
Tag: Premera

Encrypt PHI and apply persistent security policies to stop healthcare data breaches

Today, nobody disputes that the healthcare industry is a gold mine for the bad guys, and theft of protected health information (PHI) is becoming a regular event. The “Verizon 2015 Protected Health Information Data Breach Report” indicated that 90 percent of industries in the medical and healthcare arena have experienced a PHI breach, and with all the reports in the media, it is clear to everyone that the situation has reached a critical point.

In 2015, we witnessed numerous health insurers and hospital systems fall victim to data breaches. While Anthem and Premera were just some of the bigger names making regular headlines last year, attacks were seen to reach even physicians’ offices. Just recently, Centene Corporation and IU Health Arnett lost hard drives, compromising the data of almost 1,000,000 people.

Every direction we look, there is significant use of electronic medical records, electronic prescribing, and digital imaging by healthcare providers. Whether it is the physician’s office, hospitals, insurers, medical associations, laboratories, disease registries, or government agencies, everyone is gathering digital pieces of information on the health status, care details, and healthcare costs of Americans. Along with personally identifiable information (PII) like names, mailing addresses, email aliases and dates of birth, healthcare entities also hold extremely personal and protected health data, such as lab results, reports, prescribed medications and medical conditions. Unlike a credit card number, none of this information can be easily changed after a breach, and its lifecycle is very long – in some cases forever.

The Affordable Care Act has created significant incentives for doctors’ offices to embrace EHR systems as a replacement for paper-based medical records. As a result, data that used to sit in silos within provider groups, health plans, or government offices is now being integrated and shared across them.

While the industry and governance bodies talk compliance and claim protected health information is safe and secure, the constant stream of disclosed data breaches shows this is far from the truth. With all the time, effort and money spent on traditional security tools used to achieve compliance, thieves are still able to gain access to PHI for monetary gain.

The healthcare industry should consider the following steps to remain secure and stop healthcare data breaches:

  • Realize and accept your risk – Take note that the protected health data you possess is a target for criminals. Simply complying with HIPAA does not equate to properly securing and locking away PHI from unauthorized use.
  • Identify where your PHI data is and who has access to it – Most often, healthcare entities have false ideas about where sensitive data is stored and who has access to PHI. It often escapes people’s minds that their users copy sensitive data accessed from secure locations by saving it locally or moving copies around. The result is that security and control are lost, with copies floating around on thumb drives, disks, email, laptops, home computers, and paper printouts.
  • Properly secure your data – Most, if not all, entities dealing with healthcare data secure PHI at rest and in motion while they completely miss a significant threat gap: “data in use”.
    • Label or classify data
    • Encrypt your data
    • Persistently protect data using policy-driven methods
    • Track and monitor usage
    • Dynamically adjust usage policies and access
  • Plan for breach response
    • Have means to render breached data useless
    • Have an Incident Response Plan

You can stop healthcare data breaches by putting data-centric, persistent security in place, rather than finding yourself scrambling around after the damage has been done to you and your patients.

Common Headline in 2015: Healthcare Data Breach

How many more data breaches can patients take? This could ultimately be the question, given last year’s and this year’s surge of healthcare data breaches. Once again, the personal health information of 3,000 people was leaked after a data breach at a Georgia program that offers services for seniors. The breach included the health diagnoses of people in the Community Care Services Program.

What was the cause? An email was mistakenly sent to a “contracted provider”.

We are all too familiar with this kind of data breach. A non-malicious insider who nevertheless accidentally sends sensitive data to the wrong person is one of the main causes of these breaches. Back in March 2015, when the Anthem and Premera data breaches had just occurred, an article raised the same worry. Four months have passed and the numbers are not slowing down.

In a recent study by the Ponemon Institute, a shockingly high 91 percent of respondents reported falling victim to at least one data breach in the last two years. The majority of respondents had suffered 11 or more incidents. However, the main takeaway from that report, and what healthcare organizations should have realized, is not simply that this industry has failed at data security. It is that these organizations should now, even right this minute, take the necessary steps to secure and encrypt their data. More and more laws are being put into place, and failing to abide by these laws to secure customers’ data will result not only in the loss of customers, but in hefty fines.

Unfortunately, even at a time when legislation is pushing for laws to encrypt all data, UCLA Health System recently announced a data breach that has now affected over 4.5 million people. The stolen data was completely unencrypted, making the threat to the people whose data was on UCLA Health System’s computers even more serious. But then again, as we just mentioned, it is not too late to make the decision to secure the data.

How do we secure that data? A multilayered approach to information security that focuses on the data rather than the perimeter is a more effective way to deal with and mitigate these threats. A data-centric security model with people-centric policy allows you to implement effective file-level security policies and granular permission controls for all kinds of data, no matter where they are.

Here are some advantages, listed in a previous blog post, that still apply to a data-centric security approach to protecting your sensitive information:

  • Encrypt PHI (Protected Health Information) to meet HIPAA and new data protection legislation
  • Secure files downloaded from health information systems
  • Control who can View, Edit, Print and take a Screen Capture of protected documents
  • Dynamically control who can access the file
  • Trace and control user/file activities in real time
  • Scan files to identify PHI and apply security policies automatically

Protecting your patients’ information ensures you meet healthcare regulations and preserves patient confidentiality. Reduce the risk of HIPAA violations and PHI exposure at a time when healthcare data breaches are reaching record numbers in 2015.

Photo credit by: Purple Slog
