Criminal attacks on healthcare organizations are alarmingly frequent, and both the number of incidents and the damage they cause are growing. A 2015 study by the Ponemon Institute found that 91 percent of healthcare organizations had experienced a data breach in the preceding two years alone. More than a third had been compromised multiple times: 39 percent reported two to five data breaches and 40 percent reported more than five.
Breaches continue to expose sensitive patient information. Criminal attacks on the healthcare sector rose 125 percent over the past year, according to the Ponemon study. A study published in The Journal of the American Medical Association, performed by Kaiser Permanente and Stanford University on data from the U.S. Department of Health and Human Services, found that data security breaches exposed more than 29 million health records between 2010 and 2013 alone, and that most of those breaches resulted from overt criminal activity rather than accidental loss. The frequency and scope of these attacks are only going to increase.
Healthcare organizations have a lot to lose in a data security breach, yet most are not adequately prepared for new threats and lack the resources to protect patient data. Despite the rising severity of criminal attacks and the operational, financial and reputational damage they cause, the sector's data security has not kept pace with the current threat environment.
Payer and provider organizations must wrestle with big data, contend with proliferating medical devices, provide real-time access to patient information, meet regulatory mandates and secure protected health information (PHI), all while reducing costs and gaining efficiencies wherever possible. With all these challenges, it’s difficult to know where to start and how to set priorities. Protecting data is now the number one technology imperative for healthcare organizations. However, addressing data security isn’t so simple.
Here are six ways healthcare provider and payer organizations can optimize their data security strategy:
Set data security as a first priority. The TCS Survey found that security has climbed to the top of the CIO mandate, above traditional industry mandates such as reducing cost, simplifying application portfolio complexity and building and maintaining a solid infrastructure. In fact, 90 percent of payer stakeholders and 87 percent of provider stakeholders view data security as their key IT challenge, higher than any other pressing concern about their IT portfolio. Other priorities like customer engagement efforts and reducing costs need to take a back seat to securing the organization’s most valuable asset—its data.
Be proactive rather than reactive. Following a breach, organizations typically react by implementing stronger security measures: stepping up firewall protection, developing new protocols, and improving visibility and monitoring in an attempt to prevent the next breach. But the use of devices, networks, data sharing, partnerships, applications and cloud services will only keep growing, and a reactive approach winds up costing more while being less effective.
Rethink firewalls and perimeter security. In many instances organizations overspend on network and firewall controls to keep attackers out and still never achieve adequate security. The explosion in mobile devices and their growing use in healthcare, the proliferation of smart medical devices, and the need for real-time access to patient information all open new routes into the organization's data that a perimeter firewall does not cover.
Focus on the data elements. Concentrate on the data elements themselves instead of attempting to secure the entire environment. Understand which elements you hold, which of them identify a patient, and who is able to access each one, then put a plan in place that keeps the data from being usable by an intruder even if it is taken.
Consider a data masking approach. Healthcare organizations should shift their security focus to the real issue: whether criminals can steal information they can actually read and use. Data masking hands an attacker a package of valueless data while giving providers cost-effective, longer-term protection. Think of it as an intruder breaking into your house and leaving with only the unusable parts of your most valuable items.
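To make the previous two points concrete, here is an added example (it is not code from the article or from any product it mentions) that applies a per-element policy to a constructed set of patient records: direct identifiers are redacted or replaced with keyed tokens, quasi-identifiers are generalized, and clinical fields needed for analytics are kept. The records, field names, the policy and the key are all assumptions made for the illustration.

```python
"""Added example: per-element masking of protected health information so
that a stolen copy of the masked data set is of little use to an attacker.
Not from the original article; all records and field names are constructed.
"""
import hashlib
import hmac

# Constructed sample records; every value is fictitious.
RECORDS = [
    {"mrn": "MRN-000123", "name": "Jane Q. Sample", "dob": "1972-04-15",
     "ssn": "123-45-6789", "diagnosis": "E11.9", "visit": "2015-03-02"},
    {"mrn": "MRN-000123", "name": "Jane Q. Sample", "dob": "1972-04-15",
     "ssn": "123-45-6789", "diagnosis": "I10", "visit": "2015-06-18"},
    {"mrn": "MRN-000987", "name": "John Doe", "dob": "1948-11-30",
     "ssn": "987-65-4321", "diagnosis": "J45.40", "visit": "2015-05-09"},
]

# Per-element policy (assumed): classify each field once and decide how it
# may leave the system of record. Unknown fields default to redaction.
POLICY = {
    "mrn": "pseudonymize",  # keyed token: same patient -> same token
    "name": "redact",
    "ssn": "partial",       # keep last four digits only
    "dob": "generalize",    # year only
    "diagnosis": "keep",    # needed for analytics
    "visit": "keep",
}


def pseudonymize(value, key):
    """Keyed HMAC-SHA256 token. A plain hash could be reversed by hashing
    every plausible MRN; with the key held outside the masked store an
    attacker cannot rebuild or confirm the original value."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "TOK-" + tag[:16]


def partial_ssn(value):
    digits = value.replace("-", "")
    return "***-**-" + digits[-4:]


def generalize_dob(value):
    return value[:4]


def mask_record(record, key):
    out = {}
    for field, value in record.items():
        action = POLICY.get(field, "redact")
        if action == "pseudonymize":
            out[field] = pseudonymize(value, key)
        elif action == "redact":
            out[field] = "[REDACTED]"
        elif action == "partial":
            out[field] = partial_ssn(value)
        elif action == "generalize":
            out[field] = generalize_dob(value)
        else:
            out[field] = value
    return out


def mask_dataset(records, key):
    return [mask_record(r, key) for r in records]


def leaks_identifier(masked, originals):
    """Release check: no masked record may carry a direct identifier or
    full date of birth verbatim from its source record."""
    for m, o in zip(masked, originals):
        for field in ("mrn", "name", "ssn", "dob"):
            if m[field] == o[field]:
                return True
    return False


if __name__ == "__main__":
    # The key is an assumption for the demo; in practice it lives in a
    # secret store, not beside the masked data.
    demo_key = b"example-masking-key-kept-outside-the-masked-store"
    for row in mask_dataset(RECORDS, demo_key):
        print(row)
```

The two visits for the same patient map to the same token, so longitudinal analysis still works on the masked copy, while the name, SSN and full date of birth are gone. Two caveats a practitioner would add: masking protects copies (test, analytics, partner extracts), not the production system that must still show clinicians the real record, so it complements rather than replaces encryption and access control; and generalized quasi-identifiers such as birth year plus diagnosis can still re-identify rare patients, so the release check above is a floor, not a proof of anonymity.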
Understand that great data security requires more than just technology. It is essential that healthcare organizations invest in systems and measures to secure the enterprise, but that is not enough on its own. Security is about processes, policies, staffing and training, not only the systems you have in place.
Editor’s Note: Magna Hadley also contributed to this article.