The Move Towards Data Analytics Is A Security Problem
By Suni Munshani, CEO, Protegrity
2015 marked a significant and alarming year for the healthcare industry. Verizon’s 2015 Protected Health Information (PHI) Data Breach report confirmed 90 percent of industries have experienced patient data breaches and that jeopardized PHI has reached more than 392 million records, totaling 1,931 incidents across 25 countries.
Providers and regulatory bodies are more than aware of this problem, which has spurred updates to HIPAA and HITECH regulations. But as many in the industry understand, compliance is no longer enough and the need to change how data is secured is imperative. With data breaches becoming a common occurrence and patient information still at risk, here is a look at the current data security landscape and how to implement comprehensive, scalable, and long-term solutions to fix it.
The Evolving Cyber Security Landscape
In the past decade, healthcare has experienced a substantial shift as increased use of data and IT systems resulted in a massive amount of stored information. This, combined with advancements in mobile and cloud and the rise of big data analytics, means traditional data security alone is no longer enough to protect healthcare organizations.
To add motivation, it is even reported that healthcare data is worth up to 50 times more than credit card data. Healthcare companies must evaluate their strengths and weaknesses in order to best guard their assets from hackers who are trying harder than ever to gain access to medical data.
Two specific weak points in the current healthcare system lie in the scope of systems and usability:
- Usability Concerns
Think of a traditional wellness engagement: the patient gives personal information upon check-in, the doctors perform tests, technicians report lab findings, nurses often follow up on treatment plans, and caregivers can confirm information on digital patient portals. Each step in the process requires all of the right information to be accessible to the right user, internal and external. Organizations must implement solutions that are flexible yet robust enough to ensure the information stays accessible yet secure.
- Extended Networks And Scope Of Systems
In order for providers, payers, and patients to access the relevant information, data may live beyond the traditional network, such as in transferred EHRs and mobile applications. Aware of this fact, hackers are also varying their attacks to target these new and vulnerable channels. Organizations, especially large and distributed healthcare organizations, are tasked with implementing a strategic approach that protects not only the systems on which the data lives, but the data itself.
Changes to Implement Today
There are four immediate changes healthcare companies should consider today that can lead to immediate results. While a long-term strategy is needed, and is discussed in the next section, these four are easily implemented with today’s resources.
- Due Diligence
All organizations guarding sensitive data have several security systems that together serve to mitigate the large threat surface that healthcare brings. Make sure to go in depth with each one and verify that online applications are secure and free of the most common attacks.
- Continuous Monitoring
Once all systems are cleared, make sure to continue regular monitoring of normal network activity and implement an alert strategy for when abnormal behavior occurs.
- Training for All
One large threat that companies often overlook is their employees themselves. Often by accident, employees make mistakes that proper training can prevent. Training will guarantee that everyone understands the protocols for data sharing and password protection.
- Restricting Access
While training can eliminate accidental data sharing, limiting the number of people with access to data can reduce the chances of purposeful distribution. In the same vein, least-privilege rules can also limit the types of information that are exposed in a hack and ensure that users only see the information that is absolutely necessary.
Long Term Security Considerations
Perform an honest assessment of the current security systems in place and point out where the weaknesses lie. In addition, take a look at past health care breaches and run simulations to see if your organization is prepared for a similar situation. Some of the common systems to examine include EMR databases, payment processing systems and HR programs. Modern technologies like encryption and tokenization can also help by de-identifying sensitive data and rendering any stolen data useless.
With the amount of managed information only set to increase, healthcare organizations must start improving their security tactics in order to maintain peace of mind and avoid the costly repercussions of a breach. This requires a dual effort: meeting regulatory and legal compliance while proactively seeking new solutions that protect against the advancing threats of today’s digital environment.
About The Author
Suni Munshani joined Protegrity as CEO in May of 2011 to accelerate growth and execute strategies to extend Protegrity’s leadership position in the enterprise data security market. He brings more than 25 years of broad and diverse global business experience, having previously served as CEO of Novitaz, a customized data provider for the retail and hospitality sectors. Prior to Novitaz, he served as a managing partner at Persephone Investments, a venture capital firm focused on early stage investments, where he led the firm’s investment in Synetics, Inc. and eventually assumed the role of CEO and led Synetics’ acquisition by Affiliated Computer Services, a NASDAQ listed company (later acquired by Lockheed Martin).