Last week, the Department of Justice announced the takedown of 300 criminals responsible for $900 million in fraudulent healthcare billings— the largest in history. And one of the charges leveled against the defendants, aggravated identity theft, points to the root cause of the problem — healthcare identity information stolen in data breaches or by insider fraud.
On the cyber black market, a single stolen healthcare record is worth $50, more than 10 times the value of a Social Security Number ($0.43), making the healthcare system a far more lucrative target for fraud.
It's a small wonder then that as healthcare organizations race to digitize information and patient processes, they've become prime targets for hackers and even malevolent insiders. According to a March NPR report, Has Healthcare Hacking Become an Epidemic?, the healthcare industry averaged close to four data breaches per week in early 2016.
Healthcare providers aren't alone. A survey by Crown Records Management found that more than two thirds of pharmaceutical companies admitted they had been hacked. Aside from securing patient databases, hospitals, laboratories, specialists, insurance companies, HR organizations and research institutions must routinely exchange files containing electronic protected healthcare information (ePHI), financial and insurance details, clinical trial data or other sensitive information. Whether shared internally or externally, all of this data can be subject to theft.
The 2015 State of File Collaboration Security report by Enterprise Management Associates (EMA) shows that IT and infosec professionals in mid-tier organizations are concerned with these very issues. Seventy-five percent of survey participants expressed a high or very high level of concern about sensitive, regulated or confidential data leakage due to inappropriate file sharing or unauthorized access. Fully half said there were frequent instances of inappropriately shared documents or unauthorized access to files containing sensitive, confidential or regulated information in their organization. A whopping 84 percent had either a moderate or total lack of confidence in their organization's file security monitoring, reporting and policy enforcement capabilities.
Lifecycle File Protection
Like their peers in other industries, healthcare and life sciences organizations find collaboration is risky but necessary. Much of the collaboration problem lies in inadequate controls after files cross the firewall where internal content management, DLP and other point solutions no longer apply.
Sure, files can be exchanged securely with other providers or business partners, but what prevents that recipient from inappropriately forwarding the file, making unauthorized changes, storing the file via an insecure local or cloud file sharing service or leaving it on a laptop that gets lost or stolen? Even internally, sensitive files are often accessed or shared where they may end up in the wrong hands.
That's why many healthcare and pharmaceutical organizations have taken advantage of emerging file security solutions to reduce these data leakage risks by addressing this gap with strong file encryption and usage controls that, once applied, persist for the life of the file, including after it traverses to various networks, recipients and devices.
Past information rights management (IRM) solutions were costly, often tied to specific applications or required specific infrastructure to function, and were cumbersome for IT and departmental users alike to use and manage. While these IRMs worked internally, they were especially challenging to enforce on users outside the organization. The best of a class of newer solutions, such as FinalCode, offers greater flexibility and usability for internal and external application, while striking a balance between IT's need for governance and the user's need for convenience. They support conventional file sharing mechanisms, such as email and network shares, as well as new cloud and mobile based applications.
These solutions enable very granular controls over who can access files, under what conditions and what they can do with them. Users can easily apply required controls on file viewing, editing, saving, printing and watermarking that persist for the life of the file. More so, the file owner can change the file security policy dynamically and even remotely delete files after they have been shared. These security policy controls are enforced wherever the file goes and every time the sensitive file is opened.
This new class of file collaboration security platforms also tracks and stores file activity, including applied controls, access attempts, policy violations and actual recipient usage, ensuring the organization meets regulatory compliance and, if needed, has the data for successful forensic investigations. Since the best solutions apply strong AES-256 encryption, they meet HIPAA and HITECH's safe harbor exemption for information "rendered unusable, unreadable or indecipherable."
These solutions are easy for IT security teams to implement and integrate with existing applications and workflows, separating file security functions from file storage, transport and content management. Department heads can preserve user productivity, and workflows will not be impacted. And users are ready to do their part, as 70 percent of EMA respondents answered that end users would invoke stronger security controls if empowered.
In the C-suite, executives will most appreciate that the enterprise is achieving reduced reputation and threat of IP exfiltration risks, and improved compliance with HIPAA, HITECH and other regulatory requirements.
Collaborative File Security That's Easy and Cost-effective
The beauty of this approach is that if any collaborator decides to share the file to an unauthorized user, mishandles it accidently or has it stolen, solutions like FinalCode can deny access and log the attempt. Departmental users can even apply time and file open limits and delete files on users' systems long after they have been sent. These platforms can be quickly installed as needed, by department, project or enterprise-wide, and more so, can be easily used by external prospects, partners and contractors.
Many solutions are compatible with popular operating systems, applications, devices and consumer cloud services, including DropBox and Box, and multiple file formats such as Microsoft and Adobe so they don't hamper the fast, flexible collaboration and convenience that help keep patients healthy and get new medical breakthroughs to market fast.
So why worry about exposing patient healthcare identities, privacy and compliance to the risks of misuse or data breaches when you share files? With today's file collaboration security solutions, you can protect sensitive files and healthcare identities throughout their travels.
Bio
Scott Gordon, COO at FinalCode, Inc., is an accomplished leader who has helped evolve security and risk assessment technologies at both innovative startups and large organizations. An infosec authority, speaker and writer, he is the author of Operationalizing Information Security and the contributing author of the Definitive Guide to Next-Gen NAC. Scott holds CISSP-ISSMP certification.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.