According to a slideshow recently published by IT Business Edge, breaches within healthcare organizations hit an all-time high in 2015. With healthcare records growing in value, cybercriminals have realized they can get a quick payout by stealing this confidential information and selling it to other malicious actors or groups.
Healthcare organizations have become easy targets because they tend to place more emphasis on compliance than on the security measures that actually matter. Meeting the letter of the law does not mean you are safe and secure. Imagine if your doctor only did the bare minimum during surgery to make sure the textbook procedure was followed, rather than actually finishing the job.
I’ve outlined 5 steps every healthcare organization can take to ensure better security of sensitive patient data:
Always encrypt sensitive health data and files, especially if you share them through file shares and when in storage.
Stewards of health data need to control which employees can access the information and what they are allowed to do with it.
Do not simply rely on perimeter security tools – create a PHI off switch that allows the organization to render PHI useless as needed. The switch makes PHI immediately unavailable to users on or off the network.
Implement a data-centric approach and place security above compliance. In today’s sophisticated threat environment, it is crucial to focus on protecting the data, not just the system where it lives.
Use a data security framework to monitor PHI, control access to PHI, and identify where it is located within the system.
Protected Health Information (PHI) security and patient privacy are major areas of concern for today’s health care providers, insurers, and their business partners. With each passing month, we are witnessing major new data breach incidents in the news that continually increase the number of individuals whose PHI is exposed.
Protected Health Information is an attractive target for the bad guys for several reasons. Much of the personal information in health records has a very long lifespan, and most of it cannot be easily changed. Information such as Social Security numbers, addresses, illnesses and treatments cannot be disabled or replaced with ease, unlike credit cards. The information has significantly more value, retains its value over time, is poorly secured, and on top of that cannot be disabled once breached with the technologies currently used in most healthcare environments. As the market rushed to digitize health records under the auspices of improved care, not much care was given to developing and implementing the kind of information security protocols needed to truly protect this information. So hackers were led to target protected health information (PHI) for big paybacks.
Besides the daily barrage of data breaches that make the headlines, there are many sources, such as the U.S. Department of Health & Human Services Office for Civil Rights Breach Portal and the Identity Theft Resource Center, that provide detailed information on the scope of the data breach carnage. The alarming scope of data breaches has over time prompted a number of states to pass legislation, a reaction after the fact, in an attempt to protect the personal data of healthcare consumers. But they fall short.
In my home state of New Jersey, a bill amending the New Jersey Consumer Fraud Act, codified at N.J.S.A. 56:8-196 to 56:8-198, became effective as of August 1, 2015. This amended law, only now, requires healthcare entities servicing patients within the state, such as hospitals, insurance companies and providers, to encrypt confidential patient information or otherwise secure personal information. However, much like HIPAA and various other state mandates, the law only goes as far as saying that sensitive data must be protected by technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person (N.J.S.A. 56:8-197). This requirement applies to removable media, laptops, desktop computers, tablets and mobile devices and protects personal information including a person’s first name, or first initial and last name, linked with at least one of the following:
Social Security number
Driver’s license number or other state identification card number
Address
Identifiable health information
The law enables the attorney general to enforce it with penalty fines ranging from $10,000 for a first offense to $20,000 for each subsequent offense, and it opens a path for class action lawsuits. Unfortunately, it still falls short of being effective.
The right way to protect patient and health information should have started by giving full control of medical information to patients themselves. This approach would have forced electronic medical records to be more portable, forced the implementation of true security rather than what is in place in most healthcare environments for “compliance” or “convenience” reasons, and forced notification mechanisms that catch potential threats in real time. It also would have given patients the ability to share their data only with those they deem appropriate, to control and deny access, to decide what authorized users may do with the data entrusted to them, and to render the data useless if and when necessary.
In the absence of this, the best any healthcare entity can do is, first and foremost, to discover where its sensitive patient information is, implement data-centric and people-centric encryption, and use policies to control, track and govern health information.
This is not a radical idea and the technology to properly secure PHI exists today. Those interested in what they can do to implement the best approach to data security can use Fasoo’s Data Security Framework as a blueprint for a true security program that meets and exceeds today’s needs and advanced persistent threats.
Today, nobody argues that the healthcare industry is a gold mine for the bad guys and theft of protected health information is becoming a regular event. The “Verizon 2015 Protected Health Information Data Breach Report,” indicated that 90 percent of industries in the medical and health care arena have experienced a PHI breach and with all the reports in the media, it is clear to everyone that the situation has reached a critical point.
In 2015, we witnessed numerous health insurers and hospital systems fall victim to data breaches. While Anthem and Premera were just some of the bigger names making regular headlines last year, attacks were seen to reach even physicians’ offices. Just recently Centene Corporation and IU Health Arnett lost hard drives that compromised almost 1,000,000 people.
Every direction we look, there is significant use of electronic medical records, electronic prescribing, and digital imaging by health care providers. Whether it is the physician’s office, hospitals, insurers, medical associations, laboratories, disease registries, or government agencies, everyone is gathering digital pieces of information on the health status, care details, and health care costs of Americans. Along with personally identifiable information (PII) like names, mailing addresses, email aliases and dates of birth, healthcare entities also hold extremely personal and protected health data, such as lab results, reports, prescribed medications and medical conditions. In the event of a breach, unlike a credit card number, none of this information can be easily changed and the lifecycle of such information is very long – in some cases forever.
The Affordable Care Act has created significant incentives for doctors’ offices to embrace EHR systems as a replacement for paper-based medical records systems. So, now data has been integrated in an effort to do away with siloed approaches within provider groups, health plans, or government offices.
While the industry and governance bodies talk compliance, and claim protected health information is safe and secure, this is far from the truth as evidenced by the constant data breaches that are disclosed. With all the time, effort and money spent on traditional security tools used to achieve compliance, thieves bent on theft are still able to gain access to PHI for monetary gain.
The healthcare industry should consider the following steps to remain secure and stop healthcare data breaches:
Realize and accept your risk – Take note that the protected health data you possess is a target of criminals. Simply complying with HIPAA does not equate to properly securing and locking away PHI data from unauthorized use.
Identify where your PHI data is and who has access to it – Most often healthcare entities have false ideas on where sensitive data is stored and who has access to PHI. It often escapes people’s minds that their users copy sensitive data accessed from secure locations by localizing them or moving copies around. The result is security and control being lost and copies floating around on thumb drives, disks, email, laptops, home computers, and paper printouts.
Properly secure your data – Most, if not all, entities dealing with healthcare data secure PHI at rest and in motion while they completely miss a significant threat gap – “data in use”.
Persistently protect data using policy-driven methods
Track and monitor usage
Dynamically adjust usage policies and access
Plan for breach response
Have means to render breached data useless
Have an Incident Response Plan
You can stop healthcare data breaches by putting in place data-centric, persistent security to avoid finding yourself scrambling around after the damage has been done to you and your patients.
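The “PHI off switch” from the five steps above and the “render breached data useless” item in the breach-response list both describe the same mechanism: keep file keys in a central policy service so that revoking a key disables every copy, wherever it sits. The following is an added illustration of that idea, not Fasoo’s product code; the PolicyService, file ids, users and rights are all constructed, and the stdlib HMAC keystream stands in for a real AEAD cipher.

```python
"""Illustrative 'PHI off switch' (constructed example, not Fasoo's product code).
Files are encrypted under a per-file key held only by a central policy service, so
copies on flash drives, laptops or e-mail stay unreadable unless the service approves
the user and the requested right; revoking the key renders every copy useless at once.
The HMAC-SHA256 counter-mode keystream is a stdlib stand-in and has no integrity check."""
import hashlib
import hmac
import os
import secrets

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (encrypts and decrypts)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

class PolicyService:
    """Central key store plus per-file, per-user usage policy and an audit trail."""
    def __init__(self):
        self._keys = {}      # file_id -> key, or None once revoked
        self._policies = {}  # file_id -> {user: set(rights)}
        self.audit = []      # (file_id, user, right, granted)

    def register(self, file_id: str, policy: dict) -> bytes:
        self._keys[file_id] = secrets.token_bytes(32)
        self._policies[file_id] = {u: set(r) for u, r in policy.items()}
        return self._keys[file_id]

    def request_key(self, file_id: str, user: str, right: str):
        allowed = right in self._policies.get(file_id, {}).get(user, set())
        key = self._keys.get(file_id)
        granted = allowed and key is not None
        self.audit.append((file_id, user, right, granted))
        return key if granted else None

    def revoke(self, file_id: str) -> None:
        """The off switch: no key, no access, wherever the copies are."""
        self._keys[file_id] = None

def protect(service: PolicyService, file_id: str, plaintext: bytes, policy: dict) -> bytes:
    key = service.register(file_id, policy)
    nonce = os.urandom(16)
    return nonce + _keystream_xor(key, nonce, plaintext)

def open_protected(service: PolicyService, file_id: str, blob: bytes, user: str, right: str = "view"):
    """Returns the plaintext only if the service grants `right` to `user`, else None."""
    key = service.request_key(file_id, user, right)
    return None if key is None else _keystream_xor(key, blob[:16], blob[16:])

def demo() -> dict:
    svc = PolicyService()
    record = b"Patient: J. Doe (constructed), DOB 1970-01-01, Dx: sample"
    blob = protect(svc, "lab-42", record, {"nurse": ["view"], "clerk": ["view", "print"]})
    results = {
        "nurse_view": open_protected(svc, "lab-42", blob, "nurse") == record,
        "nurse_print": open_protected(svc, "lab-42", blob, "nurse", "print"),
        "outsider_view": open_protected(svc, "lab-42", blob, "outsider"),
    }
    svc.revoke("lab-42")  # e.g. the drive holding blob was reported lost
    results["nurse_after_revoke"] = open_protected(svc, "lab-42", blob, "nurse")
    results["audit_entries"] = len(svc.audit)
    return results
```

Every key request, granted or denied, lands in the audit list, which is the “track and monitor usage” step of the same list.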
Massive PHI Breach at Children’s Medical Clinics of East Texas
An employee of the Children’s Medical Clinics with a retaliatory agenda to cause damage to the clinic’s reputation, stole and improperly disclosed the confidential data of 16,000 patients. Notification letters were sent to affected people to inform them that an employee took paper records from the facility and sent screenshots of electronic patient records to a former clinic employee. The Office for Civil Rights (OCR) health data breach portal indicates patient names, dates of birth, diagnostic information and treatment information were disclosed.
Challenge
Your employees access sensitive and confidential patient information daily so they can do their jobs. Without persistent data-centric security, they can devise creative ways to defeat traditional perimeter-based security measures. They can change the name of a sensitive file before printing it to avoid detection by security systems, or make screen captures of sensitive information. If you are in healthcare, you need to protect printed PHI and other sensitive information from easily leaving your premises. Such a disclosure is a HIPAA violation and can result in massive fines and legal action.
Fasoo Solution
Fasoo can block printing or require approval prior to printing a document if the document contains sensitive information. Each printout can be forced to contain a visible watermark showing who printed it, including company logo, user name, IP address, time, date and other identifying information. This allows you to know the source of a potential data breach and deters people from inappropriate behavior when handling sensitive patient information. This solution works with any physical or virtual printer, eliminating problems of using different printers or printer drivers. A full audit trail of all print activities, including the text or image of the actual printed content, ensures complete control of your printing environment. In addition, Fasoo can prevent screen captures. These features reduce the risk of exposing patient information.
Advantages
Restrict printing documents with PHI or other sensitive information
Require authentication prior to retrieving a printout
Apply dynamic watermarks to printouts without user intervention
Trace and manage printing activities, including the actual content of documents in text or image format
Limit printing to virtual printers
Control who can View, Edit, Print and take a Screen Capture
Healthcare data breaches due to misplaced flash drives seem to be a rising trend, as another case was reported on August 7, 2015. Lawrence General Hospital in Massachusetts reported that a flash drive was missing. Even though it held very limited patient information, it did include lab testing information such as patient names, lab testing codes and slide identification numbers. Letters were sent out to about 2,000 patients, and the hospital has yet to locate the flash drive. According to its website, the misplaced flash drive was “unencrypted”.
How many times have we heard this type of data breach occur and appear on our news feed?
In July, OhioHealth reported a similar data breach after discovering that a flash drive had gone missing. Approximately 1,000 patients’ data became vulnerable, and about 30 or so Social Security numbers were compromised. As in the previously mentioned data breach, this flash drive was “unencrypted” as well. In addition, in South Carolina, a safe containing two flash drives and two hard drives holding EMS patients’ Social Security numbers, patient names and addresses and clinical information was stolen, and, you guessed it, the flash drives were unencrypted.
It is not enough just to reinforce staff training and education on the “importance” of handling patient information securely; the data itself must be protected persistently no matter where it goes. Given these three incidents, it should now be beyond doubt that flash drives carrying sensitive information, including PHI (Protected Health Information) and other limited patient information, must be encrypted with data-centric security.
By adding context-aware data protection to your security framework, you can guarantee that only authorized people can access sensitive PHI no matter where it is. By encrypting this data and applying persistent security policies to it, even if the data leaves your network on a flash drive, as in this case, it is still protected and always under the appropriate control.
As breaches of this nature continue to occur, it is important that healthcare providers continue to emphasize not only the importance of keeping health data secure but also that healthcare organizations themselves make sure they have the appropriate data security to protect against external and internal threats on all of their devices, especially on flash drives.
How many more data breaches can patients take? This could ultimately be the question based on last year and this year’s surge of healthcare data breaches. Once again, the personal health information of 3,000 people was leaked after a data breach at a Georgia program that offers services for seniors. The breach included the health diagnoses of people in the Community Care Services Program.
What was the cause? An email was mistakenly sent to a “contracted provider”.
We are all too familiar with this kind of data breach. An insider who is not malicious but nevertheless accidentally sends sensitive data to the wrong person is one of the main causes of these data breaches. Back in March 2015, an article on this topic was written just after the Anthem and Premera data breaches had occurred, and we were worried at that time as well. Four months have passed and the numbers are not slowing down.
In a recent study by the Ponemon Institute, a shockingly high 91 percent of respondents reported falling victim to at least one data breach in the last two years. The majority of respondents had suffered 11 or more incidents. However, the main takeaway from that report, and what healthcare organizations should have realized, is not that this industry has failed at data security. It is that these organizations should now, even right this minute, take the necessary steps to secure and encrypt their data. More and more laws are being put into place, and failing to abide by these laws to secure customers’ data will result not only in lost customers but in hefty fines.
Unfortunately, even at a time when legislation is pushing for laws to encrypt all data, there was a recent announcement by UCLA Health System, and that data breach has now affected over 4.5 million people. The stolen data was totally unencrypted, making the threat to the people whose data was in the UCLA Health System computers more serious. But then again, as we just mentioned, it is not too late to make the decision to secure the data.
How do we secure that data? Using a multilayered approach to information security that focuses on the data rather than the perimeter is a more effective way to deal with and mitigate these threats. A data-centric security model with people-centric policy allows you to implement effective file-level security policies and granular permission controls for all kinds of data no matter where it is.
Here are some advantages listed in a previous blog post that still apply to a data-centric security approach to protecting your sensitive information:
· Encrypt PHI (Protected Health Information) to meet HIPAA and new data protection legislation
· Secure files downloaded from health information systems
· Control who can View, Edit, Print and take a Screen Capture of protected documents
· Dynamically control who can access the file
· Trace and control user/file activities in real-time
· Scan files to identify PHI and apply security policies automatically
Protecting your patients’ information ensures you meet healthcare regulations and preserves patient confidentiality. Reduce the risk of HIPAA violations and PHI exposure at a time when healthcare data breaches alone are reaching record numbers in 2015.
Are we still not encrypting our data at a time when cyber-attacks have hit so many big names in healthcare, retail and government? Recently, hackers broke into UCLA Health System’s computer network and may have accessed sensitive information on as many as 4.5 million patients. The information included names, dates of birth, Social Security numbers, Medicare and health plan identification numbers, as well as some medical information such as patient diagnoses and procedures.
The intrusion is raising fresh questions about the ability of hospitals, health insurers and other medical providers to safeguard the vast troves of electronic medical records and other sensitive data they are stockpiling.
The reason this is making even more news is that UCLA did not take the basic step of encrypting patients’ data, even after all the major breaches of the federal government and of health insurance giant Anthem Inc. This has drawn swift criticism from security experts and patient advocates. It is no secret that the healthcare industry has been the target of many data breaches. However, these breaches continue, and the vulnerability of these systems has made it a field day for hackers to steal sensitive data.
Nowadays, hospitals not only have to worry about losing business and patients; now the government will investigate breaches of patient privacy and can levy significant fines for violations under the Health Insurance Portability and Accountability Act, also known as HIPAA.
However, compliance aside, the most important aspect is to ensure that this information is really protected. A recent article in HIT Leaders and News notes that “while compliance is still a major driver in healthcare, compliance does not equal security. Organizations that drive data security efforts based on compliance put their data at risk. Healthcare organizations need to take a more holistic and proactive approach in their data security strategy.”
Also mentioned in this article is the fact that recent legislation in New Jersey has taken the step of mandating the use of encryption for PHI, or Protected Health Information, that “renders personal information unreadable, undecipherable or unusable by unauthorized persons.” This definitely means more than just having a password on your data; it is pushing you to have a more robust method to ensure that all aspects of the data are secure, no matter where it is.
Let us hope that data breaches such as this one have provided a lesson to other healthcare organizations, and to organizations in other industries, that they must implement security and encryption to “completely block the path to your most valuable assets.”