Health information is among the most sensitive categories of data. Collected in high volume and stored in systems that are often vulnerable, health data has become an attractive target for malicious outsiders. The rise in attacks has led to a string of high-profile data breaches the world over, with healthcare companies bearing the reputational, legal and financial consequences in their aftermath.
The healthcare sector reported the highest cost per data breach of any industry in 2019. According to the Ponemon Institute and IBM Security’s Cost of a Data Breach Report, the cost of a data breach for healthcare institutions was approximately $6.45 million, 65% more than the average cost per breach. The long-term impact of data breaches means that companies continue to pay for them years after they took place, with highly regulated industries such as healthcare seeing high costs continue even three years after a data breach has occurred.
It is therefore in the interest of healthcare organizations to protect their data and avoid the disastrous consequences of a data breach. But what are the key data security concerns they face and how can they address them? Let’s take a closer look!
One of the biggest contributors to data breaches is employees themselves. Whether through carelessness when working with sensitive data or susceptibility to phishing and social engineering attacks, insiders often pose the highest risk to personal information. It is therefore essential that employees receive adequate training on best practices for handling sensitive data and on the importance, both regulatory and reputational, of following them.
Training is especially effective when it comes to outsider threats that target individuals through infected attachments, links to malicious websites, or seemingly legitimate requests for sensitive information. Employees are often unaware of the existence of such practices and, once informed, are vigilant about them, reducing their chances of being tricked into sharing sensitive data or infecting their work devices or the company network.
When it comes to human error, however, training is less effective, because human error by definition means an unintentional mistake. It can happen to anyone, regardless of how well informed they are about the dangers of data breaches. Employees who are under deadline pressure, or who are simply tired or unwell, can easily send an email to the wrong person or publish a document publicly.
In these sorts of cases, solutions such as Data Loss Prevention (DLP) tools can help healthcare companies keep sensitive data secure. Through predefined policies, they monitor and control the transfer of sensitive data to ensure it is not sent through unauthorized channels such as messaging apps, third-party file transfer websites, or cloud services.
DLP solutions, through their sensitive data monitoring options, can also help healthcare providers identify which employee practices need to be corrected, supporting them in building effective training that addresses real-world situations employees face.
Data Protection Legislation
Specialized legislation such as the Health Insurance Portability and Accountability Act (HIPAA) in the US and the General Data Protection Regulation (GDPR) in the EU makes the protection of health information mandatory by law and puts the burden of responsibility squarely on organizations’ shoulders. Noncompliance comes with significant fines. For example, depending on the level of perceived negligence at the time of a HIPAA violation, a healthcare company can be required to pay as much as $1.5 million per year for each violation.
Compliance is, therefore, a key concern for many healthcare companies. They must research which legislation applies to them and which requirements they are obligated to follow. Auditing is an essential part of any compliance effort, as are data discovery tools.
Organizations must, first of all, find out which of the data they collect falls under laws such as HIPAA, where it is stored on their network, and how it is used by their employees. This can easily be done with DLP tools that come with predefined policies for legislation such as HIPAA or GDPR. By using them, companies do not have to go through the trouble of defining what sensitive data means in the context of such laws, but can rely on policies already verified for compliance use.
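As an added illustration (not code from the original article or from any vendor's product), the following Python sketch shows the two DLP functions the text describes: data discovery over stored documents and transfer control on an egress channel. The PHI detectors, the list of authorized channels and the sample documents are all constructed for the example.

```python
import re

# Constructed, simplified detectors for identifiers that fall under HIPAA's
# definition of protected health information (PHI). A real DLP policy ships
# many more and validates them; these only illustrate the mechanism.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{2}/\d{2}/\d{4}\b", re.IGNORECASE),
}

# Hypothetical egress channels the policy treats as authorized for PHI.
AUTHORIZED_CHANNELS = {"corporate_email", "ehr_portal"}


def redact(value: str) -> str:
    """Mask a matched value so the DLP report itself does not leak PHI."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def find_phi(text: str) -> dict:
    """Return {identifier_type: [redacted matches]} for every detector that fires."""
    findings = {}
    for kind, pattern in PHI_PATTERNS.items():
        matches = [redact(m.group(0)) for m in pattern.finditer(text)]
        if matches:
            findings[kind] = matches
    return findings


def discover(file_store: dict) -> dict:
    """Data discovery: map each stored document to the PHI types it contains."""
    report = {}
    for path, content in file_store.items():
        kinds = list(find_phi(content))
        if kinds:
            report[path] = kinds
    return report


def evaluate_transfer(text: str, channel: str) -> tuple:
    """Transfer control: decide (action, reason) for sending text over a channel."""
    findings = find_phi(text)
    if not findings:
        return ("allow", "no PHI detected")
    kinds = ", ".join(sorted(findings))
    if channel in AUTHORIZED_CHANNELS:
        return ("allow", f"PHI ({kinds}) on authorized channel {channel}")
    return ("block", f"PHI ({kinds}) to unauthorized channel {channel}")


SAMPLE_STORE = {  # constructed documents, not real patient data
    "shared/referral.txt": "Patient MRN 00482917, DOB: 03/14/1975, referred for imaging.",
    "shared/lunch-menu.txt": "Cafeteria menu for Monday: soup, salad, pasta.",
    "hr/onboarding.txt": "New hire SSN 123-45-6789 received; forward to payroll.",
}
```

Running `discover(SAMPLE_STORE)` flags the referral and onboarding files but not the menu, and `evaluate_transfer` blocks the onboarding note to a personal webmail channel while allowing it over corporate email.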
Data Breach Response
No data protection strategy is foolproof. Even the strictest policies can sometimes prove insufficient, for example when a new system vulnerability is exploited before it is patched, or when an employee is targeted by a very convincing social engineering attack. However small these possibilities, healthcare companies must be prepared to deal with a data breach.
This can be done through a data breach response plan. By preparing for the eventuality of a data breach, companies ensure that when a security incident occurs, employees already know what is expected of them and how best to mitigate its consequences. This leads to the quick reaction times that are critical when dealing with a data breach.
A data breach response plan also helps companies save money. According to the 2019 Cost of a Data Breach Report, organizations that already had an incident response team in place and extensively tested their data breach response plan saved over $1.2 million when they were breached.
Third-Party Security Practices
Many healthcare companies work with contractors, and while they themselves might have strong data protection strategies in place, these third parties may not. Legislation like HIPAA and GDPR restricts how personal information can be shared with third parties, and the organization collecting the data remains liable under the law if a data breach occurs. This means that, should a vendor suffer a data breach, fines would be issued not only to the party responsible for it but also to the data controller, which had an obligation to protect the data it collected.
Healthcare companies must therefore verify that any contractors they work with have data protection policies in place that align with their own cybersecurity strategies, ensuring a satisfactory level of protection for any data that would be transferred to them.