Most healthcare organizations are literally one data breach away from serious repercussions if sensitive information such as medical files, medical payment transactions or any confidential data is compromised or stolen. Until now, bulk encryption, combined with firewalls, was the most effective solution for protecting data and other informational assets against internal and external threats. But encryption alone is not enough. To compound the problem, many of the popular file sharing software programs and services currently in use by healthcare organizations and medical practitioners are not HIPAA compliant.
The need to securely share HIPAA-covered information in real time has also precipitated a tremendous fear of what a data breach can do to an organization. The healthcare industry must comply with standards for the protection of Personally Identifiable Information as well as HIPAA data. Taking a shortcut and using a non-compliant system could be a costly violation. Technology is available today that provides significant aid in this area, including solutions that carry not only HIPAA compliance but PCI DSS Level 1 certification as well.
Cost of a Healthcare Data Breach
As we have learned when cyberattackers breached the servers of the United States' second-largest health insurer, Anthem, and stole the records of tens of millions of individuals, cybercrime is "big business." Cybercriminals are working around the clock to create and deploy new threats as fast as companies can react to them. This non-stop hacking and theft of intellectual property is becoming more prevalent and costly. Unfortunately, while threats are on an upswing, it has been reported that corporate spending across all industries, not just healthcare, on cyber-protection has decreased. According to the "Global State of Information Security Survey 2015" conducted by PricewaterhouseCoopers, respondents in 2014 reported that the number of detected incidents soared to a total of 42.8 million, or a 48% leap over 2013, with financial losses increasing 34% over 2013. Security spending actually declined last year, reversing a three-year trend. The average information security budget dipped to $4.1 million in 2014, down 4 percent from the $4.3 million average spend in 2013. In order to maximize the chances of repelling an attack, it is incumbent upon the healthcare industry to focus on staying ahead of the curve.
Because a data breach can be so devastating, all functional areas within a company must be intimately involved. Compliance with legal and regulatory requirements along with their accompanying fines is one thing. Loss of credibility, loss of trust and destruction of a medical organization's brand are other potential repercussions that reach far beyond any one department. According to Ponemon Institute's Benchmark Study on Patient Privacy & Data Security, healthcare organizations face an uphill battle in their efforts to stop data breaches. Ninety-four percent of healthcare organizations surveyed suffered at least one data breach during the past two years; 45 percent of organizations experienced more than five data breaches each during this same period. Data breaches are an ongoing operational risk. Based on the experience of the 80 healthcare organizations participating in this research, data breaches could be costing the U.S. healthcare industry an average of $7 billion annually.
The leading causes of data breaches and compromised medical records were lost devices, employee mistakes, third-party carelessness, and criminal attacks. A new finding indicates that 69 percent of organizations surveyed do not secure medical devices—such as mammogram imaging and insulin pumps—which hold patients' protected health information (PHI). Overall, the research indicates that patients and their PHI are at increased risk for medical identity theft. Risks to patient privacy are expected to increase, especially as mobile and cloud technology become pervasive in healthcare.
As organizations begin to think about protecting patient data, they need to identify the common avenues through which that data is exposed. Here are four areas where a healthcare organization's data may be exposed, and the protective steps to take in each.
1.) Don't overlook internal threats
The people trusted most may be misappropriating sensitive data for their personal gain. Organizations face the challenging task of balancing openness and trust with privacy and protection. A data breach could be one USB drive or misplaced laptop away from occurring. Ensure that the onboarding process for new hires includes detailed information on the company's security policies, along with the potential repercussions for violating them. Most employees just sign the obligatory compliance form and forget it. Consider making reminders a regular part of annual performance reviews.
The endpoint is where data is most often unwittingly lost. Data loss frequently occurs when personnel working from remote offices move information off endpoint workstations onto USB or flash drives. Implementing a way to lock down this information on the devices of mobile users is imperative.
2.) Compliance requirements must be a top priority for Chief Information Officers and Chief Security Officers
Corporate officers and organization leaders need to realize that all networks are at risk and represent immeasurable amounts of liability to their organization. Compliance requirements vary significantly according to industry type as well as the type of sensitive data handled. The alphabet soup of regulations and standards such as PCI, PII, HIPAA, SOC I, II, and III, as well as FISMA, is just a sample of what applies.
The HIPAA Security Rule requires healthcare organizations to adopt appropriate safeguards to protect the confidentiality, integrity and availability of patients' protected health information. The best way to ensure strict adherence to correct protocols is to bring in experts in each area to conduct an honest risk assessment.
3.) Keep Abreast of New Technology Advances
Be continually on the lookout for innovative technology which can help secure and protect sensitive data. Traditional network security defenses, standard encryption and firewalls are commonly used techniques that may not be adequate to combat sophisticated threats.
One of the biggest mistakes organizations make in securing their sites is using encryption techniques that are obsolete and leave their information exposed to hackers and data breaches. Bulk encryption has long provided what many believed to be a safe and effective method for protecting data from being compromised or stolen. It is now apparent that relying solely on encryption of this kind is quickly becoming obsolete. Bulk encryption is a method in which large amounts of data are encrypted together under one key. The quantity and size of the data being protected at once tends to cause long delays and slow response times. It also exposes the data to a "total breach": once someone is in, they have access to the bulk of the data.
New forms of MicroEncryption technology that use MicroTokenization to encrypt each file individually, down to the byte, can prevent the mass data breaches that have made headlines almost daily.
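The contrast between one key over the whole dataset and one key per record is easier to see in code. The following is an added illustration written for this article; it is not CertainSafe's code and does not implement MicroEncryption or MicroTokenization. It assumes a toy stream cipher and MAC built from HMAC-SHA256 (so the script runs offline with only the Python standard library; a production system would use an authenticated cipher such as AES-GCM from a vetted library), a constructed set of fictitious patient records, and the common envelope-encryption pattern in which each record gets its own data key wrapped under a master key. The point it demonstrates: a single leaked key under the bulk model reads every record, while a single leaked per-record key reads exactly one.

```python
"""Added illustration (not CertainSafe's code): bulk encryption under one key
versus per-record data keys wrapped under a master key.

The cipher and MAC below are a TOY built from HMAC-SHA256 so the script runs
with the standard library only; use AES-GCM or similar in real systems.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, List, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one key (toy KDF).
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: successive HMAC(key, nonce || counter) blocks.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or altered data raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered ciphertext")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# Constructed sample records; every name and value is fictitious.
RECORDS: Dict[str, bytes] = {
    "patient-001": b"name=A. Example;dob=1970-01-01;plan=PPO",
    "patient-002": b"name=B. Example;dob=1982-05-17;plan=HMO",
    "patient-003": b"name=C. Example;dob=1995-11-30;plan=PPO",
}


# --- Model 1: bulk encryption, one key over the whole dataset ----------------
def bulk_encrypt(master_key: bytes, records: Dict[str, bytes]) -> bytes:
    payload = json.dumps({rid: d.decode() for rid, d in records.items()}).encode()
    return encrypt(master_key, payload)


def bulk_records_readable(master_key: bytes, blob: bytes) -> List[str]:
    # Whoever holds the one key can read every record: the "total breach".
    return sorted(json.loads(decrypt(master_key, blob)))


# --- Model 2: a fresh data key per record, each wrapped under the master key -
Store = Dict[str, Tuple[bytes, bytes]]  # rid -> (wrapped data key, ciphertext)


def per_record_encrypt(master_key: bytes, records: Dict[str, bytes]) -> Store:
    store: Store = {}
    for rid, data in records.items():
        data_key = os.urandom(32)                       # used for this record only
        store[rid] = (encrypt(master_key, data_key),    # wrapped data key
                      encrypt(data_key, data))          # record ciphertext
    return store


def unwrap_data_key(master_key: bytes, store: Store, rid: str) -> bytes:
    return decrypt(master_key, store[rid][0])


def read_record(master_key: bytes, store: Store, rid: str) -> bytes:
    # Only this record's key is unwrapped; the other records are never touched.
    return decrypt(unwrap_data_key(master_key, store, rid), store[rid][1])


def records_readable_with_key(store: Store, leaked_key: bytes) -> List[str]:
    # Which records can someone holding a single leaked data key read?
    readable = []
    for rid, (_, ct) in store.items():
        try:
            decrypt(leaked_key, ct)
            readable.append(rid)
        except ValueError:
            pass
    return sorted(readable)


def demo() -> dict:
    master_key = os.urandom(32)
    bulk_blob = bulk_encrypt(master_key, RECORDS)
    store = per_record_encrypt(master_key, RECORDS)
    leaked = unwrap_data_key(master_key, store, "patient-002")  # one key leaks
    return {
        "bulk_exposed": bulk_records_readable(master_key, bulk_blob),
        "per_record_exposed": records_readable_with_key(store, leaked),
        "patient-002": read_record(master_key, store, "patient-002"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two design points follow from the example. First, the master key remains a single point of compromise in the per-record model too, so it belongs in a key management service or HSM and should only ever unwrap the data key a request actually needs. Second, reading one record never decrypts the others, which is also what removes the latency penalty the text attributes to bulk encryption: the work is proportional to the record requested, not to the size of the whole store.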
4.) Take a good hard look at email security protocols
Considering the amount of confidential information transmitted by email, all email communications must be locked down with platforms that do more than encrypt the transmission. Most encrypted email systems are only designed to protect data in transit and do little or nothing to protect email data that is at rest.
Many medical professionals and staff use consumer tools like Gmail, Yahoo! and MSN to communicate with patients and external partners. Unfortunately these communication channels are not encrypted end to end and can result in patient data exposure.
Once an email is sent, the sensitive data in it remains open and unencrypted on every device that receives it. Even when the message was encrypted in transit, once the recipient opens it the data is decrypted, at rest on that device and available for exploitation.
The rash of data breaches and hacks within the healthcare industry has delivered a wake-up call and exposed how vulnerable any organization is to losing control of highly sensitive internal information. Adhering to some precautions can keep your organization from being hacked and producing the wrong kind of headlines.
Steven R. Russo is Executive Vice President of CertainSafe, an award-winning developer of an ultra-secure file sharing and messaging platform. Its MicroEncryption technology is being used by 10 states to protect data for their healthcare exchanges. Learn more at www.certainsafe.com.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.