The healthcare sector is among the worst affected by data breaches on a global level. Collecting extremely sensitive – and therefore very valuable – data and storing it on at times outdated systems, healthcare institutions are often prime targets for cyberattacks.
The healthcare industry is also one of the most regulated sectors when it comes to data protection, with specialized legislation like the Health Insurance Portability and Accountability Act (HIPAA) in the US and the EU’s General Data Protection Regulation (GDPR) making the protection of health information mandatory. Noncompliance brings with it hefty penalties.
It is therefore no surprise that the healthcare sector also has the highest cost per data breach of any industry. According to the 2019 Cost of a Data Breach Report released by the Ponemon Institute and IBM Security, the cost per breach for healthcare institutions is $6.45 million, 65% more than the average cost of a data breach.
With these three major issues to consider, what can healthcare organizations do to ensure their data protection strategies are successful? Here are our tips!
1. Know where your data is, who is using it and how
Many healthcare institutions put all their efforts into protecting their networks against outside interference, but while this is an important part of data protection strategies, it is crucial to also focus on the sensitive information that attracts these attacks.
By protecting sensitive data directly, organizations guard not only against outside threats, but also malicious insiders and employee carelessness. First, however, healthcare institutions must know where their data is and who has access to it. Data transparency and tools that help healthcare providers closely monitor sensitive data wherever it is found are critical for an effective cybersecurity framework.
Tools like Data Loss Prevention (DLP) solutions allow healthcare providers to define sensitive data and then monitor and restrict its use and transfer through network-wide policies. Some, like Endpoint Protector, even come with predefined policies for legislation like HIPAA and GDPR, ensuring that the data protected is in line with compliance needs. DLP solutions, through their data discovery features, help organizations find sensitive data wherever it is located on the network and allow for remediation actions such as encryption or deletion when it is found on unauthorized computers.
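To make the discovery-and-remediation workflow above concrete, here is a small added example (not Endpoint Protector's code or any vendor's real rule set): a constructed "HIPAA-style" policy of two identifier patterns is run over constructed sample files, and each file on an endpoint not on the allow-list gets a remediation decision. The host names, file paths, identifier formats and the bulk-export threshold are all assumptions for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed detection rules standing in for a predefined DLP policy:
# a Medical Record Number pattern and a US Social Security Number pattern.
HIPAA_POLICY = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[- ]?\d{6,8}\b"),
}

# Constructed allow-list of systems that are expected to hold PHI.
AUTHORIZED_HOSTS = {"ehr-db-01", "billing-02"}

@dataclass
class Finding:
    host: str
    path: str
    matches: dict   # rule name -> number of hits (only rules that fired)
    action: str     # "none", "encrypt" or "delete"

def discover(host, path, content, policy=HIPAA_POLICY, bulk_threshold=10):
    """Classify one file against the policy and choose a remediation."""
    matches = {name: len(rx.findall(content)) for name, rx in policy.items()}
    matches = {k: v for k, v in matches.items() if v > 0}
    if not matches or host in AUTHORIZED_HOSTS:
        action = "none"            # no PHI, or PHI where it is meant to live
    elif sum(matches.values()) >= bulk_threshold:
        action = "delete"          # looks like a bulk export on an endpoint
    else:
        action = "encrypt"         # a few identifiers: encrypt in place
    return Finding(host, path, matches, action)

def scan(files):
    """Run discovery over (host, path, content) tuples and return findings."""
    return [discover(h, p, c) for h, p, c in files]

# Constructed sample inventory: (host, path, file content).
SAMPLE_FILES = [
    ("ehr-db-01", "/var/lib/ehr/patients.csv", "MRN-00123456,123-45-6789\n"),
    ("laptop-17", "C:/Users/jdoe/Desktop/notes.txt", "Call back patient MRN 00234567"),
    ("laptop-17", "C:/Users/jdoe/Downloads/export.csv",
     "\n".join(f"MRN-0000{i:04d},{i:03d}-12-3456" for i in range(20))),
    ("laptop-18", "C:/Users/asmith/memo.txt", "Cafeteria menu for Tuesday"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{f.host}:{f.path} -> {f.action} {f.matches}")
```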
2. Put together and test a data breach response plan
Healthcare institutions are being actively targeted, and the more data they collect, the more tempting a target they become for cyberattacks. And while a strong cybersecurity framework based on standards like the CIS Controls can prevent up to 97% of all data breaches, the sad reality is that there is no foolproof plan to prevent all of them. Sometimes an employee bypasses security measures out of frustration, someone with high-level access falls for a social engineering attack, or a newly discovered vulnerability in software or hardware is exploited before it can be patched. These are unexpected situations that can compromise even the most airtight data protection strategy.
Because there is no way of guaranteeing a healthcare organization will not be hit by a data breach, it’s important for them to have a data breach response plan in place and test it beforehand to ensure its effectiveness. In this way, employees are prepared for a security incident and know what is expected from them when one occurs.
When it comes to dealing with data breaches, speed is key, and having a well-thought-out plan in place not only helps mitigate the harm caused by a breach and comply with mandatory data breach notification laws, but also saves money. The 2019 Cost of a Data Breach Report showed that organizations that already had extensively tested incident response plans in place saved over $1.2 million when they were breached.
3. Check third parties’ security practices
Sometimes a healthcare provider has a strong cybersecurity framework in place, but the vendors it works with do not. While legislation like HIPAA and GDPR restricts how personal information can be shared with third parties, it is worth keeping in mind that companies collecting data and then passing it on to vendors for processing are still liable when a data breach occurs.
In the case of Singapore’s infamous 2018 SingHealth data breach, which resulted in the theft of the personal information of 1.5 million patients, including that of the island-state’s Prime Minister Lee Hsien Loong, Singapore’s Personal Data Protection Commission (PDPC) issued a fine of $750,000 to Integrated Health Information Systems (IHiS), the technology vendor whose poor security practices led to the breach, but also $250,000 to SingHealth as the owner of the patient database system that was compromised.
Healthcare organizations must require vendors to prove that they meet security best practices in line with the organization’s own cybersecurity framework. This ensures an adequate level of security is in place to protect any data transferred to these third parties for processing or as part of outsourced services.