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorised Individuals.
In cases where it’s necessary to transmit sensitive health data in text messages, secure messaging systems employing end-to-end encryption are advised, in preference to standard SMS.
Mobile Device Management (MDM)
Health care organisations whose employees routinely use mobile devices for communication and data handling should have a comprehensive Mobile Device Management (MDM) system in place. This should enable administrators to remotely monitor and manage registered devices on the system.
Features to remotely disable or wipe these devices are of particular value in safeguarding sensitive information. If a mobile device is lost or stolen for example, these tools enable system administrators to permanently delete all data stored on the device, or to securely lock any device whose owner stands a reasonable chance of actually retrieving it.
Remote wiping and disabling tools are also an option for individual users, who can configure these features to enhance their personal device security. They are often included as part of the suite of tools contained within mobile antivirus or internet security apps.
As a precaution, it’s advisable for users to regularly back up the information on their devices to a secure location, and make sure that it’s password-protected and / or encrypted.
Security Software And Firewalls
Individuals and organisations are advised to install and regularly update a comprehensive suite of security software on all devices and information management systems.
These should provide real-time monitoring and protection against malicious software (malware), viruses, exploits, and threats such as ransomware. Tools are available both for system-wide and individual device deployments.
System administrators should routinely deploy firewalls, intrusion detection / prevention tools, and best practices for safeguarding network perimeters and data traffic.
Personal firewall apps are available for individual devices, and can guard against unauthorised data connections by intercepting incoming and outgoing connection attempts, and blocking or permitting them based on a set of pre-defined rules
Secure Data Transfer
Unsecured public Wi-Fi connections are a continuous threat both to individual privacy and the transmission of sensitive health data. Such connections should never be used without secure encryption and / or anonymisation.
Secure Wi-Fi connections will use data encryption, and require password access or some other form of user authentication before accessing the internet. Anonymity may be provided through a Virtual Private Network (VPN) connection, which not only delivers protection via an encrypted tunnel around the user, but can also mask the individual’s location and IP address.
Finally, organisations and individuals should take steps to protect their physical infrastructure, and personal devices.
For health institutions, security protections and access control measures should be deployed at all facilities, with options including gates, physical barriers, security personnel, and staff and visitor management systems.
A close eye and physical proximity should be maintained at all times, for mobile devices, and other sensitive equipment. Lockscreens and secure methods for authenticating device owners should be employed on the road, with tools or protocols in place for the management of lost or stolen devices.
If devices aren’t actually in their owner’s possession, they should be physically secured (locked in a protected cabinet, etc.) to safeguard sensitive health information or personal data.
If you need the highest-quality content for your business’s lead generation, nurturing and sales strategies, markITwrite has a dedicated team of professional writers, designers, and social media marketing experts to put their talent to work for your business.