DATA SECURITY IN THE HEALTHCARE INDUSTRY

When you think of data security breaches, you probably imagine elite hackers pursuing Fortune 500 companies, but the truth is that there’s a largely overlooked at-risk industry: healthcare. As cybercrime continues to grow, the healthcare industry must arm itself with the latest data security practices or risk losing itself under a wave of cyber-attacks.

The latest data has found that 90 percent of healthcare organizations have suffered data security breaches in the past two years, and 45 percent have suffered five or more breaches in that same time span. Not only are these breaches disturbingly frequent, but they’re costing the healthcare industry $6.2 billion each year. Professionals in the industry have posited that this may be caused by the high amount of private data that passes through healthcare organizations, but lackluster data security practices are also a large factor in these rampant breaches.

According to the HIPAA Journal, 2016 was a rough year for data security in the healthcare industry. Not only did millions of people have their private information stolen, but healthcare providers found themselves unequipped to deal with evolving cybersecurity threats. Here are some fast facts that highlight how dire the state of healthcare data security has become:

• Healthcare providers found themselves unable to defend against “ransomware” and lost countless files to this new and insidious form of malware.
• Accidental data breaches, which were disturbingly common, exposed (on average) three times more private files than malicious data breaches.
• The healthcare industry proved itself to be remarkably slow in reacting to breaches and equally ill-prepared to prevent them.

These numbers suggest that not only is the healthcare industry being targeted by cybercriminals due to the large amount of personal information that it holds, but because it has proven itself woefully ill-prepared to deal with data security threats. Before we can discuss how to prevent these data security breaches, however, we must first consider why this issue hasn’t been solved already. Healthcare professionals are intelligent, so why is this issue worsening instead of being resolved?

The State of Healthcare Data Security

The reason that data security is so precarious in the healthcare industry is that it faces unique problems that no other industry has to work around. In order for patients to be treated with the best care possible, information needs to travel freely between GPs and competing hospitals. The issue, of course, is that free information is rarely secure information.

This leaves healthcare providers toeing a difficult line between providing optimal care and protecting the privacy of their patients. This would be a difficult enough situation, but when competing hospitals and GPs become responsible for exchanging patient information in a timely manner, personal grudges can come forward and wreak havoc on both patient care and data security.

Say that a patient recently went to Hospital A for treatment, but has since moved to Hospital B for one reason or another. Hospital B requires the patient’s medical history to provide quality treatment, and thus it falls to Hospital A to transfer that data both efficiently and securely. The issue, however, is that Hospital A has no incentive to act efficiently. Their patient has moved to a competing hospital and, from their perspective, perhaps the burden of providing secure data transportation should fall to the patient’s newly-selected healthcare provider. Because they don’t view that patient’s security as their responsibility, they may transfer the medical data over without regard to data security and, as a result, the data may be stolen.

In the above scenario, a patient’s private information could be stolen due to a lack of cooperation among healthcare providers. Alternatively, you could assess the situation as resulting from a lack of education about data security dangers and how to prevent such disasters. Given either explanation, though, this situation was entirely avoidable with just a bit of cooperation and data security know-how.

Solving Data Security Woes in the Healthcare Industry

Just as data security is a multidimensional entity, there is no one solution that can protect against every threat. That said, this list will offer tips for the most common dangers to a healthcare provider’s data security and suggest proven solutions for your healthcare organization.

1. Cooperation Between Providers

Despite the huge data security risks that healthcare providers face, there has largely been an “every man for himself” attitude when it comes to protecting against these cyber-attacks. The problem with this attitude, from a practical standpoint, is that every type of healthcare provider is suffering data breaches. There are small, private facilities that suffer attacks just as there are huge providers like Blue Shield that have suffered attacks resulting in millions of files being stolen. Regardless of the provider, if healthcare organizations want to protect themselves against looming data security threats, then they have no choice but to band together.

Of course, the issue isn’t as simple as “stick together.” Pooling resources does nothing if they aren’t used effectively, after all. Here are some tips for how healthcare providers can share their knowledge to protect themselves from unknown attackers:

• Organize a “Healthcare Threat” feed between participating organizations, in which one provider can report a security breach so that others might be able to guard themselves against it.
• Updating security and privacy policies so they meet NIST and HIPAA standards while creating a secure and efficient protocol for sending patient information between providers.
• Participating in the Office of Civil Rights and Health and Human Services-led security forums wherein a discussion focuses on filling data security gaps and adhering to industry standards.

This isn’t an issue that will be solved overnight, but healthcare providers will prove substantially more resilient to cyber-attacks by sharing resources and looking out for each other. Of course, to tangibly improve the state of data security, healthcare providers will need to implement effective data security practices, particularly in the world of data destruction.

2. The Power of Data Destruction

Healthcare providers often rely on having cutting-edge technology to provide the best care for their patients, but this frequent replacement of hardware can create a significant gap in data security. One of the most common attack vectors for cybercriminals has been to steal patient information from improperly discarded hardware. After all, what healthcare provider is going to guard their garbage?

The key to securely decommissioning hardware lies in the effective use of a reliable data wipe. Rather than simply tossing out an old PC, for example, a healthcare provider would be well-served to thoroughly wipe that hardware before letting it leave their office. By taking this precaution, healthcare organizations can minimize their risk to suffer a data security breach and cut off one of the most common attack routes for cybercriminals.

As you might imagine, if the solution was that easy then data security breaches would have been solved long ago. The key is to use a wipe that meets both NIST and HIPAA standards, like Clarabyte’s data wipe. This solution, called ClaraWipe, meets the data security standards of the healthcare industry and can effectively wipe any system clean of sensitive information. For those still on the fence, there is a free demonstration available to let you test out this data wipe before entrusting it with your data security.

Regardless of what data wipe you employ, it’s essential that your selected solution meet HIPAA and NIST standards if you want to keep up with industry regulations. Unfortunately, this is far from the only threat to the data security of healthcare organizations. Thankfully, however, the other main attack vector can be solved in much the same way that data destruction can be mastered–through education.

3. Defeating Ransomware

If you’ll recall the findings of the HIPAA Journal, the healthcare industry has been uniquely targeted by the newest form of malware known as ransomware. This new means of data theft occurs when a user opens a suspicious file, only to be informed that their data is now sitting behind a firewall and will only be released upon payment to the cyber-attacker. This is a painfully difficult attack to suffer, which makes the best solution simply to avoid the situation entirely.

The issue that the HIPAA Journal found was that healthcare staff were overwhelmingly ignorant of ransomware’s dangers and thus didn’t think twice about opening suspicious emails. Had they been given the proper training, they may well have been able to avoid handing over money to a criminal or risk losing patient information. Moreover, you’ll want to employ the use of data backups so that, in the worst-case scenario, you can still retain patient information while you deal with this cyber-attack.

Ransomware is an ever-growing and malicious attack vector that targets healthcare providers because it knows how dearly they hold patient information. The only way that they’ll stop pursuing healthcare organizations is if they stop orchestrating successful attacks, and that starts with proper education and frequently backing up private data.

The Light at the End of the Tunnel

Things may seem bleak for the healthcare industry’s data security, but it doesn’t need to remain so. If healthcare providers can join forces and work to eradicate the gaps in their respective data security protocols, then they’ll find themselves significantly more protected than they are today. By compiling their knowledge and sharing information amongst themselves, healthcare organizations are perfectly capable of finding the light at the end of the tunnel.

Resources:

“Breach at BlueCross BlueShield business associate puts data of 3.3 million patients at risk.” Healthcare IT News. 08 Aug. 2016. Web.

“News & Updates.” Nearly 90 Percent of Healthcare Organizations Suffer Data Breaches, New Ponemon Study Shows. 12 May 2016. Web.

“Protenus Releases 2016 Healthcare Data Breach Report.” HIPAA Journal. 20 Jan. 2017. Web.