Healthcare Breaches & Why DLP is Part of the Cure



The "Year of the Healthcare Breach" highlighted a serious data protection problem in the healthcare industry, but data loss prevention may be a big part of the answer.

2015 was tipped by many security experts to be the year of the healthcare breach. As the year comes to a close, most would say it has lived up to these expectations, with a myriad of healthcare organizations suffering damaging breaches in 2015. Breaches at Anthem and Premera lost the largest amounts of precious patient information, but the year also featured a steady stream of smaller healthcare data loss events, often followed by HIPAA fines, such as those at Systema, Medical Informatics Engineering, Lahey Medical Center, and St. Elizabeth’s Medical Center.

Attacks on healthcare organizations have been increasing steadily over the past few years, and if 2015 is any indication, that trend does not seem to be slowing down. A recent report from Accenture predicts that healthcare cyberattacks could cause more than $300 billion in damages over the next five years. Because of this, it is essential that healthcare providers – from hospitals to insurers to technology vendors – have appropriate security measures to protect patient data. A trend that has put increased importance on this is the migration of many healthcare firms to cloud-based systems – a move that is motivated by the convenience and scalability of cloud as well as government incentives for “meaningful use” of EHR technology.

Why is the Cloud Valuable to Healthcare Organizations?

The cost and scalability benefits of the cloud are particularly substantial for many healthcare organizations which may typically have limited IT resources. With appropriate security, the cloud may further enable more efficient and productive sharing of patient data between multiple care providers, their associates and the patients themselves. However, concerns over the loss of visibility of and control over data in the cloud have remained barriers to many organizations seeking these benefits. Healthcare IT professionals may ask “how can we protect sensitive data that resides outside or our IT environment?”

What are the Requirements to Protect Patient Information?

The importance of managing patient medical information is dictated in the United States by Federal HIPAA/HITECH regulations familiar to all healthcare organizations. Among other things, these regulations require that organizations must know where patient data is stored or sent – whether encrypted or not. In other words, encryption alone is not enough to meet the necessary standards or to provide the visibility required to govern this type of sensitive data. Most of the remainder of HIPAA’s technological requirements for protecting healthcare data are around strict access and transmission controls for protected data. Given these requirements, DLP is a logical solution for many in the healthcare industry when it comes to HIPAA compliance.

What is at Stake for Handlers of Personal Health Information?

The improper release or exposure of regulated patient medical records can result in a drop in confidence by their patients and the general public as well as fines and penalties from the Health and Human Services regulatory agencies. Maintaining compliance with these regulatory acts is a vital concern for every organization handling electronic health records. These concerns extend to business partners of healthcare firms as well. In September of 2013 the HIPAA Omnibus ruling took effect, which requires healthcare business associates to provide the same protection to personal health information as a covered entity.

How does DLP Assist the Healthcare Industry?

Healthcare and associated medical record handling organizations have been utilizing data loss prevention as a cornerstone in meeting legal requirements to protect regulated patient health information within their networks. DLP provides a good fit for healthcare data protection needs because it provides strong coverage of HIPAA requirements as well as additional protections to mitigate risks to healthcare data. The visibility over data – from storage and types to access and activity – provided by DLP tools enables granular controls over how data can be moved, accessed, modified, copied, and destroyed; these capabilities are critical when the data in question can include medical records, financial records, and personal information like social security numbers.

Now, as organizations have increasingly begun to leverage cloud computing to store and share patient information, many DLP providers have extended their capabilities to the cloud as well. By leveraging APIs from cloud providers, much of the same visibility and control that make DLP a top choice for the healthcare industry can be applied to data in the cloud. Of course, no one solution will solve a company’s security problems; there are still steps that must be taken to protect patient data prior to cloud migration, in the migration process, and once data resides in the cloud. However, choosing the right DLP solution and deploying it as part of a defense-in-depth strategy will provide many benefits to healthcare enterprises looking to meet regulatory requirements and safeguard sensitive data.

Image via HowToCleanStuff.net.

Brian Mullins

Digital Guardian for Compliance Technical Overview

Get the technical details on how Digital Guardian solutions protect on the network, at the endpoint, in the cloud, and discovers sensitive data.

Download Now
Related Articles
John Halamka’s 7 Steps to Prevent Healthcare Breaches

Here are 7 steps to securing healthcare data, as recommended by a healthcare CIO responsible for supporting 3,000 doctors, 18,000 faculty, and 3 million patients.

Latest HIPAA Settlement Underscores Medical Device Risk

Lahey Hospital and Medical Center will pay $850,000 for losing data on just 600 patients. The cause? Weak security for medical devices.

In This Healthcare Breach, It’s the Doctor Who Sues

A physician working for Banner healthcare has filed suit against his employer, saying the company was negligent and demanding more protection from hackers.

Brian Mullins

Brian Mullins is vice president of product marketing at Digital Guardian. His team is responsible for strategic marketing at the product line level. Brian has over seven years of security executive experience in both data protection and identity and access management. He is a patent holder and winner of a Business Week International Design Excellence Award.

Please post your comments here