Restoring confidence in the security of health information will take work
A recent study looking at trends and characteristics of healthcare data breaches points to the stark reality that healthcare organizations are losing the battle to protect information systems from malicious insiders and cybercriminals. A research letter authored by Thomas McCoy, Jr., MD and Roy Perlis, MD, published in the Sept. 25, 2018 issue of JAMA, reported on a study of all breaches posted to the online breach portal of the Department of Health and Human Services, Office for Civil Rights between January 2010 and the end of December 2017. The researchers identified over 2,100 incidents that compromised the personal information of over 176 million individuals during the 7-year time frame. [1]
Between 2014 and 2017 alone, 155 million records were exposed. [2] During this period, the most common breach sites shifted from laptops and paper or film records to network servers, electronic health records, and email. This shift coincided with a transition from theft as the No. 1 breach type to hacking and unauthorized access. If the past four years have shown us anything, it's that the threat of insiders and cybercriminals stealing healthcare data is serious and growing.
The following are a few solutions that experts have identified as some of the most effective to help organizations get the best return on their investment of scarce resources of time and money.
Perform a risk analysis
HIPAA, the Promoting Interoperability Program (formerly known as Meaningful Use), and a number of states that have recently added data protection requirements for personally identifiable information require healthcare organizations to conduct a formal risk analysis, yet many organizations lack a thorough risk assessment. There are several different frameworks available when conducting a risk assessment. OCR recommends that organizations use a framework that is built around the NIST 800-30 Guide for Conducting Risk Assessments and the NIST Cybersecurity Framework. [3] The key to an effective risk assessment is to scope it to include all information technology across the organization that handles electronic protected health information (e-PHI). Identify the potential risks that could jeopardize the confidentiality, integrity and availability of protected health information (PHI). To do this, be sure to document what these risks are and determine the likelihood that each could occur. It's important to remember that risk analysis is an ongoing process, in which an organization regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of the security measures put in place, and regularly reevaluates potential risks to e-PHI.
Use data loss protection solutions
In the modern healthcare ecosystem, it's all about the data and what can be done with it, which is why Data Loss Prevention (DLP) tools can be a priority to implement. DLP has the capability to control exfiltration of PHI and therefore reduce the risk of breaches. DLP allows IT administrators to identify where sensitive information resides within the enterprise through discovery; to see where it is going, how it is being used and who is using it through network management; and to manage access to and storage of data on endpoints, including external destinations like the cloud. In short, it enhances awareness of what is going on with information, enables better control of those actions, and helps to protect against unauthorized disclosures and loss of data.
Healthcare organizations today have thousands of endpoints and secondary locations where PHI and other sensitive information can and will end up. The overwhelming majority of breaches in which a malicious insider steals PHI involve an endpoint device, and DLP as an end-to-end enterprise solution provides the ability to manage those devices and reduce this risk. Deploying DLP to the endpoint device can restrict actions like saving the data, copying the data, transmitting the data, etc. without disabling overall functionality. So instead of shutting down the USB port on a workstation, IT administrators set rules using DLP to manage what is permitted via that USB port. Organizations can set policies that allow laptops to access PHI but not save it locally, or that require encryption to be enabled first. DLP is a powerful enterprise-level tool capable of enhancing awareness of where sensitive information is located, improving the ability to manage that information, and reducing the risk of unauthorized data exfiltration.
Technology to audit and monitor access to PHI
Traditional randomized, manual audits of user access to patient records and rule-based monitoring technologies are not sufficient for modern healthcare organizations, which combine many information systems, applications, connections, employees and relationships into an environment that must ensure the confidentiality of protected health information. State-of-the-art monitoring technologies employ behavioral modeling to enable a machine-learning-driven approach, which combines public information with algorithms to understand every user's individual patterns of information system usage. This always-improving context allows organizations handling PHI or other sensitive information to find malicious user access patterns that might otherwise remain hidden. It also finds perfectly reasonable explanations for usage patterns that might otherwise have taken hours to investigate.
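The contrast between rule-based and per-user behavioral monitoring can be seen in a small added example, which is not from the article or any vendor product. A median/MAD robust z-score stands in here for the machine-learning model; the user names, daily access counts and both thresholds are constructed assumptions.

```python
"""Per-user baseline vs. fixed-rule monitoring of patient-record access."""
from statistics import median

# Constructed sample data: records opened per day by each user (not real logs).
HISTORY = {
    "er_nurse":    [110, 95, 120, 105, 130, 98, 115, 102, 125, 108],
    "billing_clk": [12, 9, 15, 11, 10, 14, 8, 13, 12, 10],
}
TODAY = {"er_nurse": 128, "billing_clk": 85}

RULE_LIMIT = 200   # assumed organization-wide rule: alert above 200 records/day
Z_LIMIT = 3.5      # assumed cut-off for the robust z-score


def rule_based_alerts(today, limit=RULE_LIMIT):
    """Static rule: one threshold applied to every user."""
    return sorted(u for u, n in today.items() if n > limit)


def robust_z(history, value):
    """Modified z-score from median and MAD; resists outliers in the baseline."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:   # flat history: any change at all is a deviation
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def baseline_alerts(history, today, z_limit=Z_LIMIT, min_days=7):
    """Flag users whose count today is far above their own baseline."""
    alerts = {}
    for user, count in today.items():
        past = history.get(user, [])
        if len(past) < min_days:   # too little history to model this user
            continue
        z = robust_z(past, count)
        if z > z_limit:
            alerts[user] = round(z, 1)
    return alerts


if __name__ == "__main__":
    print("rule-based:", rule_based_alerts(TODAY))
    print("baseline:  ", baseline_alerts(HISTORY, TODAY))
```

The billing clerk's 85 records stay under the static limit but sit far outside that user's own history, while the ER nurse's busier day of 128 is explained by their normal workload and raises no alert.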
References
1. McCoy TH, Perlis RH. Temporal Trends and Characteristics of Reportable Health Data Breaches, 2010-2017. JAMA. September 2018.
2. Id.
3. Initiative, J. T. (2012, September 17). Guide for Conducting Risk Assessments. Retrieved from https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final