
Common Headline in 2015: Healthcare Data Breach

How many more data breaches can patients take? This could ultimately be the question, given the surge of healthcare data breaches last year and this year. Once again, the personal health information of 3,000 people was leaked after a data breach at a Georgia program that offers services for seniors. The breach included the health diagnoses of people in the Community Care Services Program.

What was the cause? An email was mistakenly sent to a “contracted provider”.

We are all too familiar with this kind of data breach. An insider who is not malicious but nevertheless accidentally sends sensitive data to the wrong person is one of the main reasons for these data breaches. Back in March 2015, in an article written when the Anthem and Premera data breaches had just occurred, we were worried as well. Four months have passed and the numbers are not slowing down.

In a recent study by the Ponemon Institute, a shockingly high 91 percent of respondents reported falling victim to at least one data breach in the last two years. The majority of respondents had suffered 11 or more incidents. However, the main point of that report, and what healthcare organizations should have realized, is not that this industry has failed in the realm of data security. It is that these organizations should now, even right this minute, take the necessary steps to secure and encrypt their data. More and more laws are being put into place, and violating them by failing to secure customers’ data will result not only in loss of customers, but in hefty fines.

Unfortunately, even at a time when legislation is pushing for all data to be encrypted, UCLA Health System recently announced a data breach that has now affected over 4.5 million people. The stolen data was totally unencrypted, making the threat to the people whose data was in UCLA Health System’s computers more serious. But then again, as we just mentioned, it is not too late to make the decision to secure the data.

How do we secure that data? Using a multilayered approach to information security that focuses on the data rather than the perimeter is a more effective way to deal with and mitigate these threats. A data-centric security model with people-centric policy allows you to implement effective file-level security policies and granular permission controls for all kinds of data, no matter where they are.

Here are some advantages, taken from a previous blog post, that still apply to a data-centric security approach to protecting your sensitive information:

· Encrypt PHI (Protected Health Information) to meet HIPAA and new data protection legislation
· Secure files downloaded from health information systems
· Control who can View, Edit, Print and take a Screen Capture of protected documents
· Dynamically control who can access the file
· Trace and control user/file activities in real-time
· Scan files to identify PHI and apply security policies automatically

Protecting your patients’ information ensures you meet healthcare regulations and preserves patient confidentiality. Reduce the risk of HIPAA violations and PHI exposure at a time when healthcare data breaches alone are reaching record numbers in 2015.

 


Still Not Encrypting Your Data?

Are we still not encrypting our data at a time when cyber-attacks have been happening to so many big names in healthcare, retail and government? Recently, UCLA Health System’s computer network was broken into by hackers, who may have accessed sensitive information on as many as 4.5 million patients. The information included names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as some medical information such as patient diagnoses and procedures.

The intrusion is raising fresh questions about the ability of hospitals, health insurers and other medical providers to safeguard the vast troves of electronic medical records and other sensitive data they are stockpiling.

The reason this is making even more news is that UCLA did not take the basic step of encrypting patients’ data, even after all the major breaches at the federal government and at health insurance giant Anthem Inc. This has drawn swift criticism from security experts and patient advocates. It is no secret that the healthcare industry has been the target of many data breaches. However, these breaches continue, and the vulnerability of these systems has given hackers a field day stealing sensitive data.

Nowadays, hospitals have to worry not only about losing business and patients: the government will also investigate breaches of patient privacy and can levy significant fines for violations under the Health Insurance Portability and Accountability Act, also known as HIPAA.

However, compliance aside, the most important aspect is to ensure that this information is really protected. A recent article in HIT Leaders and News mentions how “while compliance is still a major driver in healthcare, compliance does not equal security. Organizations that drive data security efforts based on compliance put their data at risk. Healthcare organizations need to take a more holistic and proactive approach in their data security strategy.”

Also mentioned in this article is the fact that recent legislation in New Jersey has taken the step of mandating the use of encryption for PHI, or Protected Health Information, that “renders personal information unreadable, undecipherable or unusable by unauthorized persons.” This definitely means more than just having a password on your data; it pushes you toward a more robust method that ensures all aspects of the data are secure, no matter where it is.

Let us hope that data breaches such as this one have provided a lesson to other healthcare organizations, and to organizations in other industries, that they must implement security and encryption to “completely block the path to your most valuable assets.”

 


The Debate of Encrypting to Prevent Data Breaches

All the data breaches in the news these days have caused many to think about encrypting their data to prevent the losses a breach will bring.  With one of the biggest private health care providers in the US falling victim to a massive data breach, we can learn from its experience.

Even though credit card information wasn’t exposed, other sensitive data was, including names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.

So the question here is why no encryption? According to SC Magazine, the institution felt it had other security strategies. Unfortunately, this is not the only incident of a data breach in the healthcare industry. Whether the cause is a stolen laptop containing sensitive patient information or a back door planted in a system, information detailing abnormalities in usage behavior should be enough for IT administrators to notice and act upon.

The topic that needs to be discussed and agreed upon is a clear, understandable encryption standard for the US and globally. Other countries are pushing these standards and requiring further encryption details for companies to abide by.

Encryption can be tuned to limit the amount of data that even authorized users can view at one time. That makes it harder for an outsider to copy a whole stockpile of records. All organizations nowadays, especially health care providers, should expect their data to be encrypted from end to end.

Fasoo Enterprise DRM (Digital Rights Management) could have prevented the exposure in this situation, even though credentials were stolen and used to access the data.  If Fasoo monitored this situation, it would have noticed the excessive activity and the access to this data would have been revoked.  Even if the information had been stolen, it would be inaccessible to unauthorized users.

 


It’s a Bad Week for the Healthcare Industry

It definitely has been one of the worst weeks for data breaches in the healthcare industry. We went from big news out of Worcester, MA, with UMASS Memorial Medical Group (UMMG) reporting an insider data breach involving the health information of about 14,000 patients, to what is probably not just the biggest healthcare data breach but potentially the biggest breach of the year, with up to 80 million patient personal records on the line. The recent breaches have sparked debate over whether federal law should be changed so that healthcare companies would be required to encrypt the sensitive data they hold. The FBI last year also warned healthcare companies industry-wide that their data security practices needed to be strengthened amid the growing threat of cyberattacks.

Although Anthem Inc. was commended for detecting its breach only weeks after it apparently began, unlike the UMMG breach, the incident still tells patients who entrust their sensitive information to these organizations that these breaches will continue to occur. However, with big names like Anthem making the headlines, there is great hope that these organizations are coming around to understanding the need to protect their data. Healthcare data has a much longer shelf life than a stolen credit card, which is why that data is becoming increasingly popular with cyber criminals. That type of information can be used to open credit accounts and to commit identity theft, medical billing fraud, and insurance fraud.

Although security awareness and training are valuable and helpful, the time to make sure that the data itself is secure is now. Making sure that the data is encrypted and that permissions to that data are under control mitigates the risk of exposure even after the data is stolen. Whether the threat comes from outside hackers or insiders, the data itself must be persistently secure.

Fasoo Enterprise DRM (Digital Rights Management) provides organizations such as the two mentioned above, and many more in many different industries, with the ability to protect, control and trace sensitive data containing intellectual property, patient health information (PHI), personally identifiable information (PII) and more. It maintains file protection and prevents unintended information disclosure no matter where the data is.

Having your data DRM-protected with Fasoo will mitigate the risk and ensure that you won’t make the news for the same reasons as UMMG or Anthem Inc. Doesn’t that sound like a plan?
