A common misconception is that IT teams can manually compile a list of sensitive data
Counted among the biggest health data breaches of 2019, Quest Diagnostics reported the exposure of its 11.9 million patients’ personal data. An access breach by an unauthorized user at Quest’s billing collection vendor’s site resulted in this unfortunate disaster. The breached data included both financial and medical information of patients. This catastrophic incident is among more than 550 others in 2019 in the U.S. alone.
The U.S. Department of Health and Human Services’ Office for Civil Rights’ breach portal studies the healthcare data breaches that affect 500 or more individuals each year. In 2019, it reported an alarming 196% increase in data breach as compared to the previous year. Also, around 13% of the U.S population’s health records were breached in 2019.
The scores of data breach incidents make one thing clear- all healthcare providers must invest significant thought and time around the safety of their patients’ data. An expert sensitive data security software can discover, secure and monitor your sensitive data. It can also accelerate compliance with the evolving data privacy regulations while effectively mitigating your data-centric risks.
Understanding Healthcare Data Security-
With the healthcare sector adopting multiple technologies at a rapid pace, healthcare providers are flooded with a hoard of patient-centric data from various data sources. Electronic Health Records (EHRs) constitute the core of any healthcare provider’s information system.
Recognizing the paramount importance around the safety of these records, the U.S government passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA mandates securing the electronic Protected Health Information (ePHI)- both when they are stored with a healthcare provider and when they are transmitted to another entity. It also defines patients’ rights over their PHI/ePHI and the limits of patient information disclosure without the patient’s consent.
Compliance with HIPAA can provide your organization protection against healthcare fraud and safeguard you against huge financial losses and negative reputation. A comprehensive enterprise Data Protection solution can also address your organization’s key HIPAA requirements, get you audit-ready and ease your risk assessments.
Implications of healthcare breaches-
Healthcare data breaches can have disastrous implications on both healthcare providers and their patients. Hackers do not just commit identity theft using the Personally Identifiable Information (PII) like Name, Address, Age, etc. available in the EHR, they also misuse the individual’s private health-centric information like their mental and physical concerns.
In 2017, Aetna- a health insurance giant fell victim to a data breach that compromised the cardiac and HIV status of over 11,000 individuals. This breach cost Aetna $17 million and the company’s hard-earned reputation. But, the patients paid an even dearer price as their medical information was suddenly exposed inflicting permanent damage.
Unlike in financial institutions where blocking the credit card can instantly render the breach less effective, an EHR breach can impose unrepairable damage on the victim’s mental and physical state. Lack of proper data security around patients’ information also paves the way for data compromise. The finance sector has long used the robust two-factor authentication system that allows client access only after they enter the One-Time Password (OTP). The absence of a similar system in the healthcare institution has made healthcare providers and patients easy prey for cybercriminals.
The consequences of the health data breach on victims are aplenty. Below are the key effects-
- Medical identity theft can give rise to improper diagnosis and treatment. The provider may even administer the wrong medication to the patient which may worsen his/her condition.
- Once the breach has been identified, there could be a delay in delivering the patient’s care until it is fixed. This may intensify the patient’s complications. A ransomware attack disabled all of Campbell County Health hospital systems in 2019 disrupting patients’ access to medical care for more than eight hours. Patients were directed to other medical institutions, the nearest one being 70 miles away.
- Victims may even be billed for services that they never opted for. In the case of a 2006 health data theft victim, the impersonator used the victim’s Social Security Number to obtain medical services from a clinic that the victim had never been a patient. The victim was billed for those services.
- In the case of a 2006 Colorado medical identity theft victim, the imposter received several surgeries in the victim’s name. The victim was struggling to pay his bills two years after the theft. The theft also cost him his business and his property.
Unlike with financial institutions where banks reimburse their customers upon a theft, victims of health data theft end up spending huge amounts of money to resolve the issue. According to a 2015 Ponemon Institute survey, 65% of victims of medical identity theft spent more than $12 billion resolving issues including medical and legal costs.
Healthcare providers also suffer significant consequences due to data breaches. Data compromise puts their reputation at stake and also amounts to huge financial losses. Healthcare providers who fall victim to data hackers lose their credibility in the eyes of their customers and invest years to gain back the trust.
How do hackers make use of the stolen data?
Medical identity theft is particularly disastrous for a number of reasons as the hacker can potentially ruin the lives of the victims in more than one way. The hacker can use the information in an EHR in some of these ways-
- An imposter can destroy the victim’s financial well-being by obtaining expensive treatments.
- Impersonators can buy expensive drugs using a legitimate medical card holder’s data and resell them for huge profits.
- Insurance firms may also fall victim to health data scams. A data hacker may split his profit with an illegitimate clinic by billing the insurance company for services that the victim never opted for.
- According to a 2019 study by a cybersecurity firm, a data thief exposes a healthcare provider’s network to hack a doctor’s identity and sells it to buyers for a huge profit. The buyer then submits claims for expensive surgeries to healthcare insurance firms.
- The study also reports that buyers can purchase forged prescriptions, fake healthcare cards, etc. for $10-$120. Hacked health insurance data can also be bought for less than $3.25. It was found that health information sells for almost thrice the cost of the standard Personally Identifiable Information (PII).
How can healthcare providers prevent a data breach?
The threat landscape in the healthcare industry is extremely diverse and complex. This condition calls for the need to ensure that the right tools and capabilities are deployed to suit the ever-evolving landscape. It is also necessary to comply with HIPAA to secure the EHRs that form the core of any healthcare entity to effectively identify and or prevent a data breach before the damage is already done.
To make your organization HIPAA-ready, you must prove how effectively you comply with the regulation. This can be achieved by deploying specific controls in accordance with the Privacy and Security rules defined under HIPAA.
A HIPAA audit assesses your organization’s ability to protect its PHI/ePHI against data compromise. As you embrace more technologies to reap their benefits, it is imperative that you also scale your protection capabilities to match your organization’s changing data landscape.
Follow these steps to achieve HIPAA compliance-
- Identify and map all HIPAA-related data across your enterprise’s data landscape
- Identify and define which business units must be allowed what amount of access to HIPAA-related data. Consider assigning minimal access for any required task
- Deploy data security methods like encryption, masking, redaction, tokenization, etc. to protect all HIPAA-related information
- Implement enterprise-wide security best practices like setting up robust firewalls and endpoint security, setting strong passwords, IoT hardening, etc.
- Always be on the alert for data breaches and malicious activities across your enterprise’s HIPAA database
HIPAA defines the Technical Security Safeguards that healthcare organizations must possess to validate their HIPAA compliance. A comprehensive enterprise data security tool that discovers, secures and monitors your PHI/ePHI data regardless of its location can help accelerate HIPAA compliance.
Below are the key HIPAA requirements that your data security tool must address to achieve compliance-
- Access Control- A covered entity must execute technical policies that limit access to ePHI to authorized personnel.
Kogni discovers all your HIPAA-related sensitive data regardless of their location. It then classifies the data under preset groups created by Kogni or custom groups created to suit your entity’s unique needs. It makes identifying the data location simple at any given point of time by adding tags to your data and mapping it across users, folders, and permission. May your PHI/ePHI be in a database, filesystem, No-SQL, Big Data or anywhere across your enterprise’s data landscape, Kogni helps you locate it in no time. Kogni also supports data in various formats like structured, semi-structured and unstructured.
Kogni monitors both data at rest and real-time data no matter where they reside and offers unified single-pane visibility to your data. It is also uniquely positioned to identify and report on your critical data that reside in Saas (Slack, Jira, Salesforce) and other hosted services.
- Audit Controls- Under HIPAA, a covered entity must deploy hardware, software and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI.
Kogni monitors various enterprise channels such as files, folders, emails, etc. This allows entities visibility into how authorized business units interact with their HIPAA database. Our enterprise data security tool continuously monitors for deviations based on risk patterns and alerts your entity to prevent data misuse from turning into a full-blown data breach.
- Integrity Controls- To validate HIPAA compliance, a covered entity must have in place the required policies to ensure its ePHI is not improperly handled or destroyed.
Kogni helps your entity architect a robust analytics process. It tracks your HIPAA-related data’s activities like location, state, alterations it goes across your entity’s data landscape, its interaction and activities when in your cloud environments, etc. It then logs the potential threats attached to your PHI/ePHI and notifies by sending out appropriate alerts.
Kogni also offers other expert capabilities to accelerate your HIPAA compliance-
- Kogni alerts users
-when an authorized user accesses your ePHI from a different geographic location
-when they interact with a never-before-accessed HIPAA-related information
-when they log in from a system that does not have the required client-based certification or when in an unsafe network zone
- Kogni offers high precision data analytics with a number of data points to ensure the accuracy and actionability of the information.
- Kogni is built on advanced machine learning capabilities and other data mining and heuristics analytics techniques that bring down false positives to negligible numbers.
Our expert Data Security Software, Kogni, is HIPAA ready out of the box. Reach out to us at firstname.lastname@example.org if you are interested in a free demo.