Medical laboratories and imaging centers collect, process, and store data that is considered highly sensitive. As such, they are legally required to securely store and transmit patient data under laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the EU General Data Protection Regulation (GDPR). However, with the increasing connectivity of information systems, laboratory endpoints, and instruments to the internet, they often struggle to keep up with the demands to continuously protect and secure sensitive information.
The broader healthcare industry, of which both medical laboratories and imaging centers are a part, has averaged the highest total data breach costs of any industry for eleven consecutive years, according to the IBM and Ponemon Institute's Cost of a Data Breach Report 2021. In 2021, the average reached a staggering $9.23 million per data breach, a 29.5% increase from 2020.
However, the losses are not just financial. For example, clinical labs store large amounts of sensitive patient data whose theft or loss can significantly impact treatment outcomes and patient privacy. Data breaches in research laboratories, meanwhile, can lead to delays in the development of new treatments and even to the theft of intellectual property.
Because of all this, medical labs and imaging centers need to address data security to ensure compliance with data protection laws and avoid the massive costs associated with data breaches in the healthcare industry. Here are our tips for maintaining data security.
1. Control the use of removable devices
Oftentimes, even in controlled environments, computers will not have access to the internet, but they will have USB and peripheral ports through which users can connect removable devices. Removable devices such as USB flash drives or external hard drives are still used by employees to copy large amounts of information or large files. However, they pose a number of risks to data security. They can be easily lost or stolen due to their size and portability, and they have also become popular vehicles for delivering malware.
Medical labs and imaging centers can address this vulnerability by implementing Data Loss Prevention (DLP) solutions with device control features. DLP tools allow organizations to monitor and control the use of peripheral and USB ports as well as Bluetooth connections. In this way, medical labs and imaging centers can block the use of removable devices or track and limit their use to trusted devices.
DLP solutions make it easy for organizations to spot suspicious activity on their network, identifying which employees are using removable devices at what time. Some take things one step further by offering granular policies that allow medical labs and imaging centers to choose different levels of restrictions based on groups, departments, devices, or individuals.
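The following is an added example, not Endpoint Protector's code, of how a device-control policy of the kind described above can be evaluated: the most specific rule wins (a trusted device pinned to its serial number, then a department rule, then a global default), and every connection attempt produces an audit line recording who connected which device and when. The users, departments, device descriptors and trusted-device list are constructed for illustration.

```python
"""Added example (not Endpoint Protector's code): a device-control policy
evaluator with granular, per-department rules and a per-device allow-list.
Users, departments, device descriptors and the trusted list are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Action(Enum):
    BLOCK = "block"
    ALLOW = "allow"
    READ_ONLY = "read_only"


@dataclass(frozen=True)
class DeviceEvent:
    user: str
    department: str
    device_class: str   # "usb_storage", "bluetooth", ...
    vendor_id: str      # USB VID, four hex digits
    product_id: str     # USB PID, four hex digits
    serial: str         # unit serial number reported by the device


# A trusted device is pinned to VID:PID:serial. VID:PID alone is shared by
# every unit of the same model, so it cannot identify one specific drive.
TRUSTED_DEVICES = {
    "0781:5583:4C530001230212345678",  # constructed: the lab's encrypted drive
}

# Department-level defaults; departments not listed fall back to DEFAULT_ACTION.
DEPARTMENT_POLICY = {
    "imaging": Action.READ_ONLY,   # may read studies from a drive, not copy out
    "research": Action.BLOCK,
}
DEFAULT_ACTION = Action.BLOCK


def device_key(ev: DeviceEvent) -> str:
    return f"{ev.vendor_id}:{ev.product_id}:{ev.serial}".upper()


def evaluate(ev: DeviceEvent) -> Action:
    """Most specific rule wins: trusted device > department rule > global default.
    Non-storage peripherals (Bluetooth here) are denied regardless of user."""
    if ev.device_class != "usb_storage":
        return Action.BLOCK
    if device_key(ev) in TRUSTED_DEVICES:
        return Action.ALLOW
    return DEPARTMENT_POLICY.get(ev.department, DEFAULT_ACTION)


def audit_line(ev: DeviceEvent, action: Action, when: datetime) -> str:
    """One log line per connection attempt, so that who used which device,
    and when, can be reviewed afterwards."""
    return (f"{when.isoformat()} user={ev.user} dept={ev.department} "
            f"class={ev.device_class} device={device_key(ev)} action={action.value}")


def run_demo() -> list:
    """Evaluate a few constructed connection attempts and return their audit lines."""
    when = datetime(2021, 11, 4, 9, 30, tzinfo=timezone.utc)  # constructed timestamp
    events = [
        DeviceEvent("alice", "research", "usb_storage", "0781", "5583", "4C530001230212345678"),
        DeviceEvent("bob", "research", "usb_storage", "0781", "5583", "4C530009999999999999"),
        DeviceEvent("carol", "imaging", "usb_storage", "0951", "1666", "E0D55EA5"),
        DeviceEvent("dave", "billing", "bluetooth", "0000", "0000", "n/a"),
    ]
    return [audit_line(ev, evaluate(ev), when) for ev in events]


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

In the demo, alice's drive is allowed only because its serial is on the trusted list; bob's drive of the same model is blocked by the research department rule, carol's untrusted drive gets read-only access under the imaging rule, and dave's Bluetooth peripheral is blocked outright.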
2. Address internal threats
27% of data breaches in the healthcare industry are caused by human error, one of the highest percentages across all industries. Cybercriminals also target employees directly through phishing and social engineering attacks, and some employees themselves can become threats when they turn malicious and attempt to exfiltrate data.
To address internal threats, medical labs and imaging centers can turn to DLP solutions that allow them to identify, monitor, and control sensitive data. DLP tools like Endpoint Protector use predefined profiles and customized definitions to track and control sensitive data covered by laws such as HIPAA and GDPR across company networks.
With powerful content inspection and contextual scanning tools, DLP solutions can identify sensitive data in files and the body of emails before they are sent, blocking their transfer through insecure channels such as messaging apps, file-sharing websites, and cloud storage services. They can also prevent sensitive data from being printed and copy-pasted.
3. Restrict access to data
Sensitive health data can also be exposed to theft and loss when stored locally on work computers. This is another form of employee negligence: employees often access, save, and download sensitive data as they perform their duties and then forget to delete it when it is no longer needed. This can become a significant risk to data security and compliance efforts, as laws such as HIPAA emphasize the need to limit access to sensitive patient information to a need-to-know basis.
Medical labs and imaging centers can use DLP solutions to search for sensitive data stored locally on their entire networks. When found in unauthorized locations, they can take remediation actions such as deletion or encryption. In this way, they ensure that only employees that need to work with sensitive data have access to it.
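The following is an added example, not Endpoint Protector's code, of the two DLP capabilities discussed in sections 2 and 3: inspecting content for health identifiers before it leaves through a channel, and discovering the same identifiers in files stored locally. The detection patterns, the hypothetical institution-specific MRN format, the authorized-channel list and the sample files are all constructed for illustration and are not a complete HIPAA identifier set; the SSN check also rejects structurally invalid numbers so that placeholder values do not trigger false positives.

```python
"""Added example (not Endpoint Protector's code): content inspection for
protected health information (PHI), used to gate outbound transfers and to
discover PHI at rest in a directory tree. Patterns and sample files are
constructed; the MRN format is a hypothetical institution-specific one."""
import re
import tempfile
from pathlib import Path

# Constructed detection patterns (not a complete HIPAA identifier set).
PATTERNS = {
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "mrn": re.compile(r"\bMRN-\d{8}\b"),            # hypothetical MRN format
    "dob": re.compile(r"\bDOB:\s*\d{2}/\d{2}/\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Channels through which PHI may leave (constructed names).
AUTHORIZED_CHANNELS = {"secure_portal", "encrypted_email"}


def plausible_ssn(m: re.Match) -> bool:
    """Reject structurally invalid SSNs to cut false positives: area 000, 666
    or 900-999, group 00 and serial 0000 are never issued."""
    area, group, serial = (int(x) for x in m.groups())
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


def classify(text: str) -> dict:
    """Return a count of each PHI identifier type found in the text."""
    counts = {}
    for name, pat in PATTERNS.items():
        hits = list(pat.finditer(text))
        if name == "ssn":
            hits = [m for m in hits if plausible_ssn(m)]
        if hits:
            counts[name] = len(hits)
    return counts


def outbound_allowed(text: str, channel: str) -> bool:
    """Block any message or file body carrying PHI unless the channel is authorized."""
    return not classify(text) or channel in AUTHORIZED_CHANNELS


def scan_tree(root) -> list:
    """Walk root and report the text files containing PHI (data-at-rest discovery)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # binary file: out of scope for this text-only scanner
        counts = classify(text)
        if counts:
            findings.append((path.relative_to(root).as_posix(), counts))
    return findings


def build_sample_tree() -> str:
    """Create a constructed directory mixing PHI, non-PHI and binary files."""
    root = tempfile.mkdtemp(prefix="phi_scan_")
    files = {
        "downloads/results_export.csv": "patient,MRN-00123456,DOB: 04/12/1971,ssn,123-45-6789\n",
        "notes/todo.txt": "order reagents; the placeholder 000-00-0000 is not an SSN\n",
        "desktop/referral.txt": "Contact j.doe@example.org about MRN-00987654\n",
    }
    for rel, content in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content, encoding="utf-8")
    img = Path(root, "images", "scan.bin")
    img.parent.mkdir(parents=True, exist_ok=True)
    img.write_bytes(b"\xff\xfe\x00\x80")  # not valid UTF-8, so it is skipped
    return root


if __name__ == "__main__":
    for rel, counts in scan_tree(build_sample_tree()):
        print(f"{rel}: {counts}")
    print(outbound_allowed("Results for MRN-00123456 attached", "chat_app"))
```

Running the scan over the sample tree reports the export in `downloads` and the referral on the `desktop` as remediation candidates, while the to-do note's placeholder number is ignored by the SSN validity check; the outbound check blocks the same record when sent through a chat application but permits it through the secure portal.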
Frequently Asked Questions
Designed to protect sensitive data rather than the systems where the data is stored, Data Loss Prevention (DLP) solutions offer flexible, customizable policies that allow companies to control and monitor healthcare data within and outside of the work environment. Most health data is forbidden by law from leaving an organization's premises unless it is encrypted or transmitted through secure, authorized channels. This ties into the need to limit data access to a need-to-know basis. Employees may be tempted to use unauthorized third-party apps and services such as messaging applications and personal email to perform their duties more quickly. By using powerful contextual scanning and content inspection tools and predefined policies, DLP solutions identify health data in files and the body of emails before they are sent, blocking their transfer through these unauthorized channels.
The General Data Protection Regulation (GDPR) recognizes data concerning health as a special category of data and provides a definition for it for the purpose of data protection. According to GDPR Article 4 (15), health data is personal information related to a natural person's physical or mental health, including the provision of health care services, which reveals information about their health status. As a special category of data, health data requires higher protection, as using such sensitive data may have a significant adverse impact on data subjects.
The Patient Data Protection Act or Patientendaten-Schutz-Gesetz (PDSG) is a law passed by Germany's Federal Parliament, the Bundestag, on 3 July 2020. It entered into force less than four months later, on 20 October 2020. The PDSG is part of a push for the digitalization of the German healthcare system. It introduces a number of digital applications and requirements for the protection of patient information stored in electronic format. The PDSG applies to all healthcare institutions, including hospitals, doctors, health insurance providers, and pharmacies, that use services, applications, and components of the German healthcare system's telematics infrastructure to process patient information.