[BreachExchange] Can we end the healthcare data breach pandemic?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 2 20:24:11 EDT 2018


http://www.healthcareglobal.com/technology/can-we-end-healthcare-data-breach-pandemic

The healthcare industry is facing rates of cybercrime at a pandemic level.
In fact, healthcare breaches accounted for 43% of all reported breaches
between 2014 and 2016. The digitisation of healthcare records amidst a
changing cybersecurity landscape has broadened healthcare organisations'
exposure points, and as demand for data sharing between healthcare
organisations increases, so does the risk of a data breach and of
non-compliance with patient data protection regulations.

This past year has been a massive one for healthcare data breaches in the
UK. The National Health Service (NHS) has faced ransomware attacks and, most
notably, a major data breach that exposed the medical records of 26 million
patients.

How did this happen?

Due to a lack of control and oversight, doctors were able to change a
setting in the IT system to make patient records shareable across different
healthcare organisations – ultimately exposing the records to thousands of
workers across the country.

With this breach, we saw practitioners, the UK government and citizens jump
into crisis mode. What was the cause of this breach? In large part, a
failure to properly govern identities and their access to sensitive patient
data.

What makes this an interesting case for identity is that it wasn't
malicious. Doctors aren't IT professionals. Their job is to make sure
patient care is delivered accurately and in a timely manner across
different care providers. Making patient records accessible to the hospital
or the specialists that doctors are sending their patients to seems like a
reasonable way to expedite care, save time and provide good service to
patients. But without proper governance, it quickly became a massive
exposure point that was ultimately exploited and that affected millions.

As this real-world example illustrates, sensitive data often gets exposed
through legitimate users doing their jobs on a daily basis without
realising they’re exposing their organisations to risk. And it could very
easily happen again.

For example, a clinician conducting a research study may copy and paste
medication administration from the Electronic Health Records (EHR) system
into an application such as Word, PowerPoint or Excel for sharing. Or a
provider organisation’s Health Information Management department may run a
real-time operational report for auditing purposes, and later save this
report to a network drive for future reference. Both of these actions,
while helpful to the employees conducting them, also result in taking
sensitive data outside of protected systems, ultimately creating additional
exposure points for the organisation.

This data problem is not unique to healthcare organisations. It’s a common
challenge that many organisations are trying to overcome, given that an
estimated 80% of all data is stored in files. Organisations need an
effective and efficient approach to mitigating the risk of exposing
sensitive data to unauthorised individuals or groups—some of whom may have
questionable or even malicious intent.

Is there a proverbial vaccine for this widespread issue that affects
virtually everyone on both the patient and care-provider sides? It’s not
that simple, but the good news is that the healthcare industry can learn
from other highly regulated industries how to better address this challenge.

Implementing a robust identity governance program can help. Identity
governance lets an organisation answer two questions: who has access to
what, and what are they doing with that access? Answering them exposes the
organisation's exposure points, which reduces the risk of a data breach and
limits the damage an attacker can do if the organisation is breached. It
also lets IT and healthcare providers work more efficiently and focus on
their respective roles without putting their organisations at risk.
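As an added illustration of what "who has access to what" means in practice (example code written for this post, not taken from the article or any vendor product), here is a small access review over constructed sharing grants. It flags any grant that exposes a patient's record to an organisation outside that patient's care team, which is the pattern behind the NHS incident described above; the organisation names, user names and the ALL_ORGS marker are all assumed sample data.

```python
"""Access review: find record-sharing grants that exceed the care team."""
from collections import defaultdict

# Constructed sample data: the organisations involved in each patient's care.
CARE_TEAM = {
    "patient-001": {"GP-Surgery-A", "Hospital-B"},
    "patient-002": {"GP-Surgery-A"},
    "patient-003": {"Hospital-B", "Specialist-C"},
}

# All organisations connected to the shared record system (constructed).
ORGANISATIONS = {"GP-Surgery-A", "Hospital-B", "Specialist-C", "Pharmacy-D"}

# Constructed sharing grants: who changed the setting, for which patient,
# and which organisation can now read the record. "ALL_ORGS" models the
# "make shareable everywhere" switch the article describes.
SHARING_GRANTS = [
    {"by": "dr.smith", "patient": "patient-001", "to": "Hospital-B"},
    {"by": "dr.smith", "patient": "patient-002", "to": "ALL_ORGS"},
    {"by": "dr.jones", "patient": "patient-003", "to": "Specialist-C"},
    {"by": "dr.jones", "patient": "patient-003", "to": "Pharmacy-D"},
]


def review_grants(grants, care_team, all_orgs):
    """Return the grants that expose a record beyond the patient's care team,
    each annotated with the organisations that should not have access."""
    findings = []
    for grant in grants:
        targets = set(all_orgs) if grant["to"] == "ALL_ORGS" else {grant["to"]}
        excess = targets - care_team.get(grant["patient"], set())
        if excess:
            findings.append({**grant, "excess": sorted(excess)})
    return findings


def summarise_by_user(findings):
    """Group over-exposed patients by the user who made the change, so the
    review can be followed up with that person rather than treated as an attack."""
    by_user = defaultdict(set)
    for finding in findings:
        by_user[finding["by"]].add(finding["patient"])
    return {user: sorted(patients) for user, patients in by_user.items()}


if __name__ == "__main__":
    for f in review_grants(SHARING_GRANTS, CARE_TEAM, ORGANISATIONS):
        print(f"{f['by']} shared {f['patient']} with {f['excess']}")
```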

When it comes to healthcare, the stakes are high. Healthcare records are
valuable to hackers and cost a lot in compliance fees when exposed, not to
mention the reputational damage. Organisations need the right tools to make
sure access to sensitive data is granted and controlled appropriately,
especially as this data is increasingly found outside of IT’s purview. This
is where identity comes in. With identity governance, healthcare
organisations are empowered to deliver care while knowing their patient
data is secure.