Healthcare organizations have an obligation to safeguard electronic protected health information (ePHI), whether it’s due to government mandates or to build trust among patients. If they fail to meet this obligation, the penalties can be steep. Between data loss costs and regulatory fines, healthcare organizations are losing millions from data breaches.
A recent study by the Ponemon Institute, reported in 2017 each stolen healthcare record cost the victim organization $380, surpassing the global average of $141 per record. Recently, the U.S. Department of Health and Human Services fined Fresenius Medical Care Holdings, Inc., a supplier of medical equipment, $3.5 million for five separate data breaches that took place in 2012. The upcoming General Data Protection Regulation (GDPR), which puts healthcare data at a higher level than other EU personal data, will up the ante even further.
It's time for healthcare organizations to re-think how they are protecting their ePHI. First, they need to understand the top threats they are up against. Here are five significant threats facing today’s healthcare organizations:
- Insider Theft: Insider threats come in many flavors. Malicious insiders may steal sensitive data for profit or to purposefully cause harm. Non-malicious insiders may click on dangerous links or open suspicious attachments. Repeat offenders may repeatedly violate security policies, even after going through security awareness training. Compromised insiders may be masquerading as legitimate employees, seeking access to sensitive data. Insider theft falls into the first and last examples. Malicious insiders, whether they are compromised users or an employee looking to do harm, may steal sensitive ePHI to sell on the black market, start their own companies or damage the organization’s reputation.
- Broken Processes: Forcing employees to do their job in an environment where operating securely is difficult will inevitably lead to significant losses of ePHI. Most healthcare providers are caring for people that work hard to deliver the best healthcare. Protection of personal data comes second to the patient’s wellbeing, and if the secure way to work is not the easy way to work, it will lose every time. If the easiest and fastest way available to get a patient’s record to another provider is through unencrypted personal email or a use stick, then that is how it will get done. Broken business processes are probably the leading challenge to cyber security in healthcare and beyond.
- Phishers: Spear-phishers and phishers are two of the most common types of threats targeting healthcare organizations. External bad actors may send an email with a malicious link or attachment to a group of employees, persuading them to click or open it. In the case of spear-phishing, a bad actor may research a victim for months, collecting personal and professional information such as who works in their department, topics of interest, and what type of information their emails typically contain. The attacker then crafts a targeted email with a malicious link or attachment, pretending to be a close contact of the victim or an associate. In the healthcare industry specifically, bad actors know general counsels are sensitive about being sued, so they may craft an email about a potential lawsuit, coaxing the general counsel to open it.
- Third party contractors: Threats posed by third party contractors may be malicious (i.e. Edward Snowden) or non-malicious. In healthcare, they’re generally more often the latter. Multiple facilities often fall under one healthcare organization, that collectively outsources their information technology and security monitoring to third parties. Specific visibility into the riskiness of contractors and third-party vendor companies is often limited. Insights into their activities with other clients or parent firms is nonexistent. Some healthcare organizations work with hundreds of vendors, making it difficult to see who is touching ePHI and how they are interacting with it. Due to this lack of visibility, they would not know if a vendor leaked sensitive data, or if the vendor company was hacked.
- Negligent employees: Negligent employees are typically non-malicious threats, who make careless errors. During the course of their busy workday, they may pick up a file containing ePHI and put it in the wrong mailbox, or hand it to the wrong person. If one patient has the last name “McMahon” and another has the last name “McMahan,” it’s easy to confuse the two and send their files to the wrong place. In some cases, just one person’s name and personal information getting into the wrong hands constitutes a data breach.
It takes a combination of people, processes and technologies to detect and mitigate these threats before ePHI walks out the door. Business processes need to be designed to allow care providers to provide services while also keeping ePHI secure. In the case of non-malicious employees, targeted security awareness training that’s provided at the time of an error, based on specific policies violated, can significantly help reduce risk. Organizations should also create cyber security policies and procedures that spell out clear consequences for ePHI loss.
On the technology side, implementing the right identity management, access controls, endpoint and data protection toolsets in alignment with policies and procedures can go a long way towards securing the environment. They should use user and entity behavior analytics to gain visibility into employee and third-party vendor user activity and detect and prioritize activities that are putting ePHI at risk of a compromise. They should integrate UEBA technologies with traditional cyber tools that follow and protect data such as data loss prevention, CASB, multi-factor authentication and encryption.