[BreachExchange] Keeping Personal Health Information Secure in an Era of Cyberattacks

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 19 19:17:14 EDT 2016


http://wwpi.com/2016/05/19/keeping-personal-health-information-secure-in-an-era-of-cyber-attacks/

The healthcare industry faces special challenges when it comes to
safeguarding personal health information (PHI). Patients provide a wide
range of private, identifying details in relation to their medical records
that go well beyond their names and contact information. Patient records
may contain identifiers such as Social Security numbers; sensitive
information about medical conditions, medical history, and the test results
used to determine appropriate care; and financial or insurance information.
For these reasons, it is incumbent on the healthcare industry to understand
the risks and the compliance laws related to keeping PHI secure, and to
proactively evaluate solutions that prevent, detect, and respond to
cyberattacks.

Healthcare professionals must be extremely careful and conscientious when
managing any personally identifiable information (PII) on behalf of
patients and customers, whether encrypting records or ensuring that others
can’t view their screens when reviewing personal data on their computer.
Healthcare professionals must vigilantly monitor the patient data entrusted
to them, taking precautions when data is entered, transmitted, and stored.

MANY POINTS OF ENTRY
Sensitive health information is not only found in formal electronic medical
records but may also sit on endpoint devices, from smartphones and iPads to
laptops. The same data is exposed to unauthorized access through personal
computers, email accounts, calendars, backup drives, servers, shared
folders, and even recycle bins and physical trash cans, so it is at risk
from many directions. PHI is also often stored on wireless medical devices,
which creates especially challenging circumstances for personal data
protection. Many types of medical devices, from pacemakers to consumer
health monitors, are already Internet-connected or are expected to be by
2020, which makes them reachable by attackers.

When it comes to any and all of these potential access points for PHI and
PII, the cost of carelessness can be high and the consequences widespread.
Large-scale attacks on these systems do not just hurt the individuals and
organizations directly involved in the data theft; Bloomberg Business noted
in 2015 that the increase in these attacks costs the entire healthcare
system $6 billion every year. The article cited new research from the
Ponemon Institute, which found that “Criminal attacks against health-care
providers have more than doubled in the past five years, with the average
data breach costing a hospital $2.1 million.”

EASY MARK
Reporting in Reuters recently, Caroline Humer and Jim Finkle stated: “Your
medical information is worth 10 times more than your credit card on the
black market.” The authors continued that cyber-criminals are increasingly
targeting the healthcare sector, in part because the industry in the U.S.
is notorious for using outdated IT systems that lack current security
safeguards. This low-security environment makes the industry an easy mark
for hackers—despite the fact that national laws exist in the United States
that are designed to protect personal health data—most importantly the
Health Insurance Portability and Accountability Act (HIPAA). HIPAA created
industrywide standards about privacy and confidentiality when it comes to
managing and sharing PHI and mandates steep fines for noncompliance, yet
still violations occur. A recent HIPAA study revealed that 80 percent of
organizations surveyed thought they were fully compliant with HIPAA
regulations, yet the majority were significantly off the mark.

One of the largest and most pernicious cyber-attacks to date occurred in
2014, when Community Health Systems had private data relating to 4.5
million patients stolen. Losing this amount of valuable private medical
records from a major institution not surprisingly shook up the industry,
and brought new awareness to the importance of protecting health data
across the healthcare service continuum. Yet that awareness was not enough
to prevent further news from being made in this arena just a few months
later, when Anthem Inc.—the nation’s second-largest health insurance
company—fell victim to a similar fate. That unprecedented cyber-hack began
two months before it was discovered at the start of 2015, and led to the
breach of sensitive personal and medical data for approximately 80 million
people.

It’s not only patient data that’s at risk within these organizations, but
also data relating to doctors, hospital employees, insurance providers, and
other customers. Healthcare providers need to be aware of the fact that not
only can they face exorbitant fines for failing to secure patient data, but
they can also put the entire organization at risk of losing public trust,
and in some cases folding completely.

WHAT CAN ORGANIZATIONS DO TO PROTECT PHI?
With the volume of personal health data on the rise and the number of
potential data storage locations multiplying, the risk of cyberattacks on
healthcare institutions grows. In this environment, it is no easy task for
healthcare companies to ensure that the patient data entrusted to them
stays secure and that they remain compliant with HIPAA and other laws,
including the Health Information Technology for Economic and Clinical
Health (HITECH) Act, which levies fines for misuse of electronic health
records. IT administrators must not only deal with the ever-expanding
number of potential storage locations for personal health data, but also
need to find ways to handle the confusing situations in which PHI is
commingled with unregulated data of other types.

Fortunately, there are steps that forward-thinking companies can take to
help protect patient data and the reputation of their own
organization—particularly technology solutions such as new data loss
prevention (DLP) software based on machine learning. Such software can
offer organizations a range of benefits, including greater accuracy,
awareness, flexibility, and protection. Let’s talk a bit more about these
benefits and what companies can do to achieve them:

- Improving accuracy of identifying high-risk content. A first step toward
protecting PHI and PII is determining which content is actually sensitive.
Companies have commonly relied on regular-expression searches that match
data against known patterns (a nine-digit number formatted like a Social
Security number, for example), but the accuracy of such a search is bounded
by the quality of the pattern: a loose pattern flags invoice numbers and
other look-alikes, while a strict one misses the same value written without
separators. Organizations can now add a newer technique: DLP software that
relies on machine learning. Most DLP is not based on machine learning, and
standard DLP still plays an important role, but machine learning-based
detection adapts to a specific organization's data, taxonomy, and usage
patterns, and analyzes the context around a match rather than the match
alone. That makes tailored searches more reliable and actionable, and keeps
detection adaptive as the data and the threats change.

- Increasing awareness of data variance. Healthcare data has many variables
and look-alike values, and a detector that misclassifies them (treating a
lab accession number as a Social Security number, or missing an identifier
because it is formatted unusually) fails in exactly the cases that matter.
If a system cannot tell genuine PHI from superficially similar data and
lacks contextual awareness when evaluating content, it will not deliver the
needed results. Newer machine learning-based DLP software is equipped to
recognize such subtle distinctions, which helps to avoid these failures.

- Boosting flexibility and real-time file analysis. Today's machine
learning-based DLP software offers security and governance throughout the
enterprise. A flexible, comprehensive approach to content detection and
classification gives administrators assurance that users are following the
right handling procedures. These newer DLP solutions also analyze files in
real time, so content is assessed as soon as it is created or altered rather
than only during a scheduled scan.

- Delivering data protection. Deployment downtime is costly for the
healthcare industry; an advanced machine learning-based DLP solution can
reduce it by removing the need for a lengthy initial configuration (a
shortcut through setup, not a bypass of security controls). Such solutions
can also detect PHI quickly and automatically when it is added to
SharePoint: when the software detects sensitive content, it holds the file
back from the shared location until designated content reviewers have
reviewed and approved it.
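To make the pattern-quality point in the first bullet concrete (and the look-alike problem in the second), here is an added example; it is not code from the article or from any DLP product the article describes. It contrasts a naive Social Security number regex with a detector that also applies the Social Security Administration's structural rules (area never 000, 666 or 900-999; group never 00; serial never 0000) and scores surrounding context words. The sample lines, the context vocabulary, the confidence labels and the function names are all constructed for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample lines for illustration (not taken from any real record).
SAMPLE_LINES = [
    "Patient SSN: 219-09-9999, DOB 1975-04-12",     # real-looking SSN, labeled
    "Order ref 000-12-3456 shipped to warehouse",   # look-alike, invalid area 000
    "Part no. 666-01-0001 backordered",             # look-alike, invalid area 666
    "Lab accession 987-65-4321 received",           # look-alike, invalid area 9xx
    "Ticket 123-45-6789 escalated to tier 2",       # valid structure, no context
    "Social security number 219099999 on file",     # unformatted, labeled
]

# Naive pattern: exactly the ddd-dd-dddd shape and nothing else.
SSN_NAIVE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Refined pattern: optional dash or space separators, with the three groups
# captured so they can be validated against the SSA's issuance rules.
SSN_GROUPED = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

# Hypothetical context vocabulary; a real deployment would learn this from
# the organization's own documents and taxonomy.
CONTEXT_WORDS = ("ssn", "social security", "patient", "member id", "insured")


def naive_matches(line: str) -> list[str]:
    """Return every ddd-dd-dddd substring, with no validation at all."""
    return SSN_NAIVE.findall(line)


def ssn_is_structurally_valid(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: areas 000, 666 and 900-999 are never issued,
    and neither are group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


@dataclass
class Finding:
    value: str
    confidence: str  # "high" when supporting context is present, else "low"


def detect_ssn(line: str) -> list[Finding]:
    """Structural validation plus context scoring: one Finding per candidate
    that passes the SSA rules, rated by whether the line carries context."""
    has_context = any(word in line.lower() for word in CONTEXT_WORDS)
    findings: list[Finding] = []
    for match in SSN_GROUPED.finditer(line):
        if not ssn_is_structurally_valid(*match.groups()):
            continue  # drop the look-alike entirely
        findings.append(Finding(match.group(0), "high" if has_context else "low"))
    return findings


def compare(lines: list[str]) -> list[tuple[str, int, int]]:
    """For each line: (line, naive hit count, refined hit count)."""
    return [(line, len(naive_matches(line)), len(detect_ssn(line))) for line in lines]


if __name__ == "__main__":
    for line, naive, refined in compare(SAMPLE_LINES):
        print(f"naive={naive} refined={refined}  {line}")
        for finding in detect_ssn(line):
            print(f"    -> {finding.value} ({finding.confidence})")
```

On the constructed lines the naive pattern flags three look-alikes (an order reference, a part number and a lab accession number) and misses the unformatted value entirely; the structural check removes the look-alikes, and the context score separates the unlabeled ticket number (low) from the two values that sit next to "SSN" or "Social security" (high). The hand-written vocabulary is a stand-in for what the article says machine learning-based DLP derives from an organization's own data, and it shows why pattern quality, not just pattern presence, decides how many false positives reach a reviewer.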

There is no easy road to keeping patient health data secure, and companies
seeking a quick fix may find themselves regretting it. The key for the
healthcare industry is not only to be aware of the compliance laws
regarding PHI, but to take meaningful action to protect it. A machine
learning-based data loss prevention (DLP) solution can improve detection
accuracy, increase awareness of data variance, and boost flexibility to
deliver the level of protection required in today's challenging business
environment. This new wave of DLP software can also help organizations
become more vigilant through 24/7 monitoring, reinforcing security and
locking down the protection of personal health data in any workplace.