The Data Security Challenges Faced by the Healthcare Industry


With the rapid adoption of digital transformation across all industries, data security must be treated as a priority, especially in healthcare. This year we have witnessed mass adoption of remote working, increased dependence on cloud computing and services, and a surge in the use of telehealth. This has been both a positive and a negative development. The growth in internet-connected devices and services has pushed cyberattacks to an all-time high, with attackers targeting the healthcare industry in particular because of the persistent value of medical data: a stolen card number can be cancelled, but a diagnosis, a date of birth or a Social Security number cannot, so medical records stay valuable for years.

Hospitals and healthcare providers alike have been continuously hit by cyber incidents in the past year, which in some cases have proven how unprepared many of these organisations are in dealing with serious cyber-attacks. As a result, the healthcare industry has had to adapt to new and more stringent security measures to ensure enhanced protection of sensitive patient data.

Why the healthcare industry needs data security 

The value of data continues to grow, with it recently being dubbed the ‘new gold.’ Personal health information has outsized value because of the rich biographical detail it carries. With society rapidly adapting to digitalisation, including a completely digital way of transacting business, the healthcare industry is struggling to keep up. Securing the vast amounts of personally identifiable information (PII) and protected health information (PHI) it holds is a challenge, and because cyber-attackers increasingly single out the healthcare industry it is more important than ever to keep such valuable data safe.

This need became especially evident after the ransomware attack on Magellan Health. The threat actors exfiltrated large amounts of data and held it for ransom, including names, contact information, employee ID numbers, and W-2 or 1099 information containing Social Security numbers and taxpayer identification numbers. They gained access through a social engineering phishing scheme in which they impersonated a Magellan client and then deployed malware that harvested login credentials. Attacks of this kind have long-term impacts not only on the organisations themselves, through delayed medical services, but also on the individuals (patients and employees) whose data is exposed. Data security is crucial in every industry and sector; the value of personal health information simply makes it all the more critical to protect.

Data security and classification 

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 mandates a national standard for protecting personal health information. Under the Privacy Rule, patient information may be used or disclosed only as the rule permits (for example for treatment, payment and healthcare operations) or as the patient authorises, and access must be limited to those who need it. The Security Rule requires administrative, physical and technical safeguards for electronic PHI, but beyond a core set of required specifications it leaves each covered entity to decide which measures are reasonable and appropriate for its size, resources and risk. Given the fast-paced nature of the healthcare sector, many organisations struggle with the complex task of securing patients’ PII and PHI, and as a result the sector has become easy prey for cybercriminals.

Nevertheless, the past year has been a wake-up call for healthcare providers, hospitals, and insurers to ramp up their security measures. Stricter data security protocols must be put in place, along with a stronger security culture, to make sure patient data stays secure rather than exposed to a breach. This is where data security and classification go hand in hand. Classification tells an organisation where its sensitive data lives and how sensitive each item is, which in turn drives how it discovers and mitigates risk and which data governance policies apply. Not only is it necessary for compliance with modern data privacy regulation, it also lets organisations find personally identifiable information sitting in data stores they may not have been aware of and apply the appropriate controls to govern and secure it.

Protecting data best practices for healthcare providers 

Healthcare organisations are largely unprepared to protect their patient data against the evolving landscape of security threats. Although no organisation can be made fully secure against attack, there are several best practices that all healthcare organisations would be well advised to follow:

  • Educate staff: organisations should prioritise proper cybersecurity training for all healthcare staff. Human error is one of the largest threats to the security of any organisation, and a single mistake or lapse can have disastrous and costly consequences. The Magellan Health intrusion described above began with a phishing lure impersonating a client, which is exactly the kind of approach trained staff are more likely to recognise and report. Staff should undergo regular security awareness training that equips them to make the right decisions and to proceed with care when handling patient data. This is what we mean by instilling a culture of data security and privacy within your organisation.
  • Encrypt data: all sensitive data should be encrypted, whether at rest or in transit. Data that is stolen in encrypted form is unreadable without the keys, even if the attacker has bypassed the outer security barriers, so the keys themselves must be kept in a separate, access-controlled key management system; encrypting data with a key stored alongside it protects nothing. Note also that encryption at rest does not stop an attacker who holds valid user credentials, as the Magellan attackers did, because the application will decrypt data for them as it would for any legitimate user; that is why encryption belongs alongside access control and staff training, not in place of them. HIPAA’s Security Rule lists encryption as an ‘addressable’ specification rather than an outright requirement, but it is more than advisable as a way to give valuable information strong data-centric protection.
  • Conduct regular risk assessments: proactive prevention is the best step toward securing data, and the HIPAA Security Rule in fact requires covered entities to perform a periodic risk analysis. A risk assessment lets an organisation identify vulnerabilities and weak points in its security posture, gaps in employee education, and shortcomings in the security posture of vendors and business associates, and then prioritise fixing them. Spotting suspicious activity before it turns into a breach is a separate job, handled by monitoring and detection; the risk assessment is what tells you where to point that monitoring.
  • Back data up to an offsite location: offsite backups provide another safeguard in the event of a breach and are essential for disaster recovery. Against ransomware in particular, a backup only helps if the attacker cannot reach it from the compromised network, so keep at least one copy offline or on immutable storage and test restoring from it regularly; a backup that has never been restored is an assumption, not a safeguard. Together with encryption it is one of the most effective ways to keep data secure.
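The classification step described in the previous section (finding identifiers and clinical content in a data store and labelling it) and the data-centric protection recommended in the encryption bullet above can be demonstrated together. The block below is an added example for this article, not code from the author or from Comforte AG. It scans constructed sample records with simple pattern detectors, labels each field as an identifier or clinical content, rolls that up to a record-level class, and then protects the identifier fields with keyed pseudonyms. Everything in it is an assumption: the records are fabricated, the MRN format and the detector regexes are illustrative, and because the Python standard library has no AES, it uses HMAC-SHA256 pseudonymisation in place of the reversible encryption or tokenisation a product would provide.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Set, Tuple
import re

# Constructed sample rows standing in for records in a data store.
# All values are fabricated; the "MRN-NNNNNN" format is an assumption.
RECORDS: List[Dict[str, str]] = [
    {"patient": "A. Example", "mrn": "MRN-000123", "ssn": "123-45-6789",
     "email": "a.example@example.org", "diagnosis": "J45.20", "visit_reason": "follow-up"},
    {"patient": "B. Sample", "mrn": "MRN-000456", "email": "b.sample@example.org",
     "visit_reason": "billing query"},
    {"department": "Radiology", "open_hours": "08:00-18:00", "floor": "2"},
]

# Content detectors. Deliberately simple illustrations, not production-grade.
PATTERNS = {
    "SSN":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "MRN":   re.compile(r"\bMRN-\d{6}\b"),                    # assumed local MRN format
    "ICD10": re.compile(r"\b[A-TV-Z]\d{2}(?:\.\d{1,4})?\b"),  # ICD-10 diagnosis code shape
}
IDENTIFIER_PATTERNS = {"SSN", "EMAIL", "MRN"}
# Field names that are sensitive by definition, whatever the value looks like.
IDENTIFIER_FIELDS = {"patient", "ssn", "email", "mrn"}
CLINICAL_FIELDS = {"diagnosis"}

# Assumption: in production the key comes from a KMS/HSM, never from source code.
PSEUDONYM_KEY = b"demo-key-replace-with-kms-managed-secret"


def detect(value: str) -> Set[str]:
    """Return the names of every pattern that matches one field value."""
    return {name for name, rx in PATTERNS.items() if rx.search(value)}


def classify_field(field: str, value: str) -> str:
    """Label one field IDENTIFIER, CLINICAL or NONE from its name and content."""
    found = detect(value)
    if field in CLINICAL_FIELDS or "ICD10" in found:
        return "CLINICAL"
    if field in IDENTIFIER_FIELDS or found & IDENTIFIER_PATTERNS:
        return "IDENTIFIER"
    return "NONE"


def classify_record(rec: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Roll field labels up to a record class.

    PHI in the HIPAA sense is health information tied to an identifiable
    person, so a record is PHI only when it holds both kinds of field.
    """
    labels = {f: classify_field(f, v) for f, v in rec.items()}
    kinds = set(labels.values())
    if "CLINICAL" in kinds and "IDENTIFIER" in kinds:
        level = "PHI"
    elif "IDENTIFIER" in kinds:
        level = "PII"
    elif "CLINICAL" in kinds:
        level = "CLINICAL"   # health data with no direct identifier alongside it
    else:
        level = "PUBLIC"
    return level, labels


def inventory(records: List[Dict[str, str]]) -> Dict[str, int]:
    """The discovery report: how many records of each class the store holds."""
    return dict(Counter(classify_record(r)[0] for r in records))


def pseudonymise(value: str) -> str:
    """Keyed, deterministic pseudonym so joins across tables still work.

    Deterministic tokens leak equality (two rows with the same SSN get the
    same token), and anyone holding the key can brute-force low-entropy
    inputs such as SSNs, so the key must live in a KMS with tight access.
    """
    digest = hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def protect_record(rec: Dict[str, str]) -> Dict[str, str]:
    """Replace identifier fields with pseudonyms; clinical fields stay usable."""
    _, labels = classify_record(rec)
    return {f: (pseudonymise(v) if labels[f] == "IDENTIFIER" and v else v)
            for f, v in rec.items()}


if __name__ == "__main__":
    print(inventory(RECORDS))
    for rec in RECORDS:
        print(classify_record(rec)[0], protect_record(rec))
```

Run as a script, the block prints the discovery inventory and each record after protection. The design point is that the same labels drive both the report and the control: a field classified as an identifier is pseudonymised automatically, so a newly discovered column does not wait for a manual decision before it is covered.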

Understandably, the healthcare industry is under immense strain given global circumstances, and to make matters worse it is extremely vulnerable to cyberattacks. Prioritising data security is therefore a must if data theft is to be avoided. Sensitive information must remain confidential, and with the world shifting ever more rapidly into the digital space, it is vital to have the right measures in place both to protect patients and to comply with data privacy regulations.

Article by Trevor J. Morgan, Product Manager at Comforte AG