How To Prevent Small, Simple Mistakes From Turning Into Big Problems

By Mark Bower, Egress

Another day, another healthcare data breach. According to a recent study, more than 11.5 million healthcare records were breached in 2018. While the industry continues to focus on external attackers looking to infiltrate networks and steal information, in reality, one of the biggest threats healthcare organizations face are accidental data breaches.

Yet even simple mistakes like misaddressed emails can turn into massive breaches and HIPAA compliance nightmare scenarios.

The Risk Of Collaboration In Healthcare Environments

Healthcare is a high-risk (and therefor highly regulated) industry, with organizations needing to comply with a long list of regulations aimed at keeping data safe.

Many health organizations use data platforms and electronic health records (EHR) with built-in controls to digitize and secure patient information, which forms a crucial aspect of compliance. However, security challenges arise when organizations are required to share patient information outside of the EHR; for example, when specialist organizations need to share information with third parties for analysis or advice. Often, organizations put in workarounds to share that data, such as sending physical USB drives in the mail to collaborate and provide joint healthcare.

Not only does this open these organizations up to risk on both ends (sender and recipient), but breaking security regulations also can result in substantial fines. As such, it is vital healthcare organizations have a seamless and secure way to share and protect data throughout its life cycle.

Human Error Can Easily Violate Security Regulations

Mistakes happen, but when it comes to PHI, exposing sensitive data isn’t an option.

With email increasingly being used to transfer sensitive data, one big problem is the risk of misdirected emails. Outlook or Gmail offer nice automation features with autocomplete recommendations, but these can notoriously end up with the sender picking the wrong email address. When this happens, content is inadvertently sent to another recipient and automation has failed them.

In fact, a recent Egress survey looking at accidental data breaches found email to be the most common way that employees accidentally expose sensitive data. Based on our analysis, here are the most common email accidents that lead to data breaches:

• Accidental sharing/wrong email address (the Outlook auto-insert problem)
• Email forwarding of sensitive data
• Sharing attachments with hidden content
• Forwarding data to personal email accounts

While healthcare organizations try to prevent these mistakes through training, experience shows the knowledge gained only usually lasts a few weeks before someone goes back to old habits and reintroduces risk.

Encryption Is The Answer – Or Is It?

Some may understand the dangers of accidently sending sensitive data to the wrong recipient and recommend encryption so only authorized parties can access it. This makes perfect sense in theory but often falls down in practice.

The recent Egress Data Privacy Survey found that a large majority of organizations fail to encrypt data before it’s shared – both internally and externally. Respondents indicate:

• 79 percent of organizations share PII/sensitive business data internally without encryption
• 64 percent of organizations share PII/sensitive business data externally without encryption

What healthcare organizations need to think about is detecting these mistakes before they happen. Typically, outbound email security tools that encrypt content rely on static DLP rules or user actions. However, when data loss prevention (DLP) rules aren’t updated frequently, major risk can still be introduced.

How AI And Machine Learning Can Help

Many organizations are turning to AI and machine learning (ML) to understand user behavior, measure their activity, and offer solutions to protect both PII/PHI and the organizations responsible for it.

For example, AI and ML can help in identifying patterns and detecting anomalies, such as when an autocompleted email address has been wrongly inserted. This is impactful because it engages with users in real-time in a helpful way, guiding them to avoid similar mistakes in the future.

These technologies also can be used to provide risk context at the time of a data exchange. This helps prevent over or under-encryption to ensure sensitive information is protected at a level relative to the actual risk of a data breach. ‘Right sizing’ encryption in this way helps ensure the solution will be embraced by employees, who often resist anything that creates friction in their day-to-day lives.

Moving Forward

In summary, AI and ML can be help healthcare organizations achieve the following data security goals:

• Avoid the risk of misdirected emails
• Apply an appropriate level of encryption to content
• Use analytics to drive the detection of mistakes
• Educate people while they’re handling data by providing real-time feedback so they can avoid mistakes and work efficiently

Healthcare organizations must adopt tech that wraps users in smart data protection best practices if they want to prevent small, avoidable mistakes that can lead to Big Data breaches.

About The Author

Mark Bower is CRO & GM of Egress.