Due to its sensitivity and high value, healthcare data has been heavily regulated for years through specialized legislation such as the Health Insurance Portability and Accountability Act (HIPAA). Despite this, healthcare has had the highest average total data breach cost of any industry for eleven years in a row. According to IBM and the Ponemon Institute’s Cost of a Data Breach Report 2021, it reached a staggering $9.23 million per data breach in 2021, a 29.5% increase from 2020.
Healthcare services collect a wealth of Protected Health Information (PHI), which falls within the scope of HIPAA. PHI is information that relates to an individual’s past, present, or future physical or mental health and the provision of healthcare to an individual. It also includes personally identifiable information (PII) such as name, address, or Social Security Number that, by itself or grouped with other identifiers, can reveal a person’s identity, medical history, or payments they have made. PII is also protected under more general data protection legislation, such as the EU’s General Data Protection Regulation (GDPR).
To ensure compliance and avoid fines and the other costs associated with data breaches, such as lost business and reputational damage, healthcare services need to build a comprehensive data security strategy that protects sensitive information from both external and internal threats. Let’s take a closer look at how they can achieve this.
1. Deal with internal threats
The healthcare sector struggles with a particularly high level of negligence among its employees. 27% of its breaches are due to human error, one of the highest percentages across all industries. A further 27% of malicious incidents also have employees as the root cause, as they fall victim to phishing and social engineering attacks or attempt to steal data themselves.
This is problematic because, by law, most health data is not allowed to leave an organization’s premises unless it is encrypted or transmitted through secure, authorized channels. Healthcare services can turn to Data Loss Prevention (DLP) solutions to control the flow of sensitive health data in and out of their networks.
Designed to protect sensitive data directly, DLP tools use predefined profiles and customized definitions to track and control sensitive data covered by laws such as HIPAA and GDPR across company networks. With content inspection and contextual scanning, DLP solutions can identify health data in files and in the body of emails before they are sent, blocking their transfer through unauthorized channels.
2. Restrict access to data
Another way health data can become vulnerable and exposed to theft is when it is stored locally on work computers. Employees often access, save, and download sensitive data as they perform their tasks and can forget to delete these files when they are no longer needed. This poses a significant risk to data security and compliance efforts, as laws such as HIPAA stress the need to limit data access to a need-to-know basis.
DLP solutions can scan for sensitive data stored locally across the entire company network, and when it is found in unauthorized locations, admins can take remediation actions such as deletion or encryption. Healthcare services can thus ensure that no employee retains access to sensitive data they no longer need to perform their duties.
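As an added illustration (not Endpoint Protector’s code), here is a minimal version of the two capabilities described above: content inspection that validates SSN-shaped identifiers against the never-issued ranges and applies a contextual-scanning window so that identifiers near health vocabulary weigh more than bare numbers, plus a data-at-rest discovery pass over locally stored files. The MRN format, keyword list, thresholds, paths and sample texts are constructed assumptions for this example.

```python
import re

# US SSN AAA-GG-SSSS, excluding never-issued ranges (area 000/666/9xx,
# group 00, serial 0000); lookarounds stop matches inside longer digit runs.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
# Constructed medical record number format for this example: "MRN" + 6-8 digits.
MRN_RE = re.compile(r"\bMRN[ :#-]*\d{6,8}\b", re.IGNORECASE)
# Contextual scanning: an identifier near health vocabulary is a stronger
# signal than a bare number that merely looks like an SSN.
HEALTH_CONTEXT = ("patient", "diagnosis", "prescription", "icd-10", "lab result")

def inspect(text: str, window: int = 80) -> list[tuple[str, str, bool]]:
    """Content inspection: (kind, value, in_health_context) for every
    PHI-like identifier; context = a keyword within `window` characters."""
    lowered = text.lower()
    findings = []
    for kind, rx in (("ssn", SSN_RE), ("mrn", MRN_RE)):
        for m in rx.finditer(text):
            lo, hi = max(0, m.start() - window), m.end() + window
            in_ctx = any(k in lowered[lo:hi] for k in HEALTH_CONTEXT)
            findings.append((kind, m.group(0), in_ctx))
    return findings

def decide(text: str, bulk_threshold: int = 3) -> str:
    """Outbound policy (assumed): block PHI in health context or a bulk of
    identifiers; alert on a lone context-free match; otherwise allow."""
    found = inspect(text)
    if any(ctx for _, _, ctx in found) or len(found) >= bulk_threshold:
        return "block"
    return "alert" if found else "allow"

def discover(files: dict[str, str]) -> dict[str, int]:
    """Data-at-rest discovery over {path: content}: paths holding PHI in
    health context, with the number of such identifiers in each."""
    hits = {}
    for path, content in files.items():
        n = sum(ctx for _, _, ctx in inspect(content))
        if n:
            hits[path] = n
    return hits

# Constructed samples standing in for an outbound email body and local files.
EMAIL = "Patient J. Doe, MRN 00483921, ICD-10 E11.9, SSN 123-45-6789 attached."
FILES = {
    r"C:\Users\nurse\Downloads\discharge.txt": EMAIL,
    r"C:\Users\nurse\Documents\po.txt": "PO ref 555-12-3344, 120 licences.",
    r"C:\Users\nurse\Documents\agenda.txt": "Wellness webinar, 12 May, 10:00.",
}
```

The purchase-order text triggers only an alert because its SSN-shaped number has no health context, which is the distinction contextual scanning adds over plain pattern matching.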
3. Control removable devices
Although the internet is gaining traction as the data transfer method of choice, many employees still use removable devices such as USB drives or external hard drives to copy large amounts of information or big files. But these devices can easily be lost or stolen because of their size. Worse still, in recent years USB drives in particular have also become popular tools for malware attacks.
Healthcare services wishing to address these risks can use DLP solutions to monitor and control the use of peripheral and USB ports as well as Bluetooth connections. They can choose to block their use entirely or limit it to approved devices. In this way, healthcare services can track which employee is using which device at what time, making it easy to spot suspicious activity on the network and potential data theft. Some solutions, like Endpoint Protector DLP software, also offer granular policies, meaning that companies can apply different levels of restriction based on groups, departments, devices, or individuals.
To further safeguard data, healthcare organizations can also take an extra step and use an enforced encryption solution. In this way, they can ensure that any data copied onto a USB drive is automatically encrypted and that access to it is restricted to those holding the decryption key.
Frequently Asked Questions
Tools like Data Loss Prevention (DLP) solutions allow healthcare providers to define sensitive data and then monitor and restrict its use and transfer through network-wide policies. Some, like Endpoint Protector, even come with predefined policies for legislation like HIPAA and GDPR, ensuring that the data protected is in line with compliance needs. Through their data discovery features, DLP solutions help organizations find sensitive data wherever it is stored on the network and allow for remediation actions such as encryption or deletion when it is found in unauthorized locations.
One of the biggest threats to healthcare data security is insiders. Whether through negligence, malicious intent, or susceptibility to phishing and social engineering attacks, employees are the root cause of 33% of all data breaches. The potential risks of internal threats are numerous, including financial fraud, data corruption, theft of valuable information, and malware installation. These incidents can lead to data breaches that expose sensitive information such as Personally Identifiable Information (PII) or Intellectual Property (IP) and result in heavy fines.
Health data, due to its sensitive nature, has always been considered a special category of data and invariably falls under the jurisdiction of data protection regulations. Under the EU’s new General Data Protection Regulation (GDPR), it is explicitly classed as a special category of personal data under Article 9, which requires the strict application of the regulation’s requirements. In the US, health data falls under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). These two interconnected acts together guarantee its protection.