UnityPoint Health-Allen Hospital has made the news very recently as one of the latest healthcare environments that had a data breach. While on the surface this news appears to be just another healthcare data breach, there is something very different about it; the breach occurred over a span of seven years and was only recently discovered and reported.
A “former employee” accessed 1,620 patient records that contained personal information and may have seen patients’ names, home addresses, dates of birth, medical and health insurance account numbers, and health information related to their treatments.
The Allen Hospital compliance team detected inappropriate access that started in September 2009 and ended in March 2016. They started a review that resulted in notification of the breach to the U.S. Department of Health and Human Services and to the impacted patients.
Why was this inappropriate access not immediately detected with all the technology in place to ensure HIPAA compliance? What was missing?
A common pattern in healthcare today is that most healthcare organizations are more interested in simply putting a check mark next to their HIPAA compliance mandates for encryption than in doing what is necessary to truly secure PHI and PII. Today's common practice is to protect information when it is stored or when it is sent via email. The moment an application or a user has to use that data, the sensitive information gets decrypted. The data is now in the clear. Anyone can print it, copy it, take a screen capture of it or even download it into a report. All control is lost, regardless of the various perimeter-based solutions that are in place for compliance.
A data-centric approach to confidential information security, combined with people-centric attributes, not only keeps healthcare environments compliant but makes them compliant in a way that is truly secure and complements traditional perimeter security. Data-centric security ensures that data is protected as it travels both within the organizational perimeter and beyond. It limits access to sensitive data according to policies that cover both users and activities. It opens up techniques to determine where sensitive data exists throughout the enterprise and to monitor that data by analyzing the ways in which users copy, move, and access it over time. This approach incorporates identity management systems to correlate specific users with activity on sensitive data, and provides a means to prevent unauthorized activity automatically, detect suspicious behavior patterns, and offer specific actions in real time on a continual basis. It can go as far as rendering breached data useless with the click of a button.
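One concrete piece of the monitoring described above is a check that correlates each record access with the user's documented treatment relationship, so that an employee browsing records of patients they are not treating is flagged the first time it happens rather than years later. The following is an added example written for this post, not code from UnityPoint Health or any vendor; the audit log lines, user names, patient identifiers, and care assignments are all constructed for illustration.

```python
"""Detection example: flag EHR record access without a documented treatment
relationship, and users who accumulate many such accesses.
All log lines, users, patients and assignments below are constructed."""
from collections import defaultdict

# Constructed audit log: timestamp, user, patient_id, action
AUDIT_LOG = """\
2016-03-01T08:02:11 nurse_a PAT-1001 view
2016-03-01T08:05:40 nurse_a PAT-1002 view
2016-03-01T08:06:02 clerk_b PAT-1001 view
2016-03-01T08:07:15 clerk_b PAT-2047 view
2016-03-01T08:07:49 clerk_b PAT-2048 print
2016-03-01T08:08:20 clerk_b PAT-2049 view
2016-03-02T09:10:00 nurse_a PAT-1001 print
"""

# Constructed care assignments: patients each user has a treatment relationship with
ASSIGNMENTS = {
    "nurse_a": {"PAT-1001", "PAT-1002"},
    "clerk_b": {"PAT-1001"},
}

def parse_log(text):
    """Parse the space-separated audit format used above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        events.append({"ts": ts, "user": user, "patient": patient, "action": action})
    return events

def detect_unrelated_access(events, assignments, max_unrelated=2):
    """Return per-event alerts for access with no care relationship, plus a
    per-user alert when distinct unrelated patients exceed max_unrelated."""
    alerts = []
    unrelated = defaultdict(set)
    for e in events:
        allowed = assignments.get(e["user"], set())
        if e["patient"] not in allowed:
            alerts.append(("no_relationship", e["user"], e["patient"], e["ts"], e["action"]))
            unrelated[e["user"]].add(e["patient"])
    for user, patients in unrelated.items():
        if len(patients) > max_unrelated:
            alerts.append(("bulk_unrelated", user, len(patients)))
    return alerts

if __name__ == "__main__":
    for alert in detect_unrelated_access(parse_log(AUDIT_LOG), ASSIGNMENTS):
        print(alert)
```

In a real deployment the assignments would come from the scheduling or admissions system rather than a static dictionary, and the threshold would be tuned per role.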
Healthcare organizations need to understand that the data they are entrusted with and maintain is extremely valuable, and highly sought after by cyber criminals. They also need to take a proactive and not a reactive approach when it comes to securing patient information. Simply put, healthcare organizations must catch up to other industries like financial services and bring data security to the data itself using a data-centric and people-centric approach.