Today’s medical care is delivered by connecting patients, doctors, nurses, pharmacists, technicians, administrators and accountants with electronic health records (EHR), connected medical devices and insurance companies. Providers are connecting to Health Information Exchanges (HIE) and implementing Electronic Medical Records (EMR) to improve patient outcomes and lower costs, and healthcare organizations are increasingly implementing more connected devices.
According to the recent Websense Security Labs™ 2015 Healthcare Drill-Down Report, the healthcare industry sees 340 percent more security incidents than the average business sector, so potential risks must not be overlooked. InfoSecurity points out that, according to a recent study by Intel, internal actors were responsible for 43% of data loss, half of it intentional and half accidental. Healthcare organizations must add a data-centric approach to their security posture to meet today’s security challenges.
The healthcare industry is regulated by the Health Insurance Portability and Accountability Act (HIPAA), but achieving compliance with HIPAA or other mandates does not by itself keep protected health information (PHI) secure. These mandates and standards are the bare minimum for keeping patient information safe. Many healthcare organizations still approach security with a checkbox compliance attitude: they look for control measures that can be used to check off a particular line item in the regulatory requirements, regardless of whether those measures are effective. As evidenced by the PHI breach list published by the United States Department of Health and Human Services (HHS), doing the minimum to protect PHI is not enough.
Healthcare organizations need to map out how sensitive data enters and flows through their organization, who accesses it, what they do with it and where copies of this information reside. This is not a small job, especially for large, complex healthcare organizations, but it allows an organization to tailor its controls to protect PHI. Once this mapping is done, organizations can define policies on usage and enforce them.
In the Verizon 2015 Data Breach Investigations Report, the most common healthcare breach category is simple errors, with the top 3 most common errors being publishing errors, documents or email sent to the wrong person, and disposal errors.
As the actors in the healthcare sector collaborate, even in the simplest use cases such as file sharing, a perimeter-based security paradigm quickly breaks down. There is no control over all the devices, networks and applications that people use. The traditional paradigm of controlling the full technology stack commonly leads to failures: either data is locked down tighter and tighter, lowering productivity, or controls are relaxed and data then leaks to unmanaged devices, storage locations and unauthorized users.
Data-centric security overcomes these issues by focusing on the user and the data that user processes, all governed by a data-centric policy. It protects the data itself, regardless of location, device and application. Healthcare organizations must add a data-centric approach to their security posture as part of an overall layered security strategy.