How to maximize ePHI Security?
There has been a staggering 878 percent increase in health data since 2016. The healthcare industry, becoming increasingly digitized, is going through an explosion of electronic versions of health data (ePHI).
Health-related data is arguably one of the most important and sensitive types of data, providing ways for medicine to innovate and offer better patient outcomes. However, cybercriminals love data, and data breaches across the board are increasing year-on-year. In the first half of 2019, there was a 54 percent increase in data breaches along with a 52 percent increase in exposed personal records.
ePHI is experiencing similar patterns in data breaches; October figures show a 44.44 percent increase in healthcare data breaches. The fact is, increasingly digitized health-related information is at risk of cyber-attacks along with other types of data.
As the health-related data lifecycle grows ever more complex, unstructured data, in particular, seems out of control. Fortunately, there are ways of mitigating this risk. We just need to understand what these are and how to fit them into place.
What Causes ePHI Breaches?
The healthcare sector is a hunting ground for cybercriminals. Health data is lucrative and patient records hold a wealth of personally identifiable information (PII). Stolen health records have been found selling for as much as $1000 on darknet sites.
Under HIPAA regulations, any health data breach that affects 500 or more individuals must be declared. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) publicly displays these breaches on their ‘wall of shame’. Using their search feature, we found that between January 1 and November 1 of 2019, looking only at hacking, theft and unauthorized access, there was a total of 39,639,408 exposed patient records from 370 healthcare providers.
ePHI data breaches are caused by a number of threats including:
Insider Threat - Around 9,800 patients of Aegis Medical Group had their ePHI accessed by a former employee who then attempted to sell the records on to third parties for identity fraud purposes.
Poor Security Measures - Inmediata Health Group potentially exposed the ePHI of 1.5 million patients. A misconfigured web server allowed records to be found using publicly available search engines.
Hacking - American Medical Collection Agency was hacked over an 8-month period, with the exposure of 12 million ePHI records.
Malware Infection (incl. ransomware) - Virtual Care Provider Inc. (VCPI) and 110 care centers under their management were impacted by a ransomware infection and unable to access medical records, putting patients’ lives at risk.
Prevent Breaches by Managing the Lifecycle of Health Data
To protect ePHI we need to stand back and look at what data we have across the data lifecycle. Data is not a static object, especially in the complex field of healthcare. Health-related data moves across many stakeholders, with many touchpoints where it is collected, shared, updated, stored, and so on. The extended vendor ecosystem within the healthcare industry is also involved in this web of data, which HIPAA handles as ‘covered entities’.
And then there is unstructured data: stored and shared across cloud apps, messaging apps, emails, and so on. The whole is convoluted and difficult to take stock of.
The many ways that health data can be breached show how complicated the data lifecycle within the extended ecosystem has become. To ensure full lifecycle security for ePHI, you need to take appropriate precautions and apply the most effective measures for each part of the lifecycle. To do this effectively, you need data visibility and governance.
“Know Your Data (KYD)” is the pivot upon which data management turns. The discipline of data governance works best when you understand data, have visibility of data, can map it to a process, understand how it is used, etc. Data workflow visibility is key to delivering effective security measures - if you understand what you are working with and how it fits into the whole, you can make best efforts to protect it.
Other Measures to Help Protect ePHI
Understanding the lifecycle of data and its governance can inform our decisions on the ‘how to protect’ aspect of ePHI. Just how do you protect ePHI? What types of measures can you take to effectively mitigate the risk of health data exposure?
ePHI security is about looking at data as a whole, each security measure being interwoven into a process of security. Here are our top 6 ePHI security measures.
1 - Information Governance (IG)
To know what to protect you need to know what you are protecting. Information Governance provides visibility into unstructured data. In the complex data ecosystem seen in healthcare, IG gives you the know-how to assess the means to ePHI security (get started with this ePHI Audit Guide).
2 - Robust Authentication/Access Control
Access controls are a crucial part of securing ePHI. A Verizon report found that 58 percent of health data exposure incidents were caused by insiders. Robust access controls should be policy-based and, wherever possible, utilize a second factor and risk-based authentication. The use of the principle of ‘least privilege’, i.e., only allowing access to data resources on a need-to-know basis, is a MUST-have ePHI policy.
3 - Encryption
The use of robust encryption when data is both at rest and in transit is vital.
4 - Audit and Activity Logging
Data and security audits are part of the holistic measures you can use to protect data. The logs show events that can pinpoint security issues, but they can also offer intelligence around data use models, to improve your overall data governance.
5 - Secure Backup and Deletion
If you don’t need it, remove it. Securely removing data you do not need can reduce your overhead in terms of ePHI protection. The other side of this coin is secure backup. Backups that are built to be ransomware resistant can be a godsend if malware infection does happen.
6 - Security Awareness Training
A fundamental aspect of any security strategy is to ensure your user base understands security risks. Security awareness includes teaching users to spot possible scams like phishing, which could result in ePHI breaches. It is also about good security hygiene, such as understanding the dangers of password sharing.
Information Governance or Bust
Securing ePHI is not achievable using a point solution. By using encryption alone, you cannot hope to protect data that flows across myriad endpoints and apps. Information Governance offers a way to stand back and look at the health data picture as a whole.
Understanding data flow and choosing the appropriate security measures for the right part of data management will create a comprehensive and robust system for ensuring this most sensitive and important of data is protected.