Facing up to healthcare’s information security challenge

Thailand’s Praram 9 Hospital shares its policies and best practices for ensuring information security, amid the growing threat of cyberattacks and data breaches in healthcare

Healthcare organisations sit on a treasure trove of information: confidential health records, financial data such as credit card numbers, personal identity numbers, and intellectual property such as research and innovation. The monetary value of this information makes healthcare providers a prime target for cyber attackers.

Information security therefore needs to rise up the priority list for hospital leaders: it has moved beyond simply avoiding data breaches to become a key aspect of patient safety and reputational trust.

For Thailand’s Praram 9 Hospital, the potential for cyberattacks is very much top of mind. The hospital has embraced digitalisation in its processes and services, adopting an Electronic Medical Record (EMR) system, offering telehealth, and testing remote monitoring devices for patient care, as a way to improve efficiency and give patients greater ownership of their health.

Dr Pakinee Pooprasert

“However, the digitalisation of healthcare infrastructure does not come without risk,” noted Dr Pakinee Pooprasert, Doctor and Telemedicine Advisory Board Member at Praram 9. “We recognise that digital tools such as the EMR system are among the cornerstones of the healthcare system, allowing for unprecedented connectivity and productivity. But we remain mindful of the potential opportunities for attacks.”

Cybersecurity policies and best practices

In mitigating the risks of cyberattacks, the hospital adheres closely to Thailand’s laws and regulations, including the Cybersecurity Act, said Dr Pooprasert.

In addition, rigorous endpoint security is in place to prevent file-based malware and to detect and block malicious activity from both trusted and untrusted applications. Next-generation firewalls, kept constantly updated, are deployed on both internal and external network segments, alongside secure web and email gateways.

Guarding against data loss is also a key part of the hospital’s cybersecurity plans. “We treat data backup very meticulously. In order to ensure that important healthcare data are secured, we have both an onsite and offsite backup, where data are stored in a secured cloud and a designated data storage centre,” Dr Pooprasert shared. For such backups to hold up against ransomware as well as hardware failure, the offsite copy needs to be kept out of reach of the production credentials an attacker could obtain, and restores need to be exercised regularly rather than assumed to work.

The hospital’s IT department constantly monitors for security threats and is equipped with investigation and remediation capabilities to respond. If there are signs of a possible attack, “we have a recovery plan which outlines the process for identifying attacks in progress, stopping ongoing attacks, bringing affected systems back online as well as recovering lost or damaged data and promptly restoring any compromised systems or applications,” she said.

Even with a comprehensive security programme in place, hospitals cannot let their guard down, as cyber threats evolve rapidly. Praram 9 holds regular risk assessments to analyse existing and potential threat levels, identify vulnerabilities, and map the ways in which attackers could try to breach its systems.

This includes reviewing the status of assets, especially those that hold the most value and are most likely to be targeted by attackers.

“We perform regular audits and security assessments on network infrastructure and security, to assess the age and condition of key hardware, as well as hardware infrastructure, storage infrastructure and authentication methods. Our audits also include analysing the alliance partner services we have to help monitor security, as well as constantly searching for newer partnerships to help enhance security,” Dr Pooprasert elaborated.

For her, the biggest challenge in cybersecurity lies in ensuring that every individual staff member practises safe IT habits at all times. To keep staff up to date on current cybersecurity threats and remind them to stay alert, the hospital has introduced basic cybersecurity training for all employees, reinforced with regular reminders by email so that they keep practising what they have learnt.

Information security for paper documentation

With the buzz around cyber and digital threats, it is easy to overlook the fact that information security also covers data held on physical documents.

For hospitals, there remains a need to store certain paper records, whether because of government regulations or operational requirements. If these confidential records are not managed carefully, there is a risk of unauthorised access or theft.

A proper audit trail and access protocol go a long way. “At Praram 9, paper records are stored in the Medical Records Department, which is a secured physical unit. Only medical staff have access to these records, and each access has to be authorised by a clinician who will sign an approval document prior to access. Further, there is a detailed record with entries on when the medical record is borrowed, by whom and for what purpose,” said Dr Pooprasert.

“For example, outpatient documents can only be taken during each consultation, and will be promptly returned to storage after the session. If patients desire to have the doctor’s notes, they can be granted access, but only with the physician’s approval. Likewise, upon patient discharge, the physical medical records would be taken from the ward and stored securely.”

Besides secure storage, another aspect of print security lies in print output management. The risk here is twofold: employees, whether intentionally or not, may print confidential information that is then picked up by unauthorised personnel; and many printers retain a copy of printed jobs on their internal storage, which makes the devices themselves a potential target for attackers.

When asked about Praram 9’s policies in this area, Dr Pooprasert noted that only the primary doctor in charge of the patient’s care is able to print the patient’s information. Each clinician is given a secured passcode to access information such as laboratory results, investigation results, and doctor’s notes and diagnoses, and these authorisations are reviewed and renewed each year.

“Even medical staff in close care with the patient, such as nurses or the ward clerk, will not have access to such information,” she added. “Also, a confidential waste-only bin is placed in every department, and records will be destroyed after every shift.”

No doubt, putting these policies and practices in place requires investment in money, time and effort across the organisation. But with the ever-rising number of attacks on hospital data – the number of hacking incidents in healthcare jumped 42% in 2020, climbing for the fifth straight year – it is high time that information security be regarded as an essential component of patient safety, and given the attention it deserves.