Extensive healthcare data contains enough information not only to apply for credit cards or loans, but also to compromise patients’ financial accounts and generate huge sums from fraudulent medical charges. As a result, healthcare data is at a premium, which does not bode well at a time when data breaches are at an all-time high and organizations are still working out how to handle these new and improved threats.
In a 2015 blog, ‘When Healthcare Data Gets Exposed it Comes at a Premium,’ I discussed how healthcare data had become one of the most desirable commodities for sale on ‘black market’ sites. That was back in 2015. Today, Modern Healthcare reports that a healthcare breach has an average cost of $363 per exposed record, while the average cost of a data breach across all industries is $154 per record.
But despite this clear increase in value, when it comes to data security challenges, hospitals aren’t unique. Data is made up of 1s and 0s; it has no concept of whether it is patient data, cardholder data or some other type of personally identifiable information. And despite our own efforts to personify data (with our friends, The Data Defense League), in reality data has no natural defenses.
So what exactly are the fundamental problems with sensitive information in healthcare? To get a better understanding of existing threats, we released the Healthcare edition of the 2016 Data Threat Report (DTR). Key findings from the report include:
- 96 percent feel vulnerable to data threats
- 63 percent have experienced a past data breach, with nearly one in five indicating a breach in the last year
- At 61 percent, meeting compliance requirements was the top IT security spending priority, with preventing data breaches well behind at 40 percent
- 60 percent increased spending to offset threats to data, and 46 percent increased spending on data-at-rest defenses this year
Simply keeping track of data, how it enters the system and how it subsequently moves through it, can be a huge challenge, and one that creates vulnerabilities if it isn't adequately met. So where does healthcare go from here? Organizations need to pay more attention to new techniques for preventing attacks, as well as to detecting potential threats more rapidly and narrowing the window of exposure.
The good news is that it is not all bad. A number of results indicate that healthcare organizations are taking steps in the right direction.
- 60 percent are increasing spending to protect sensitive data
- 46 percent, more than any other vertical, plan to invest in data-at-rest defenses this year
- 46 percent are looking to implement data security to follow industry best practices
- Many are planning to implement ‘newer’ security tools that are more effective at protecting data even when other defenses have been compromised. These include cloud security gateways (39 percent), Security Information and Event Management (SIEM) systems (36 percent), tokenization (35 percent) and data access monitoring (34 percent)
With the boom in black market sales, the potential for financial harm to patients, and to their privacy and security, from inadequately protected data is growing fast. Yet compliance requirements that can’t completely safeguard data continue to be the driver, and understandably so. Healthcare facilities face a veritable alphabet soup of federal, state and local compliance regulations; new rules and amendments continue to be phased into mandates, which are updated regularly. Organizations must keep up or face stiff penalties.
Healthcare organizations now have to prioritize the safety of patient data and privacy as part of patient care, and recognize that meeting compliance requirements is only a start. Equally important is security within the organization. With more people accessing the network from more locations, network segmentation and user-based access controls are only the tip of the iceberg.
Don’t worry, we aren’t leaving you high and dry. We’ve developed a list of tips to help you remain secure. Critical elements include:
- Policies for data use that require protection as the default, and exceptions only by petition
- A clear understanding of where sensitive data lies and what tools and people have access to it
- At the file system and OS level, encryption and access controls, with data access information collected to identify anomalies
- Within applications, security controls (encryption, tokenization, data masking, access controls) that limit who can see sensitive data, based on roles and need to know
- Intelligent analysis of data access patterns for anomalous behavior that might represent an internal threat or external attack
Security must be meaningfully addressed by every healthcare organization, from the smallest, most rural clinic to the largest healthcare system. With the right security in place, patients can concentrate on getting better and hospitals can concentrate on their true mission, their patients, rather than worrying about whether their data is safe.
To learn more about how healthcare organizations can protect sensitive data, feel free to leave a comment below or tweet me @SocialTIS.