Section 13402(e)(4) of the HITECH Act requires that the United States Department of Health and Human Services (HHS) Secretary publish a list of breaches of unsecured protected health information (PHI) affecting 500 or more individuals. The list posted by HHS shows that data belonging to more than 120 million people has been compromised in over a thousand separate breaches at organizations handling protected health data since 2009.
This is a staggering one third of the U.S. population and does not include incidents involving less than 500 individuals, like the recently announced Backus Hospital data breach of 360 patients.
According to Glenn Stadnick, East Region Compliance Manager for Hartford Healthcare, the Backus Hospital incident involved an employee taking patient records home to work on them since August of 2014. Compromised information may have included names, medical record numbers, date of treatments, diagnosis and treatment information.
In June of 2015, the Montefiore Health Systems data breach exposed information for more than 10,000 patients. In this incidence, an employee accessed names, addresses, dates of birth, social security numbers, next of kin information and health insurance details. Information was used to purchase clothing and other merchandise from some of New York’s finest department stores.
Healthcare providers already have to comply with government rules on protecting patient privacy, including HIPAA, which are enforced by HHS and various data security laws put in place by individual states. So with all the data security measures in place, why is this data still being compromised?
Cyber security and privacy advocates agree that the industry and the government still aren’t doing enough to protect consumers. HIPAA requires security be addressed, but it does not prescribe how. Traditionally, most organizations use a perimeter-based approach to security. They frequently rely on older systems and some have not invested in cybersecurity to match the threats they face in today’s connected world.
Confidential/sensitive data is not static, content is in constant motion, traversing resources and perimeters. Sensitive documents seldom reside on a single device. People download information from secured databases into spreadsheets and send them throughout an organization as they do their daily work. They create reports and save them as PDFs. They copy files to servers, put them in document repositories and print them for review or distribution. They email them outside an organization or store them in cloud-based services, such as Dropbox.
Today, there is a need to implement security that goes beyond a perimeter based approach. Healthcare organizations need to control who has access to protected health information and implement dynamic security policies to proactively manage how information is used or potentially misused Most importantly, they need a method to disable confidential information with the click of a button, regardless of its location.
More and more class-action lawsuits are being filed against those that have failed to protect health information properly, pointing to an interesting trend. Healthcare organizations need to look beyond data at rest and data in motion. Experts suggest that a persistent data-centric security approach is the best way to address today’s security challenges of our connected world.