
Tag: people-centric

Seven Employees at ProMedica Hospitals Breach Patient Information

Recently ProMedica Bixby and Herrick Hospitals contacted 3,472 patients informing them that their private medical records had been improperly accessed by seven employees. As is standard practice with the breach of patient information, patients received letters from ProMedica explaining the situation and the hospital’s action plan to prevent additional breaches, and offering a full year of free credit protection monitoring. The hospital also reported this incident of an insider threat to the U.S. Department of Health and Human Services.

The breach was discovered on April 7, 2016.  An internal investigation revealed that seven employees accessed patient medical records for patients they were not treating, without a valid business or clinical reason between May 1, 2014 and April 26, 2016. The information accessed included the patient’s full name, address, phone number, date of birth, insurance, diagnosis, medications and other clinical information. ProMedica commented that it did not appear that the employees intended to retain or use the information accessed, but could not verify it.  Not being able to verify intent or access is a major problem with sensitive information.

On May 12, 2016 during a congressional hearing, FDIC CIO Lawrence Gross Jr. was questioned by Congresswoman Lofgren about 7 recent data breaches by employees and if the FDIC had any technology in place to ensure that information that was inappropriately accessed and returned was not indeed further copied or reproduced. Lawrence Gross commented the FDIC did not have the technology in place.

These examples illustrate the challenges security officers and other executives face when trying to protect sensitive information.  What was once considered sufficient to guard an organization’s IT perimeter is no longer effective by itself against the most damaging problem – insider threats.

Today, the right solution is to add data-centric security to traditional perimeter security. Data-centric security includes methods to protect data as it travels both within the organizational perimeter and beyond, by limiting access to sensitive data according to policies that cover both users and activities. With this approach, an organization can locate sensitive data and monitor the ways users copy, move, and access it over time. Since data-centric security incorporates identity management systems to correlate specific users with activity on sensitive data, security officers can not only prevent unauthorized activity automatically, they can detect suspicious behavior patterns to take action before it’s too late. When necessary, they can even render sensitive data useless with a simple click of a mouse.

A particular set of data-centric security techniques focuses on unstructured data – files stored on PCs, file servers, other repositories and the mobile devices that more people are using to access enterprise networks – as it is stored, accessed, moved, and used over time.

Data-centric security should also allow users to work without undue interruptions as they pass information among multiple devices. A people-centric policy allows for flexibility and dynamic enforceability based on the context of content, users, devices, time of day, location, and so on. It acknowledges the need for exceptions to predefined policies, given the unpredictable nature of legitimate data creation and usage, while relying on advanced analytics to catch excessive deviations from the norm.
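The two paragraphs above describe correlating users with their activity on sensitive records and flagging deviations from context-based policy. The following is an added example (not code from the original post or from any vendor) that applies those ideas to a constructed EHR audit log: each access is checked against a constructed care-team roster (the "valid clinical reason" that was missing in the ProMedica case) and an assumed business-hours window, and users whose count of unrelated-record accesses exceeds a threshold are reported.

```python
from collections import Counter
from datetime import datetime

# Constructed EHR audit log (not real data): timestamp, user, patient, action
AUDIT_LOG = """\
2016-04-05T09:12:00 nurse_a P1001 view
2016-04-05T09:40:00 nurse_a P1002 view
2016-04-05T22:15:00 nurse_a P2001 view
2016-04-05T22:16:00 nurse_a P2002 view
2016-04-05T22:17:00 nurse_a P2003 export
2016-04-06T10:02:00 doc_b P1003 view
2016-04-06T10:30:00 doc_b P2004 view
"""

# Constructed care-team roster: patients each user has a clinical reason to see
CARE_TEAM = {
    "nurse_a": {"P1001", "P1002"},
    "doc_b": {"P1003", "P2004"},
}

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59, an assumed policy window

def parse_log(text):
    """Turn the whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events

def flag_events(events, care_team, business_hours=BUSINESS_HOURS):
    """Return (event, reasons) for every access that breaks a policy context."""
    flagged = []
    for ev in events:
        reasons = []
        if ev["patient"] not in care_team.get(ev["user"], set()):
            reasons.append("no-treatment-relationship")
        if ev["ts"].hour not in business_hours:
            reasons.append("outside-business-hours")
        if ev["action"] == "export" and "no-treatment-relationship" in reasons:
            reasons.append("export-of-unrelated-record")
        if reasons:
            flagged.append((ev, reasons))
    return flagged

def users_over_threshold(flagged, max_unrelated=2):
    """Users whose accesses without a care relationship exceed the threshold."""
    counts = Counter(ev["user"] for ev, reasons in flagged
                     if "no-treatment-relationship" in reasons)
    return {user: n for user, n in counts.items() if n > max_unrelated}
```

In a real deployment the roster would come from the scheduling or admission system and the threshold from a baseline of each role's normal access volume; the point is that the relationship check, not the perimeter, is what makes the ProMedica-style access visible.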

If the hospitals and the FDIC had used these approaches, no sensitive data would have been breached or misused, since only authorized users could have accessed the information. Are you looking at a better way to protect your data from insider threats?

Healthcare Data Breach - Unauthorized Access for Seven Years

UnityPoint Health-Allen Hospital has made the news very recently as one of the latest healthcare environments that had a data breach. While on the surface this news appears to be just another healthcare data breach, there is something very different about it: the breach occurred over a span of seven years and was only recently discovered and reported.

A “former employee” accessed 1,620 patient records that contained personal information and may have seen patients’ names, home addresses, dates of birth, medical and health insurance account numbers, and health information related to their treatments.

The Allen Hospital compliance team detected inappropriate access that started in September 2009 and ended in March 2016.  They started a review that resulted in the notification of the breach to the U.S. Department of Health and Human Services and impacted patients.

Why was this inappropriate access not immediately detected with all the technology in place to ensure HIPAA compliance?  What was missing?

A common pattern in healthcare today is that most healthcare organizations are more interested in simply putting a check mark in their HIPAA compliance mandates for encryption rather than doing what is necessary to truly secure PHI and PII. Today’s common practice is to protect information when it is stored or when sent via email. The moment an application or a user has to use that data, the sensitive information gets decrypted. The data is now in the clear. Anyone can print it, copy it, take a screen capture of it or even download it into a report. All control is lost regardless of the various perimeter-based solutions that are in place for compliance.

A data-centric approach to confidential information security, combined with people-centric attributes, not only can keep healthcare environments compliant, but can make them compliant in a way that is truly secure and complements traditional perimeter security. Adding data-centric security would ensure that data is protected as it travels both within the organizational perimeter and beyond. It would limit access to sensitive data according to policies that cover both users and activities. It would open up techniques to determine where sensitive data exists throughout the enterprise and to monitor such data by analyzing the ways in which users copy, move, and access it over time. This approach would incorporate identity management systems to correlate specific users with activity on sensitive data and provide a means to prevent unauthorized activity automatically, detect suspicious behavior patterns and offer specific actions in real time on a continual basis. It can go as far as rendering breached data useless with the click of a button.

Healthcare organizations need to understand that the data they are entrusted with and maintain is extremely valuable, and highly sought after by cyber criminals. They also need to take a proactive and not a reactive approach when it comes to securing patient information.  Simply put, healthcare organizations must catch up to other industries like financial services and bring data security to the data itself using a data-centric and people-centric approach.
