Keeping Personal Health Information Secure in an Era of Cyberattacks

by Paul LaPorte

The healthcare industry faces special challenges when it comes to safeguarding personal health information (PHI). Patients provide a wide range of private, identifying details in relation to their medical records that go well beyond their names and contact information. A patient record may contain detailed demographic data such as a Social Security number; sensitive information about medical conditions, medical history, and the test results used to determine appropriate care; and financial or insurance information. For these reasons, it is incumbent on the healthcare industry to understand the risks and the compliance laws that govern PHI, and to proactively research solutions that prevent and respond to cyberattacks.

Healthcare professionals must be careful and conscientious when handling any personally identifiable information (PII) on behalf of patients and customers, whether that means encrypting records or making sure no one else can see their screen while they review personal data. The patient data entrusted to them must be protected at every stage: when it is entered, when it is transmitted, and when it is stored.

Sensitive health information is not found only in formal electronic medical records; it may also be housed on smartphones, tablets, and laptops. It is exposed to unauthorized access through personal computers, email accounts, calendars, backup drives, servers, shared folders, and even electronic or physical trash cans, so the data is at risk from many directions. PHI is also often stored on wireless medical devices, which present especially hard data-protection problems. Many types of medical devices, from pacemakers to consumer health monitors, are already connected to the Internet or will be by 2020, and that connectivity exposes them to attackers.

For any of these potential access points to PHI and PII, the cost of carelessness can be high and the consequences widespread. Large-scale attacks do not just hurt the individuals and businesses directly involved in the theft: Bloomberg Business noted in 2015 that the rise in such attacks costs the healthcare system as a whole $6 billion every year. The article cited new research from the Ponemon Institute which found that “Criminal attacks against health-care providers have more than doubled in the past five years, with the average data breach costing a hospital $2.1 million.”

Reporting recently in Reuters, Caroline Humer and Jim Finkle stated: “Your medical information is worth 10 times more than your credit card on the black market.” The authors continued that cyber-criminals are increasingly targeting the healthcare sector, in part because the U.S. industry is notorious for running outdated IT systems that lack current security safeguards. This low-security environment makes the industry an easy mark for attackers, even though U.S. national laws are designed to protect personal health data, most importantly the Health Insurance Portability and Accountability Act (HIPAA). HIPAA created industry-wide standards for privacy and confidentiality in managing and sharing PHI, and it mandates steep fines for noncompliance, yet violations still occur. A recent HIPAA study revealed that 80 percent of organizations surveyed believed they were fully compliant with HIPAA regulations, yet the majority were significantly off the mark.

One of the largest and most damaging cyberattacks to date occurred in 2014, when Community Health Systems had private data on 4.5 million patients stolen. Losing that many valuable medical records from a major institution understandably shook the industry and brought new awareness of the importance of protecting health data across the whole continuum of care. That awareness was not enough to keep the same thing from happening only a few months later, when Anthem Inc., the nation's second-largest health insurer, fell victim to a similar attack. That unprecedented intrusion began about two months before it was discovered at the start of 2015, and it exposed sensitive personal and medical data on approximately 80 million people.

It is not only patient data that is at risk within these organizations, but also data about doctors, hospital employees, insurance providers, and other customers. Healthcare providers need to be aware that failing to secure patient data can bring exorbitant fines, and can also cost the entire organization the public's trust and, in some cases, its existence.

What Can Organizations Do to Protect PHI?
With the volume of personal health data rising and the number of places it can be stored multiplying, the risk of cyberattacks on healthcare institutions grows. In this environment, it is no easy task for healthcare companies to keep the patient data entrusted to them secure while remaining compliant with HIPAA and other laws, including the Health Information Technology for Economic and Clinical Health (HITECH) Act, which strengthened HIPAA enforcement and levies fines for misuse of electronic health records. IT administrators must deal not only with the ever-expanding number of potential storage locations for personal health data, but also with the confusing situations that arise when PHI sits mixed in with data that is not regulated at all.

Fortunately, there are steps that forward-thinking companies can take to protect patient data and their own reputation, in particular technology such as newer data loss prevention (DLP) software based on machine learning. Such software can offer a range of benefits, including greater accuracy, awareness, flexibility, and protection. Let's look at these benefits and what companies can do to achieve them:

  • Improving accuracy in identifying high-risk content. A first step toward protecting PHI and PII is being able to determine which content is sensitive. Companies have commonly done this with expression-based searches, which match data against known patterns (the nine-digit shape of a Social Security number, a medical record number format, and so on). Such a search is only as good as its patterns: a loose pattern flags order numbers, phone extensions, and other lookalike strings as sensitive, a tight pattern misses values written in an unexpected form, and in either case the pattern alone cannot tell whether a matching string actually sits in a patient record. Organizations can now use a newer, more sophisticated technique: DLP software that relies on machine learning. Most DLP is still not based on machine learning, but this technology provides more accurate detection by continually adapting to a specific organization's data, taxonomy, and usage patterns. Unlike standard pattern-based DLP (which still plays an important role), machine learning-based software analyzes the context around the data and adjusts its decisions accordingly, which makes tailored searches for sensitive information more reliable and actionable. Because they remain adaptive as data and threats change, machine learning-based DLP solutions can deliver better results than static pattern-based DLP.
  • Increasing awareness of data variance. Healthcare data is highly variable, and an older solution that cannot tell a genuine match from a spurious one, or that lacks contextual awareness when evaluating content, will misclassify records and fail to deliver the needed results. Newer DLP software that relies on machine learning is equipped to recognize subtle distinctions in data, which helps avoid those failures.
  • Boosting flexibility and real-time file analysis. Today's machine learning-based DLP software offers security and governance across the enterprise. A flexible, comprehensive approach to content detection and classification gives administrators confidence that users are following the right procedures. These newer DLP solutions also use machine learning for real-time file analysis, so that content is assessed immediately when it is created or altered.
  • Delivering data protection. Downtime is costly in healthcare, and an advanced machine learning-based DLP solution can reduce it by removing the need for a lengthy initial configuration of patterns and rules (it removes the setup step, not the security controls). Such solutions can also detect PHI quickly and automatically when it is added to SharePoint. When the software detects sensitive content, it can hold the upload until designated content reviewers have examined and approved it.
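The limitation described in the first bullet is easy to see in code. The following Python is an added illustration, not code from this article or from Metalogix: a bare regular expression reports every string shaped like nnn-nn-nnnn, while adding structural validation (the Social Security Administration's published never-issued ranges) and a check for nearby keywords, the simplest form of "data context", discards the lookalikes and ranks what remains. The sample documents are constructed, and the keyword list, the 40-character context window, and the two confidence levels are assumptions chosen for the demo.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample documents for the demo; none of these values are real.
SAMPLES = {
    "clinical_note": (
        "Patient John Doe, SSN 123-45-6789, MRN 00442. "
        "Dx: type 2 diabetes mellitus; A1c 8.1."
    ),
    "invoice": "Order 000-12-3456 shipped; part 666-01-2345; lot 900-55-1234.",
    "phone_list": "Call 555-12-3456 ext 9 for supplies. Fax 800-55-0000.",
}

# The naive expression-based search: anything shaped like nnn-nn-nnnn.
NAIVE_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Assumed context vocabulary: words that, near a candidate, make it far more
# likely to be a real SSN rather than an order number or phone extension.
CONTEXT_WORDS = re.compile(
    r"\b(ssn|social security|soc(?:ial)? sec|patient|mrn|dob|date of birth)\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    doc: str
    value: str
    offset: int
    confidence: str  # "high" = valid and in context, "medium" = valid, no context


def naive_ssn_hits(text: str) -> list[str]:
    """Pattern-only search: returns every nnn-nn-nnnn string, valid or not."""
    return NAIVE_SSN.findall(text)


def is_valid_ssn(candidate: str) -> bool:
    """Structural validation using the SSA's published rules: area numbers
    000, 666 and 900-999 are never issued, nor are group 00 or serial 0000."""
    area, group, serial = candidate.split("-")
    if area in ("000", "666") or area >= "900":
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def find_ssn(doc: str, text: str, window: int = 40) -> list[Finding]:
    """Validated, context-aware search over one document."""
    findings: list[Finding] = []
    for m in NAIVE_SSN.finditer(text):
        if not is_valid_ssn(m.group()):
            continue  # structurally impossible SSN: drop it, do not alert
        before = text[max(0, m.start() - window):m.start()]
        after = text[m.end():m.end() + window]
        in_context = bool(CONTEXT_WORDS.search(before + " " + after))
        findings.append(
            Finding(doc, m.group(), m.start(), "high" if in_context else "medium")
        )
    return findings


def scan(docs: dict[str, str]) -> dict[str, list[Finding]]:
    """Run the validated search over every document."""
    return {name: find_ssn(name, text) for name, text in docs.items()}


def compare(docs: dict[str, str]) -> tuple[int, int]:
    """(naive hits, validated findings): the gap is pure reviewer noise."""
    naive = sum(len(naive_ssn_hits(t)) for t in docs.values())
    validated = sum(len(f) for f in scan(docs).values())
    return naive, validated


if __name__ == "__main__":
    naive, validated = compare(SAMPLES)
    print(f"naive pattern: {naive} hits; validated + context: {validated} findings")
    for name, fs in scan(SAMPLES).items():
        for f in fs:
            print(f"{name}: {f.value} at offset {f.offset} ({f.confidence})")
```

On the constructed samples the naive pattern raises six alerts, of which only one is a Social Security number in a patient record; validation removes four impossible values outright, and the context check separates the clinical note ("high") from the phone list ("medium"), which is the kind of distinction a reviewer queue or a quarantine rule can act on. A learned classifier generalizes this idea beyond a fixed keyword list, but the validation step is worth keeping in front of any model, because it is cheap and never wrong.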

There is no easy road to keeping patient health data secure, and companies seeking a quick fix may come to regret it. The key for the healthcare industry is not only to know the compliance laws that apply to PHI, but to take meaningful action to protect it. A data loss prevention solution based on machine learning can improve detection accuracy, increase awareness of data variance, and add flexibility, delivering the level of protection that today's challenging business environment requires. This new wave of DLP software can also help organizations stay vigilant through round-the-clock monitoring, reinforcing security and locking down personal health data in any workplace.

Paul LaPorte is the director of products at Metalogix.

WWPI – Covering the best in IT since 1980