Because of its sensitivity and high value, healthcare data is a prime target for cyberattacks, and the healthcare industry is correspondingly heavily regulated through specialized legislation such as the Health Insurance Portability and Accountability Act (HIPAA). Despite this, healthcare has had the highest average data breach cost of any industry for the 13th year in a row. According to IBM and the Ponemon Institute’s Cost of a Data Breach Report 2023, the average cost of a healthcare data breach is $10.93 million, an increase of 53.3% over the last three years.
Healthcare services collect a wealth of Protected Health Information (PHI), which falls within the scope of HIPAA. PHI is individually identifiable information that relates to a person’s past, present, or future physical or mental health, the provision of healthcare to that person, or payment for that care. It includes identifiers such as name, address, or Social Security number, which on their own or combined with other data can reveal a person’s identity, medical history, or other personal details. Such Personally Identifiable Information (PII) is also protected under more general data protection legislation, such as the EU’s General Data Protection Regulation (GDPR).
To safeguard medical records, healthcare organizations must build a comprehensive data security strategy that keeps them compliant and avoids the fines and other costs that follow a breach. Effective data security also directly affects patient care, because it preserves the confidentiality and integrity of patient health information. Let’s take a closer look at how they can achieve this.
1. Deal with internal threats
In the healthcare industry, addressing internal threats is as crucial as addressing external ones. Approximately 35% of data breaches in the healthcare industry are attributable to insiders, whether negligent or malicious. This matters because HIPAA’s Security Rule requires ePHI to be protected in transit, which in practice means it should leave the organization only encrypted or through secure, authorized channels. Regular risk assessments help identify weak points in how patient data is handled, and Data Loss Prevention (DLP) solutions let healthcare services control the flow of sensitive health data in and out of their networks.
DLP tools are designed to protect sensitive data directly: they use predefined profiles and custom definitions to track and control data covered by laws such as HIPAA and GDPR across company networks. With content inspection and contextual scanning, a DLP solution can identify health data in files and in the body of emails before they are sent, and block transfers through unauthorized channels.
With remote work now the norm in healthcare too, robust data security measures, particularly around HIPAA compliance, are more important than ever, and a comprehensive endpoint DLP such as Endpoint Protector by CoSoSys can help. HIPAA’s audit-control requirement means all activity involving electronic Protected Health Information (ePHI) must be tracked and logged: access to, modification of, and transmission of patient data. Such audit trails are vital for detecting and investigating unauthorized access and other HIPAA violations, and they let providers pinpoint suspicious activity and act promptly to mitigate insider risk.
Staff who handle ePHI must also have the tools and training to spot misuse of sensitive healthcare information. In practice this means software that provides real-time alerts and reports on data access and use, and that can also flag phishing attempts and other threats that could lead to a breach.
2. Restrict access to data
Health data also becomes vulnerable when it is stored locally on work computers. Employees access, save, and download sensitive information, including electronic health records (EHRs), as they perform their tasks, and often forget to delete these files when they are no longer needed. Local copies are easy pickings for malware such as trojans and ransomware delivered by phishing, and they undermine compliance, since HIPAA requires access to PHI to be limited to the minimum necessary for a person’s role. Restricting access to data is therefore pivotal in preventing unauthorized access to sensitive medical information.
DLP solutions can scan the entire company network for sensitive data stored locally, and when it is found in unauthorized locations, admins can take remediation actions such as deletion or encryption. This lets healthcare organizations make sure no employee retains sensitive information they no longer need for their duties, shrinking the digital trail of health records and keeping them only where they belong.
Healthcare organizations implementing Endpoint Protector’s eDiscovery feature can scan macOS, Windows, and Linux endpoints and take remediation actions such as encrypting or deleting data. Administrators can run a clean scan that covers all repositories or an incremental scan that resumes from where the last scan stopped. Scans follow flexible policies based on whitelists and blacklists.
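The content inspection described in section 1 and the data discovery with allowlists, incremental scans, and remediation described in section 2 can be illustrated with a small scanner. The following Python script is an added example, not Endpoint Protector code or any product’s API. It assumes a single detector (US Social Security numbers, the identifier named earlier, validated against the number’s structural rules), a handful of clinical context terms that promote a hit from PII to PHI, an allowlist of directories where PHI may legitimately reside, a denylist of directory names that are never scanned, and a file-modification-time cutoff for incremental scans. The sample files it creates are constructed and contain no real patient data.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Assumed detector: US Social Security numbers as NNN-NN-NNNN, rejecting the
# values the SSA never issues (area 000, 666, 900-999; group 00; serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Assumed clinical context terms: an SSN near one of these is classed as PHI, not just PII.
CONTEXT_TERMS = ("patient", "diagnosis", "prescription", "medical record", "icd-10")


@dataclass
class Finding:
    path: str         # file that held the match
    kind: str         # "phi" or "pii"
    matches: int      # distinct identifiers found
    authorized: bool  # True when the file sits in an allowlisted repository


def classify(text):
    """Content inspection: (kind, distinct_count), or None when the text is clean."""
    ssns = set(SSN_RE.findall(text))
    if not ssns:
        return None
    kind = "phi" if any(t in text.lower() for t in CONTEXT_TERMS) else "pii"
    return kind, len(ssns)


def check_outbound_email(body, recipient_domain, approved_domains):
    """Pre-send check: 'block' if the body carries PHI/PII and the recipient
    domain is not an approved channel, otherwise 'allow'."""
    if classify(body) is None:
        return "allow"
    approved = {d.lower() for d in approved_domains}
    return "allow" if recipient_domain.lower() in approved else "block"


def discover(root, allowlist=(), denylist=(), since=0.0):
    """Scan a tree. allowlist: directories where PHI may legitimately live (hits there
    are not violations). denylist: directory names never scanned. since: mtime cutoff,
    0 for a clean scan or the previous scan's start time for an incremental one."""
    allowed = [Path(p).resolve() for p in allowlist]
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or any(part in denylist for part in path.parts):
            continue
        if path.stat().st_mtime < since:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable; a real scanner would log this
        hit = classify(text)
        if hit is None:
            continue
        resolved = path.resolve()
        authorized = any(a == resolved or a in resolved.parents for a in allowed)
        findings.append(Finding(str(path), hit[0], hit[1], authorized))
    return findings


def remediate(findings, action="report"):
    """Act on unauthorized copies only ('report' or 'delete'); returns the paths acted on."""
    acted = []
    for f in findings:
        if f.authorized:
            continue
        if action == "delete":
            os.remove(f.path)
        acted.append(f.path)
    return acted


def demo():
    """Constructed sample tree (no real patient data): an authorized EHR export, a stray
    copy in Downloads, a clean note, then a second stray copy written after the first scan."""
    base = Path(tempfile.mkdtemp())
    (base / "ehr_exports").mkdir()
    (base / "Downloads").mkdir()
    record = "Patient J. Doe, SSN 123-45-6789, diagnosis ICD-10 E11.9\n"
    files = {
        base / "ehr_exports" / "batch1.txt": record,
        base / "Downloads" / "copy.txt": record,
        base / "Downloads" / "notes.txt": "Lunch at 12:30, bring 3 charts.\n",
    }
    for p, text in files.items():
        p.write_text(text)
        os.utime(p, (1_000_000, 1_000_000))  # fixed mtimes keep the incremental scan deterministic
    full = discover(base, allowlist=[base / "ehr_exports"])
    removed = remediate(full, action="delete")
    late = base / "Downloads" / "copy2.txt"
    late.write_text(record)
    os.utime(late, (2_000_000, 2_000_000))
    incremental = discover(base, allowlist=[base / "ehr_exports"], since=1_500_000)
    return {"full": full, "removed": removed, "incremental": incremental,
            "stray_removed": not (base / "Downloads" / "copy.txt").exists()}
```

Running `demo()` performs a clean scan that finds the record in both the authorized export directory and Downloads, deletes only the stray copy, and then runs an incremental scan that inspects just the file written after the first scan. A production scanner would add more detectors (medical record numbers, dates of birth, diagnosis codes), handle binary formats such as PDF and DOCX, and record every remediation in the audit trail, but the allowlist, cutoff, and remediation logic stay the same.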
3. Control removable devices
Although transfers over the internet are increasingly the method of choice, many employees still use removable devices such as USB drives or external hard disks to copy large amounts of data. These devices are small enough to be lost or stolen easily, and, worse still, USB drives have in recent years become popular carriers for malware. Addressing the risks of removable media is therefore a crucial step in protecting healthcare information from cybercriminals who target these devices.
Healthcare services wishing to address these risks can use DLP solutions to monitor and control the use of peripheral and USB ports as well as Bluetooth connections. They can block their use entirely or limit it to approved devices. This also lets them track which employee used which device and when, making it easy to spot suspicious activity and potential data theft. Some solutions, like Endpoint Protector, offer granular policies, meaning that companies can apply different levels of restriction based on groups, departments, devices, or individuals.
Healthcare organizations can also take an extra step and use Endpoint Protector’s Enforced Encryption feature, which ensures that any data copied onto a USB drive is automatically encrypted and readable only by those holding the decryption key. If the USB drive is lost or stolen, the administrator can remotely wipe the device and push updates and messages to users.
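The granular device-control policies just described (block everything, or allow only approved devices, with different rules for groups, departments, or individuals) come down to a precedence question: which rule wins when several match. The following Python script is an added example, not Endpoint Protector code. It assumes a device is identified by USB vendor ID, product ID, and serial number; that rules are scoped to a user, a department, or globally; that the most specific scope with a matching rule decides; that within a scope the most specific device pattern decides, with an explicit deny beating an allow; and that anything unmatched is denied. The vendor and product IDs, user names, and serials in the sample policy are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

SCOPE_ORDER = ("user", "department", "global")  # most specific scope first


@dataclass(frozen=True)
class Device:
    vendor_id: str   # USB VID as a hex string
    product_id: str  # USB PID as a hex string
    serial: str      # "" for devices that report no serial

    def patterns(self):
        """Selectors this device matches, most specific first."""
        vidpid = f"{self.vendor_id.lower()}:{self.product_id.lower()}"
        pats = [f"{vidpid}:{self.serial}"] if self.serial else []
        pats.extend([vidpid, f"{self.vendor_id.lower()}:*", "*"])
        return pats


@dataclass(frozen=True)
class Rule:
    scope: str    # "user" | "department" | "global"
    subject: str  # user name, department name, or "*" for global
    device: str   # "vid:pid:serial", "vid:pid", "vid:*", or "*"
    action: str   # "allow" | "read_only" | "deny"


def resolve(rules, user, department, device):
    """Return (action, rule) for this user and device; default deny when nothing matches."""
    subjects = {"user": user, "department": department, "global": "*"}
    for scope in SCOPE_ORDER:
        in_scope = [r for r in rules if r.scope == scope and r.subject == subjects[scope]]
        for pat in device.patterns():  # first pattern with any hit decides
            hits = [r for r in in_scope if r.device == pat]
            if not hits:
                continue
            denies = [r for r in hits if r.action == "deny"]
            if denies:
                return "deny", denies[0]  # explicit deny beats allow at equal specificity
            ro = [r for r in hits if r.action == "read_only"]
            return ("read_only", ro[0]) if ro else ("allow", hits[0])
    return "deny", None


class DeviceControl:
    """Evaluates connect events against a policy and keeps an audit trail."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.audit = []

    def connect(self, user, department, device, when=None):
        when = when or datetime.now(timezone.utc)
        action, rule = resolve(self.rules, user, department, device)
        self.audit.append({
            "time": when.isoformat(),
            "user": user,
            "department": department,
            "device": ":".join((device.vendor_id, device.product_id, device.serial)),
            "action": action,
            "rule": None if rule is None else f"{rule.scope}:{rule.subject}:{rule.device}",
        })
        return action


# Constructed sample policy: IDs, names and serials are made up.
SAMPLE_RULES = [
    Rule("global", "*", "*", "deny"),                              # block everything by default
    Rule("department", "radiology", "0781:5583", "allow"),         # approved model for radiology
    Rule("department", "radiology", "0781:5583:SN-9001", "deny"),  # except one unit reported lost
    Rule("user", "alice", "0781:*", "read_only"),                  # alice may only read from that vendor
]


def demo():
    dc = DeviceControl(SAMPLE_RULES)
    t = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    results = [
        dc.connect("bob", "radiology", Device("0781", "5583", "SN-1234"), t),    # allow
        dc.connect("bob", "radiology", Device("0781", "5583", "SN-9001"), t),    # deny: lost unit
        dc.connect("carol", "billing", Device("0781", "5583", "SN-1234"), t),    # deny: global default
        dc.connect("alice", "radiology", Device("0781", "5583", "SN-1234"), t),  # read_only: user scope wins
        dc.connect("bob", "radiology", Device("0781", "5583", ""), t),           # allow: no serial, model rule
    ]
    return results, dc.audit
```

Each audit record names the rule that produced the decision, which is what an investigator needs when reconstructing who connected which device and why it was allowed. Note that a device reporting no serial can only be matched at model or vendor level, so serial-based denies cannot catch it; a production policy would usually treat such devices as unapproved.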
Frequently Asked Questions
Tools like Data Loss Prevention (DLP) solutions allow healthcare providers to define sensitive data and then monitor and restrict its use and transfer through network-wide policies. Some, like Endpoint Protector, even come with predefined policies for legislation like HIPAA and GDPR, ensuring that the data protected is in line with compliance needs. Through their data discovery features, DLP solutions help organizations find sensitive data wherever it is stored on the network and allow for remediation actions such as encryption or deletion when it is found in unauthorized locations.
One of the biggest threats to healthcare data security is insiders. Whether through negligence, malicious intent, or susceptibility to phishing and social engineering, employees are the root cause of 33% of all data breaches. The potential harms are numerous: financial fraud, data corruption, theft of valuable information, and malware installation. These incidents can lead to breaches that expose sensitive information such as Personally Identifiable Information (PII) or Intellectual Property (IP) and result in heavy fines.
Health data, because of its sensitive nature, has long been treated as a special category of data and invariably falls within the scope of data protection regulations. Under the EU’s General Data Protection Regulation (GDPR), it is explicitly classed as a special category of personal data under Article 9, which prohibits processing it unless one of the article’s specific conditions applies. In the US, health data falls within the scope of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), two interconnected acts that together set the requirements for its protection.