Healthcare organizations are being targeted from every angle – the numbers are there to prove it.
According to a recent study conducted by KPMG, almost half (47 percent) of IT healthcare executives have been victim of a data breach or violated HIPAA laws at their organization. And what may be even more troubling, only 35 percent of IT healthcare executives say they are prepared to offset a security threat.
Unfortunately, despite the fact that healthcare organizations are a top target for hackers, healthcare organizations are still woefully unprepared to handle the growing number of sophisticated attacks. The Department of Health and Human Services agrees, and in a report to Congress just this year, it took a bold stance: “healthcare cybersecurity is in critical condition.”
The missing piece of the puzzle
Even with all the security tools on the market, it is impossible to say that there is no way an organization can be breached. Threats continuously evolve, the number of endpoints within an organization continue to rise, and more and more information is shared beyond the traditional organization perimeter.
Traditionally, healthcare organizations have focused on protecting information within the confines of the organization itself. The security software investments have been to protect the network, the devices, the applications and the perimeter. The challenge is that data is moving between these various ‘walls’ and often beyond the perimeter. To ensure true end-to-end security, it is essential that organizations start looking beyond the traditional ‘perimeter’ and start take a data-centric approach to security.
Collaboration should be encouraged, but also protected
In order to properly do their job, healthcare organizations must share sensitive files with different departments, as well as insurance companies, third-party vendors and partners. However, once data leaves the virtual perimeter of an organization, they are taking a “hope and pray” approach. They must simply trust that the partner organization takes cybersecurity as seriously as they do. In fact, a 2016 survey released by the Ponemon Institute notes that 60 percent of participants didn’t check the security and privacy practices their third-party vendors may or may not adhere to.
Now, if the data itself, not just the perimeter is protected, an organization has a lot more control over what happens to it once it leaves the network. An Enterprise Digital Rights Management (EDRM) solution allows organizations to attach persistent, granular usage controls to any type of file as it is shared with collaborators, both within and outside of the facilities perimeter. EDRM solutions ‘wrap’ files with specific usage controls that travel with files wherever they go. Specifically, EDRM can control: who can access the file, what they can do with the file (view, edit, copy, print, screen share, run macros), where they can access the file (by device or IP address) and when they can access the file. These controls can also be revoked or modified at any time from any location, even with previously shared information.
Another factor to take into consideration are the federal guidelines and standards put in place to ensure patient data is adequately protected. Regardless of where data resides, personally identifiable information is subject to regulations such as PCI-DSS, GDPR, and HIPAA. By persistently protecting the data, risks of loss are removed and all usage information is tracked for real-time audit trails to meet compliance regulations.
Need more proof that data-centric security is necessary?
In July 2017, Anthem Health Insurance reported yet another data breach. This time 18,500 members had their health records sent to a private email address of a staffer at a third-party vendor. On top of this, the breach was caused by an insider threat. This highlights how data is becoming the new perimeter and IT departments need to focus on securing the actual information as it is in use and being shared. If an EDRM solution was in place, Anthem could have either set controls on which location/IP address could receive the information and immediately seen who tried to access the document.
Given that working with third-party vendors can’t (and shouldn’t) be avoided and that it’s virtually impossible to protect apps, devices and networks from every attack, implementing a data-centric security solution can protect sensitive information, even when traditional security measures fail.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.