Data security is a challenge facing every organization today. Healthcare in particular is highly susceptible because of the attractive data in its systems: it is a cybercriminal's equivalent of digital treasure, holding personally identifiable information (PII), protected health information (PHI) and payment card data. The other risk factor is the number of digital hands this data passes through, from practitioners to vendors. It is important to understand the full impact data security and privacy can have on a healthcare organization, and how best to protect PHI and other sensitive data.
Healthcare Data Breaches Tripled in 2018
Although the healthcare industry has made improvements in cybersecurity and increased security budgets, breaches reached an all-time high in 2018. According to recent reports:
- 2018 saw a steady increase in the number of impacted records from the 1.2 million reported in the first quarter, to the 6.3 million reported in fourth quarter.
- Approximately 11.3 million patient records were compromised by hacking, nearly four times more than the 3.4 million reported in 2017.
- Insiders were responsible for about 28 percent of breaches last year, breaching 2.8 million patient records in 139 incidents.
- There was a substantial increase in breached patient records from 2017, with nearly four healthcare employees breaching patient privacy per every 1,000 employees.
- Significantly more patient records were breached by insider-error than by insiders with malicious intent.
- On average, it took a healthcare organization 255 days to discover a breach caused by an insider.
- Insiders are more likely to breach privacy after an initial violation: 51 percent of privacy violations were caused by repeat offenders.
PHI Breach Repercussions for Healthcare Organizations
Outside threats by far had the , but what's more shocking is that 28% of breaches in healthcare are caused by insiders – employees and third-party vendors. These are not necessarily malicious insiders: negligence was the key factor in many of these breaches.
Whether caused by a bad actor or a negligent employee, healthcare breaches come with steep costs, coming in at $408 per record in 2018, the highest of any industry for the eighth straight year. You also have to factor in the hidden expenses that are hard to put a number to, including reputational damage, customer turnover and operational costs.
Regaining Control of Your PHI with Data-Centric Security
The HIPAA Security Rule outlines a number of measures and protections organizations need to have in place, including incident response plans, data encryption, employee training, and information access management. It also outlines several Technical Safeguards. This is where data-centric security solutions can be of great value: the threats these technical safeguards address, such as insider data misuse, unauthorized access and sharing, and human error, are exactly the ones data-centric controls are designed to prevent.
- “Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).”
You can use permissions to control access to the data repository or application, but with modern collaboration that is no longer enough. You need to look at the data itself on a continuous basis to account for how information, its associated access attributes and the user context change over time, then adjust its security accordingly. For example, a document may not start out containing PHI, but details may be added to it along the way that change its classification. You also need to assess the risk profile associated with the data and its use cases, then consider the security that should be applied in each scenario.
Data-centric security provides a mechanism to evaluate and secure content at rest and as it moves through the collaboration process, both inside and outside of the organization, via collaboration tools, email and enterprise social. Security is applied to the file itself, dynamically adjusting its access controls and in-transit protections based on a real-time comparison of user context and file content. This ensures only authorized persons can access content as it evolves and changes hands.
- “Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.”
First you need to know where your PHI is stored. A data-centric solution can begin by discovering where PHI sits in your data repositories. It can then track and monitor the movement of documents containing PHI and other sensitive data, including who views, prints, and emails them, to provide a full audit trail in case of a breach.
- “Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.”
A good data-centric solution will allow you to prevent undesired actions from occurring, including preventing documents from being edited, published, downloaded, shared or copied to the desktop. It should also allow for workflows that automatically mitigate risk by flagging violations, notifying key stakeholders of undesired activity and triggering corrective actions.
- “Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.”
With a data-centric solution you can ensure that only approved users can access and share your business content, and control how it should be shared based on its sensitivity. For example, you can prevent the emailing of PHI or automatically encrypt a file containing PHI that is being emailed to an authorized party.
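The content-plus-context evaluation described under Access Control and Transmission Security above, with the audit record from Audit Controls, reduced to a small policy engine. This is an added illustration, not code from any product or from the original post; the PHI patterns, role names and action names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed PHI indicators for illustration; a real classifier is far richer.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[ :#]*\d{6,}\b", re.IGNORECASE),
    "diagnosis": re.compile(r"\bdiagnos(?:is|ed)\b", re.IGNORECASE),
}
AUTHORIZED_ROLES = {"clinician", "billing"}   # hypothetical role names
AUDIT_LOG = []  # one record per evaluated action (Audit Controls)

@dataclass
class User:
    name: str
    role: str

def classify(text):
    """Scan the document's current content; a file that acquires PHI
    later in its life is reclassified on the next evaluation."""
    hits = sorted(k for k, p in PHI_PATTERNS.items() if p.search(text))
    return ("PHI" if hits else "General"), hits

def decide(doc_name, text, user, action, recipient=None):
    """Combine file content and user context into allow / deny / encrypt,
    and record the evaluation for audit."""
    label, hits = classify(text)
    if label == "General":
        decision = "allow"
    elif user.role not in AUTHORIZED_ROLES:
        decision = "deny"      # Access Control: not an authorized person
    elif action in {"download", "copy", "publish"}:
        decision = "deny"      # Integrity: PHI stays in the controlled repository
    elif action == "email":
        # Transmission Security: an authorized recipient gets an encrypted
        # copy; mailing PHI to anyone else is blocked.
        ok = recipient is not None and recipient.role in AUTHORIZED_ROLES
        decision = "encrypt" if ok else "deny"
    else:
        decision = "allow"
    AUDIT_LOG.append({"doc": doc_name, "user": user.name, "action": action,
                      "label": label, "hits": hits, "decision": decision})
    return decision

if __name__ == "__main__":
    nurse, vendor = User("nurse", "clinician"), User("vendor", "contractor")
    note = "Meeting notes: discussed scheduling for next week."
    print(decide("notes.docx", note, vendor, "view"))   # allow
    note += " Patient MRN 00123456 diagnosed with asthma."
    print(decide("notes.docx", note, vendor, "view"))   # deny
    print(decide("notes.docx", note, nurse, "email", nurse))  # encrypt
```

The same document flips from "allow" to "deny" for the contractor once PHI is added, which is the reclassification-over-time point made above.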
Protect Your PHI with an Intelligent Solution
While collaboration on PHI comes with increased risk, there are ways to put effective controls in place to secure sharing and prevent misuse. Traditional location-based access controls that simply ‘allow’ or ‘do not allow’ access to information no longer provide adequate security for how we collaborate in the modern workplace. Equally, securing your PHI by beefing up perimeter security alone is not enough to protect against external attackers using insider credentials, and it is not designed to address insider threats. Adopting a data-centric approach that uses both file content and user context to determine access, and applies additional security based on the use scenario, will best protect your PHI and sensitive data. Data-centric solutions provide the granular level of security and lifecycle auditing required to meet the Technical Safeguards in the HIPAA Security Rule.