Tag: healthcare data breach

Encrypt PHI and apply persistent security policies to stop healthcare data breaches

Today, nobody argues that the healthcare industry is a gold mine for the bad guys, and theft of protected health information (PHI) is becoming a regular event. The “Verizon 2015 Protected Health Information Data Breach Report” indicated that 90 percent of industries in the medical and health care arena have experienced a PHI breach, and with all the reports in the media it is clear to everyone that the situation has reached a critical point.

In 2015, we witnessed numerous health insurers and hospital systems fall victim to data breaches. While Anthem and Premera were some of the bigger names making regular headlines last year, attacks reached even physicians’ offices. Just recently, Centene Corporation and IU Health Arnett lost hard drives, compromising the records of almost 1,000,000 people.

Everywhere we look, health care providers make significant use of electronic medical records, electronic prescribing, and digital imaging. Whether it is the physician’s office, a hospital, an insurer, a medical association, a laboratory, a disease registry, or a government agency, everyone is gathering digital information on the health status, care details, and health care costs of Americans. Along with personally identifiable information (PII) such as names, mailing addresses, email aliases and dates of birth, healthcare entities also hold extremely personal and protected health data, such as lab results, reports, prescribed medications and medical conditions. In the event of a breach, unlike a credit card number, none of this information can be easily changed, and its lifecycle is very long – in some cases forever.

The Affordable Care Act has created significant incentives for doctors’ offices to embrace EHR systems as a replacement for paper-based medical records. Data is now being integrated in an effort to do away with the siloed approaches of individual provider groups, health plans, and government offices.

While the industry and governance bodies talk compliance and claim protected health information is safe and secure, the constant stream of disclosed data breaches shows this is far from the truth. Despite all the time, effort and money spent on traditional security tools used to achieve compliance, thieves are still able to gain access to PHI for monetary gain.

The healthcare industry should consider the following steps to remain secure and stop healthcare data breaches:

  • Realize and accept your risk – Take note that the protected health data you possess is a target for criminals. Simply complying with HIPAA does not equate to properly securing PHI against unauthorized use.
  • Identify where your PHI data is and who has access to it – Healthcare entities often have a false picture of where sensitive data is stored and who has access to it. It is easy to forget that users copy sensitive data out of secure locations by saving it locally or moving copies around. The result is that security and control are lost, with copies floating around on thumb drives, disks, email, laptops, home computers, and paper printouts.
  • Properly secure your data – Most, if not all, entities dealing with healthcare data secure PHI at rest and in motion while completely missing a significant threat gap: “data in use”.
    • Label or classify data
    • Encrypt your data
    • Persistently protect data using policy-driven methods
    • Track and monitor usage
    • Dynamically adjust usage policies and access
  • Plan for breach response
    • Have means to render breached data useless
    • Have an Incident Response Plan
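The sub-bullets above describe one data-centric workflow: label the data, encrypt it, enforce a usage policy every time it is opened, log each use, adjust the policy later, and revoke to render breached copies useless. As an added example that is not part of the original post, the Python below models that workflow end to end. It uses only the standard library, so the cipher is a demonstration construction (an HMAC-SHA256 keystream with an encrypt-then-MAC tag) standing in for AES-GCM from a vetted library; the PolicyServer, ProtectedDoc, protect, update_policy and open_doc names, the role-and-expiry policy shape, and the sample lab-result record are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Added illustration, not code from the original post. The cipher is a
# demonstration construction (HMAC-SHA256 keystream, encrypt-then-MAC) so the
# file runs with the standard library alone; a real deployment would use
# AES-GCM from a vetted library in its place.


class AccessDenied(Exception):
    """Raised when policy, key state, or an integrity failure blocks a use."""


def _subkeys(key):
    # Derive separate encryption and MAC keys from one 32-byte document key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # layout: 16-byte nonce | ciphertext | 32-byte tag


def decrypt(key, blob):
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class PolicyServer:
    """Assumed central service holding keys, usage policies and the audit log.
    Copies of a document carry only ciphertext, so every open must come back
    here; revoking a key renders every copy useless wherever it has travelled."""

    def __init__(self):
        self._keys = {}
        self.policies = {}
        self.audit = []  # who tried to open what, when, and the outcome

    def register(self, doc_id, allowed_roles, expires):
        self._keys[doc_id] = secrets.token_bytes(32)
        self.policies[doc_id] = {"allowed_roles": set(allowed_roles), "expires": expires}
        return self._keys[doc_id]

    def get_key(self, doc_id):
        return self._keys.get(doc_id)  # None once revoked

    def revoke(self, doc_id):
        self._keys.pop(doc_id, None)


@dataclass(frozen=True)
class ProtectedDoc:
    doc_id: str
    classification: str  # the label travels with the data
    ciphertext: bytes


def protect(server, doc_id, classification, allowed_roles, ttl_seconds, plaintext, now):
    key = server.register(doc_id, allowed_roles, now + ttl_seconds)
    return ProtectedDoc(doc_id, classification, encrypt(key, plaintext))


def update_policy(server, doc_id, allowed_roles=None, expires=None):
    """Adjust usage policy after the fact; every copy sees it on its next open."""
    policy = server.policies[doc_id]
    if allowed_roles is not None:
        policy["allowed_roles"] = set(allowed_roles)
    if expires is not None:
        policy["expires"] = expires


def open_doc(server, doc, user, role, now):
    """Each use is a policy decision plus an audit record, never a bare decrypt."""
    decision = "allow"
    try:
        policy = server.policies[doc.doc_id]
        if role not in policy["allowed_roles"]:
            decision = "deny:role"
        elif now > policy["expires"]:
            decision = "deny:expired"
        elif (key := server.get_key(doc.doc_id)) is None:
            decision = "deny:revoked"
        else:
            try:
                return decrypt(key, doc.ciphertext)
            except ValueError:
                decision = "deny:tampered"
        raise AccessDenied(decision)
    finally:
        server.audit.append({"doc": doc.doc_id, "user": user, "role": role,
                             "at": now, "decision": decision})
```

The point of the structure is that a copy of the document on a thumb drive or in an email is just ciphertext: whoever holds it still has to ask the policy server, which applies the current role and expiry policy, writes an audit record, and can refuse outright once the key has been revoked. That last step is what "render breached data useless" looks like in practice.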

You can stop healthcare data breaches by putting data-centric, persistent security in place, rather than scrambling around after the damage has been done to you and your patients.

Will Healthcare Data Breaches Increase in 2016?

A recent article in Forbes addresses the massive healthcare data breaches of 2015, in which over 112 million records were lost, stolen or inappropriately accessed. The Office of Civil Rights (OCR) under the Department of Health and Human Services publishes these data breaches as they are reported to it, as required by HIPAA. The numbers are a bit staggering. The top ten data breaches accounted for the majority of the violations, and most of the headlines focused on hackers.

While hackers breaking into systems make the headlines, a large number of data breaches also result from negligence, lost or stolen devices and basic human error. A 2015 data breach study estimates that breaches cost the healthcare industry about $5.6 billion annually. While companies like Anthem may have insurance against this type of loss, you can bet those premiums are passed along to consumers through rising health insurance costs and other increases.

As healthcare moves toward connected care, the amount of data exchanged between organizations will only grow. What does this mean? It means that in 2016 we are going to see a huge movement towards encryption in hospitals and other healthcare facilities in order to protect EHRs and other vulnerable PHI.

According to a 2014 Healthcare Breach Report, 68 percent of all healthcare data breaches since 2010 are due to device theft or loss. The headlines make it appear that hackers are attacking databases, but in reality most of the problems come from unstructured content inside documents – and those documents are not encrypted. Encrypting data is vital to protecting patient information. Recent privacy and security laws, like those in New Jersey, mandate that insurance carriers encrypt personal information. This will logically extend to anyone that deals with the carriers and handles PHI.

Can we expect more of the same in 2016, or will healthcare providers and anyone dealing with PHI begin to see the light? Legislation is getting tougher, and consumer outcry may help turn the tide. As credit card data becomes less valuable, PHI becomes more valuable. Anthem may have insurance that covers its losses, but once your healthcare records are compromised, it is difficult to stop the bad guys from causing you financial and legal pain.


Photo credit Intel Free Press