For the most part, healthcare organizations and professionals have always focused on the physical and mental well-being of their patients. A good thing for all of us as patients, as that’s what we really want from our healthcare professionals. But today, just focusing on patient health is no longer enough. The problem: healthcare data has become so valuable that it’s a primary target of criminal hackers. While a credit card with full details (verification number, name, address) is worth from a few cents to $5 on a black-market internet site, a fairly complete set of healthcare data is bringing from $20 to $200 (depending on the completeness of the record set and other variables).
This data is so attractive to criminals because of all the uses it can be put to – applying for financial accounts and loans, medical fraud, tax fraud and more. The broad spectrum of uses feeds that value of the data – and that’s what creates the problem.
As custodians of this information, people and organizations in healthcare are now stewards of our financial health as well. This represents a big problem for organizations and professionals that until recently didn’t even have to think about these kinds of problems. People don’t become doctors, nurses or other healthcare professionals with the idea that they’ll be protecting their patients’ financial health... and yet their actions can now have a direct effect on it.
So to get back to the topic: what does it mean to get data security right for healthcare? Well, it starts with meeting compliance and regulatory requirements, but it doesn’t end there.
- HIPAA/HITECH: Healthcare organizations have to meet a raft of requirements for securing electronic Personal Health Information (ePHI) records under the US Health Insurance Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health Act (HITECH).
- EPCS: The US Drug Enforcement Agency (DEA) has a set of requirements for protecting Electronic Prescriptions of Controlled Substances (EPCS).
- PCI DSS: Often processing their own credit card charges, healthcare providers also have to ensure the security of payment transactions as required under the Payment Card Industry Data Security Standard (PCI DSS).
- FDA: The US Food and Drug Administration (FDA) has a set of requirements around ensuring the trustworthiness and reliability of electronic records and signatures.
Each of these compliance requirements has many pieces, but a common theme is to protect data either with encryption and access controls, or with “compensating controls” that provably provide the same protection. In fewer and fewer cases are compensating controls enough. Wasn’t Anthem compliant with HIPAA/HITECH when it was breached for 24 million records? What about the UCLA Medical Center for 4 million records?
Getting data protection right requires not only meeting these compliance requirements but going beyond them to prevent a data breach that could put patients’ financial lives at risk. If, as a healthcare provider, your actions result in a breach that then leaves your customers unable to pay their insurance or meet their other bills, haven’t you negatively affected their health?
I have to say “Yes”.
But to do this “right” you have to do it in a way that allows healthcare professionals to get their work done and to work with other healthcare professionals to support patients’ health, while keeping that data from being compromised on the mass scale that we’ve seen recently.
As much as possible of the work needs to be completely transparent to healthcare professionals … although organizations also need the personnel policies and training programs to cover what can’t be controlled on the back end.
Critical elements are:
- Policies for data use that require protection as the default, and exceptions only by petition
- A clear understanding of where sensitive data lives and what tools and people have access to it (on-going discovery required)
- At the file system and OS level – encryption and access controls for that data with data access information consumable by security analytics systems to identify anomalies
- Within applications, security controls that limit who can see sensitive data linked to roles and need to know (encryption, tokenization, data masking, access controls)
- Intelligent analysis of data access patterns for anomalous behavior that might represent an internal threat or external attack
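As an added illustration of the last three elements above (example code written for this edit, not from the original post), here is a small Python check that runs over constructed ePHI access log lines and flags users whose access falls outside an assumed per-role baseline; the log format, role names, thresholds and business hours are all assumptions:

```python
# Assumed log format (constructed for this example): <ISO timestamp> <user> <role> <action> <patient_id>
from collections import defaultdict
from datetime import datetime

# Assumed per-role baselines (illustrative, not from any real site): how many distinct
# patient records a role normally touches per day, and whether after-hours use is expected.
ROLE_BASELINES = {
    "nurse":   {"max_patients_per_day": 25, "after_hours_ok": True},
    "billing": {"max_patients_per_day": 40, "after_hours_ok": False},
    "admin":   {"max_patients_per_day": 5,  "after_hours_ok": False},
}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 counts as in-hours

# Constructed sample log: a nurse working normally, a billing clerk reading records at
# 02:00, and an admin account sweeping through more charts than its role ever needs.
SAMPLE_LOG = """\
2024-03-04T09:12:01 nurse_a nurse READ P1001
2024-03-04T09:15:22 nurse_a nurse UPDATE P1001
2024-03-04T02:10:05 billing_x billing READ P2001
2024-03-04T02:10:07 billing_x billing READ P2002
malformed entry
""" + "\n".join(f"2024-03-04T11:{i:02d}:00 admin_z admin READ P3{i:03d}" for i in range(8))


def parse_log(text):
    """Yield (timestamp, user, role, action, patient_id); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, role, action, pid = parts
        yield datetime.fromisoformat(ts), user, role, action, pid


def find_anomalies(text, baselines=ROLE_BASELINES):
    """Return sorted (user, reason) pairs for accesses outside the user's role baseline."""
    patients = defaultdict(set)  # (day, user) -> distinct patient ids seen that day
    roles = {}                   # user -> role, as recorded in the log
    findings = set()
    for ts, user, role, _action, pid in parse_log(text):
        roles[user] = role
        patients[(ts.date(), user)].add(pid)
        if ts.hour not in BUSINESS_HOURS and not baselines[role]["after_hours_ok"]:
            findings.add((user, "after-hours access"))
    for (_day, user), pids in patients.items():
        if len(pids) > baselines[roles[user]]["max_patients_per_day"]:
            findings.add((user, "record volume above role baseline"))
    return sorted(findings)
```

In a real deployment the baselines would be learned from historical access data per role and the findings fed to the security analytics system rather than hard-coded.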
This combination of awareness of the location of sensitive data, limits at system and application levels using encryption and other cryptographic technologies linked to access control, access pattern monitoring, and education/training immensely lowers the “attack surface” available to hackers and malicious insiders alike. The result is that the vast majority of attacks will be stopped before they begin, and detected quickly once in process. Frankly, an attacker that finds strong defenses in place is going to move on to easier prey. (Remember the old saw about running from the bear: “I don’t have to run faster than the bear, I just have to run faster than you do.”)
To make this happen, healthcare organizations need a change in priorities from the highest levels: their boards, management staff and IT organizations have to be re-tasked. IT security isn’t just something that healthcare organizations “kind of need to do”; they have to get it right, or their patients will suffer as a result.