Protected health information which includes personally identifiable information (PII) such as social security numbers, names, and addresses, but also medical records, recipes, and treatments, is considered highly sensitive and, as a consequence, has been heavily regulated for years. And while medical devices and equipment manufacturers are not traditionally considered healthcare providers, they often collect and process sensitive health data when they sell their products both directly to patients and to healthcare organizations such as hospitals.
In the US, the Health Insurance Portability and Accountability Act (HIPAA) which governs data protection in the healthcare industry, states that if a medical device manufacturer creates devices for covered entities, the device design must support sensitive information protection.
Healthcare organizations and providers are required to create policies to protect patient information, limit health data access and achieve HIPAA compliance. They are responsible for data protection and applying security standards among their business associates. As such, they require medical devices and equipment manufacturers to meet HIPAA regulations to support their own compliance efforts. Therefore, medical devices and equipment must incorporate safeguards to ensure the security of healthcare data from data breaches and cyberattacks.
In Europe, personal data is protected under the EU’s General Data Protection Regulation (GDPR). Medical data and patient records are categorized as sensitive and need a higher level of protection than personal information. In some countries, GDPR is supplemented with health sector-specific legislation such as Germany’s Patient Data Protection Act (PDSG) which concerns the introduction of new technologies into the German healthcare system and the protection of electronic health records. Noncompliance with these laws brings with it heavy fines and reputational damage.
But what are some of the vulnerabilities and security issues the medical devices and equipment industry faces when it comes to data privacy, and how can they address them? Let’s take a closer look.
Protect sensitive data at rest and on the move
Medical devices and equipment companies need to protect the personal information they collect from customers, patients, and employees but also protected health information (PHI) that falls under the incidence of laws such as HIPAA and PDSG. While security measures such as implementing antivirus software and firewalls are essential to guard against hackers, malware, and ransomware attacks, companies must also ensure that personal and healthcare information is not lost or stolen through employees’ neglect or malicious intent.
To prevent sensitive data from being transferred or stored locally on work computers, companies can turn to Data Loss Prevention (DLP) solutions. Organizations can define sensitive data based on predefined profiles for PII and intellectual property or data protection laws such as GDPR and HIPAA to apply policies that identify, monitor, and control the movements of sensitive data.
Through content inspection and contextual scanning, companies can track the movement of hundreds of file types that contain data defined as sensitive, log any attempts to transfer it, and block it from being uploaded or sent through insecure channels such as messaging apps, personal email addresses or file-sharing websites.
Some DLP solutions such as Endpoint Protector also come with eDiscovery features that allow companies to search work computer hard drives for files containing sensitive data. When it is found in unsafe locations, admins can delete or encrypt it to prevent unauthorized data access.
Secure data during employee site visits
An issue particular to the medical devices and equipment industry is the need for employees to conduct site visits. This is important for assessments for future contracts, checking the status of current contracts, or providing technical support to customers. When employees perform such visits, they will often take work devices with them to access potentially sensitive company information. This poses a clear data security risk.
To prevent any potential data loss or theft when work computers are taken out of the security of the company network, organizations should implement DLP solutions directly on the endpoint. DLP solutions can then continue to enforce policies regardless of whether a device is connected to the company network or the internet. In this way, organizations can ensure that data protection is uninterrupted.
Protect data on all operating systems
Windows is the operating system of choice in the medical device and equipment industry. Therefore, companies should ensure that any data protection software they use, whether antivirus or DLP, offers zero-day support for any new Windows release. Potential compatibility issues can severely undermine data protection efforts and lead to the need to purchase other compatible products, impacting cost efficiency.
The medical device and equipment industry also uses specialized versions of operating systems such as Windows Embedded. Devices using them can also be a source of data loss which is why companies must choose products that are compatible with a wide range of Windows versions, not just the standard most recent one.
Companies running a multi-OS environment should also look for cross-platform solutions that offer feature parity between all operating systems, ensuring that regardless of whether a computer is running on Windows, macOS, or Linux, they will have the same level of protection. Cross-platform solutions are also easier to manage for administrators as all devices running on all operating systems can then be managed through a single interface.
Educate employees
The human factor is often the weakest link in a cybersecurity strategy. Employees can be targeted directly by cybercriminals through phishing and social engineering. In this way, employees can easily compromise network security by clicking on infected links or opening attachments that contain malware. They can also be tricked into revealing work credentials.
While introducing access control policies and multi-factor authentication can help prevent such security breaches and protect patient privacy, training can also have a beneficial effect. By educating employees on how to identify phishing emails and what steps they need to take when they receive them, companies can raise awareness and reduce the number of security incidents.
Download our free ebook on
Data Loss Prevention Best Practices
Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.