Healthcare Services: 3 Ways to Ensure Data Security

Due to its sensitivity and high value, healthcare data has been heavily regulated for years through specialized legislation such as the Health Insurance Portability and Accountability Act (HIPAA). Despite this, healthcare has had the highest average total data breach cost of any industry for eleven years in a row. According to IBM and the Ponemon Institute’s Cost of a Data Breach Report 2021, it reached a staggering $9.23 million/data breach in 2021, a 29.5% increase from 2020.

Healthcare services collect a wealth of Protected Health Information (PHI) which falls under the incidence of HIPAA. PHI is information that relates to an individual’s past, present, or future physical or mental health and the provision of healthcare to an individual. It also includes personally identifiable information (PII) such as name, address, or Social Security Number that, by themselves or grouped with other identifiers, can reveal a person’s identity, medical history, or payments they have made. PII is also protected under more general data protection legislation, such as the EU’s General Data Protection Regulation (GDPR).

To ensure compliance, avoid fines and other costs associated with data breaches such as lost business and reputational damage, healthcare services need to build a comprehensive data security strategy that protects sensitive information from both external and internal threats. Let’s take a closer look at how they can achieve this.

1. Deal with internal threats

The healthcare sector struggles with a particularly high level of negligence in its employees. 27% of its breaches are due to human error, one of the highest percentages across all industries. A further 27% percent of malicious incidents also have employees as the root cause as they fall victim to phishing and social engineering attacks or attempt to steal data themselves.

This is problematic because, by law, most health data is not allowed to leave an organization’s premises without being encrypted or transmitted through secure, authorized channels. Healthcare services can turn to Data Loss Prevention (DLP) solutions to control the flow of sensitive health data in and out of their networks.

Designed to protect sensitive data directly, DLP tools use predefined profiles and customized definitions to track and control sensitive data falling under the incidence of laws such as HIPAA and GDPR across company networks. With powerful content inspection and contextual scanning tools, DLP solutions can identify health data in files and the body of emails before they are sent, blocking their transfer through unauthorized channels.

2. Restrict access to data

Another way health data can become vulnerable and exposed to theft is when it is stored locally on work computers. Employees often access, save and download sensitive data as they perform their tasks and can forget to delete these files when they are no longer needed. This poses a significant risk to data security and compliance efforts as laws such as HIPAA stress the need to limit data access to a need-to-know basis.

DLP solutions can scan for sensitive data stored locally on the entire company network, and when it is found in unauthorized locations, admins can take remediation actions such as deletion or encryption. Healthcare services can thus ensure that no employee continues to have access to sensitive data they no longer need to perform their duties.

3. Control removable devices

Although the internet is gaining traction as the data transfer method of choice, many employees still use removable devices such as USBs or external hard drives to copy large amounts of information or big files. But, these devices can easily be lost or stolen due to their size. Worst still, in recent years, USBs, in particular, have also become popular tools for malware attacks.

Healthcare services wishing to address these risks can use DLP solutions to monitor and control the use of peripheral and USB ports as well as Bluetooth connections. They can choose to block their use entirely or limit it to approved devices. In this way, healthcare services can track which employee is using which device at what time, making it easy to spot suspicious activity on the network and potential data theft. Some solutions like Endpoint Protector DLP software also offer granular policies, meaning that companies can choose to apply different levels of restrictions based on groups, departments, devices, or individuals.

To vouchsafe data security, healthcare organizations can also take an extra step and use an enforced encryption solution. In this way, they can ensure that any data copied onto a USB is automatically encrypted and access to it is restricted to those with a decryption key.