Hacking healthcare: Protecting patient data while maintaining access

The healthcare sector accounts for 30% of the world’s data, and its footprint is growing everyday. This wealth of data is both a blessing and a curse. It allows for data-driven decision-making within the organization and enables practitioners to make forward-thinking decisions about patient care. But, because the industry is notoriously behind when it comes to adopting security processes, it also makes healthcare companies a prime target for hackers. In 2021, nearly 50 million people in the U.S. had their sensitive health data breached.

Patients need confidence that their most sensitive personal data (including name, date of birth, social security number, and health records) will remain private and secure. Organizations need to comply with data privacy regulations and maintain their reputations. But completely restricting access to data is not the answer. Decision-makers need access to data insights to optimize operations and drive innovations.

Protecting patient privacy while allowing access to data is a delicate balancing act. The right approach, combined with modern data access technologies, can help healthcare leaders overcome security challenges, better protect sensitive patient data, remain compliant, and leverage data for decision making.

Healthcare’s data sec challenges & notable hacks

The pandemic created a rapid digital transformation for the healthcare sector. As a result, healthcare providers are now more data-driven than ever before, with clinical and patient data at their fingertips. But staying ahead of cyber security in this cloud-first world is challenging. Cyber attacks are unrelenting and criminals are taking advantage of vulnerabilities across the entire healthcare supply chain.

Even prior to Covid-19, the industry was feeling the pain. The Anthem Blue Cross breach in 2015 was the biggest healthcare breach to date. Nearly 80 million patient records containing sensitive data were stolen, ultimately costing the company close to $40 million dollars in settlement. And just six weeks later, Premera Blue Cross uncovered a breach affecting over 10 million members, making it the second biggest attack in healthcare history and costing $74 million in settlement. These two attacks helped solidify 2015 as a record-breaking year for healthcare data breaches.

The historic 2015 year aside, healthcare data breaches are trending upward. Hacking increased by 3,000% from 2011 to 2021 and accounted for 75% of all data breaches within the healthcare sector last year, causing widespread damage including lost and compromised medical records, regulatory fines and financial losses, identity theft, lawsuits, and a loss of patient trust. Six of the top 25 healthcare data breaches occurred in the past year, exposing over 40 million patient records, including 3.5 million in an incident at Florida Healthy Kids Corporation, 3.2 million exposed at 20/20 Eye Care Network, and 2.6 million at AccuDoc Solutions.

Why is healthcare such a sweet spot for cyber criminals? It’s pretty simple. Healthcare companies have huge databases filled with detailed, personal health information (PHI). Nowadays, this sensitive data can be accessed by more people in more ways, and it’s typically safeguarded by old, easy-to-crack systems with barebones IT and security teams (if any).

When healthcare breaches do occur, they are not caught as quickly as financial breaches – sometimes going undetected for months or, even scarier, not at all. This provides an ideal environment for bad actors to hack into electronic PHI and Electronic Medical Records (EMR), access data like names, birth dates, and social security numbers, and sell it on the dark web or demand a ransom for its safe return.

Better protect patient data in four steps

With cyber attacks on a steady incline, something needs to be done so that similar fates can be avoided and patient trust can be prioritized. There are four key best practices that, with the right data access technology in place, can protect healthcare companies from hacks and attacks:

1. Discover, understand, and tag data. Healthcare organizations manage large volumes of sensitive patient data that is often spread across many locations. Securing this data and remaining compliant is challenging if there isn’t visibility into where it lives.

Data discovery is the basis of any data access and security strategy, because before an organization can protect its most sensitive data, it must understand it and locate it. With the right tool, data and security teams can build an accurate data inventory without expensive scans that might slow down the infrastructure, then can identify and classify sensitive data and organize it based on risk and value to the organization. This inventory provides real-time visibility into who is accessing sensitive information.

2. Define and enforce policies on sensitive data. Controlling access to sensitive data is a critical element of any data security strategy. Granular security policies including Dynamic Masking, Row-Level Security, and Role and Attribute-Based Access Control (ABAC) can be integrated into access control policies without the need for IT resources. Applying universal masking is a good way to maintain instant security – for example, always block out all but the last four digits of a social security number or hide a home address. This masking of sensitive data at query run-time can be based on preferred security policies and identities, data locations or data types, and support compliance for HIPAA, GDPR, and other regulatory requirements.

Multi-factor authentication should be layered on top of access controls to further verify user identities before granting access. It is also important to have controls in place to prevent users from manipulating classification levels – only authorized users should be able to make these changes.

3. Make data easy to access (but only to the right people). There should not be free-for-all access to data, but it also can’t be under strict lock and key. Healthcare leaders need to establish a secure data access strategy, and it starts with classifying data users by risk level and vetting them before granting access. Solutions with automated, self-service access can facilitate requests and approvals without any added code or workflow modifications, so analysts and data scientists can access the data they need quickly and securely without manual requests.

As Arun Buduri, VP of Engineering, IT and CISO at Innovaccer, recently shared at a company-organized Data Leader Summit’s Healthcare roundtable: “It’s all about going back to the fundamentals. Someone who is not supposed to have access to the data shouldn’t have access to the data. It’s as simple as that.” [Editor’s Note: Innovaccer is a customer of the author’s employer]

4. Make compliance seamless. Healthcare organizations must ensure their data access strategies comply with privacy laws, such as HIPAA and General Data Protection Regulation (GDPR), to avoid costly violations (HIPAA violations can cost up to $1.5 million per year). Real-time visibility into data usage and an audit trail of when sensitive data was accessed, by whom, and why will help healthcare companies meet regulatory compliance requirements, and fine-tune security and data access practices moving forward. A tool that continuously audits and monitors data access, queries, and results and can create automated reports is preferred.

A universal data access tool can continuously discover all data in play, automate security and access controls, and provide audits and reporting. With this modern approach to healthcare data access, the industry can prevent data breaches and maintain patient privacy, while still allowing healthcare leaders to gather insights from the data to provide better patient care and improve business operations.

Photo: roshi11, Getty Images