As one of the most sensitive pieces of personal information, patient health data needs to be protected from data incidents or breaches. When the majority of the data is spread among multiple applications and devices though, then keeping the data safe from threats can be quite challenging.
There are a few best practices that companies from the healthcare sector can use to boost their data security (and patient trust) straight away, though – you’ll learn about those in this article.
How technology has changed the healthcare sector
The healthcare industry has benefited from technology in many ways. Thanks to digitized medical records stored on the cloud, doctors don’t have to spend as much time creating, updating, and managing paper records. Wearable devices and digital health apps help doctors monitor patients with long-term illnesses. There are even AI-powered applications that can record patient-doctor conversations and turn them into complete notes, saving doctors plenty of time.
All those applications also generate enormous amounts of data every day – and this is both a blessing and a curse for the healthcare sector. A blessing because the data coming from the applications can give healthcare professionals much more information about a patient than an interview would. That way, they can make better decisions about how to treat them and provide better patient care overall.
The amount of data being generated every single day makes it increasingly difficult to keep track of where sensitive healthcare information is stored and who can access it. Add to this hectic work days, a well-known dislike for paperwork among medical staff, and (unfortunately far too often) a lack of cybersecurity training, and you can see why healthcare is among the industries that experience the most data incidents. Unfortunately, attacks on healthcare organizations are also becoming more common. This is due both to the value medical records have to criminals and to the fact that many healthcare facilities still use outdated equipment – which makes obtaining the records much easier for criminals.
What is the average cost of data loss/breach in Healthcare?
Healthcare has the highest average cost of data breaches at $10.10M per incident.
What’s even more worrying is that the cost of healthcare data breaches is rapidly growing. According to an IBM Security breach report, the average cost of such an incident in the healthcare sector has gone up 42% since 2020 – and keeps on growing.
The cost is so high for several reasons. The first is related to the type and amount of data healthcare providers collect and store in their systems. Every patient’s file usually contains:
- Patient’s full name and address
- Email addresses
- ID number
- Billing information
- Social security numbers
- Medical history, together with drug prescriptions, etc.
For criminals, one such medical record can be worth up to 50 times more than a credit card number, as they can build an entirely fake persona from the information available in healthcare records. They then use the new persona to purchase medical equipment on the victim’s health insurance, take out loans in the patient’s name, abuse the victim’s health plan, or file insurance claims. Plus, as health records (unlike, for example, credit cards) can’t be canceled, blocked, or changed after a data compromise is noticed, healthcare companies have a much harder time containing it and minimizing the damage.
As a result, it’s estimated that now 95% of identity theft comes from stolen healthcare records – which means any data incident might pose a serious risk to the patient’s safety.
Another thing that makes healthcare data incidents so costly is how long they take to resolve. In their 2022 report, IBM Security found that the average healthcare data breach lifecycle is 329 days.
Considering how little time healthcare professionals have during the day and how easily files (including sensitive healthcare ones) can be copied or shared without anyone noticing, it can take a long time for a clinic or hospital to discover a data incident.
Unfortunately, when they find out about it, it’s often far too late. Their patients’ data (from social security numbers and credit card numbers to health history) has already been leaked to the darknet, and the company now has to deal with reputational damage, financial losses – and also legal consequences.
Healthcare data breaches are so costly also because of the number of laws and regulations the industry has to adhere to these days – and the penalties for violating those are pretty hefty as well.
The largest HIPAA violation penalty to date, $16 million, was paid by Anthem Inc. in 2018 after a 2014 cyber attack caused a healthcare data breach spanning 78.8 million records. In addition, Anthem also had to pay $115 million to settle the lawsuits filed on behalf of the incident victims and $48 million in penalty fines.
The second-highest penalty was imposed on the health insurance company Premera Blue Cross in 2020. The company was fined for neglecting several HIPAA requirements and causing a data incident in which hackers obtained the protected health information of 10,466,692 individuals. The company then agreed to pay a financial penalty of $6,850,000 to resolve the case and adopted a corrective action plan to address all areas of non-compliance.
Besides that, Premera Blue Cross settled a multi-state action for $10 million and a class action lawsuit filed on behalf of victims for $74 million.
Health, genetic and biometric data are also considered special categories of data under the General Data Protection Regulation (GDPR). That’s why healthcare companies are expected to follow stricter guidelines when collecting, processing, and storing health information – otherwise, fines can be pretty steep as well.
On 23 February 2021, the health data of nearly 500,000 people was released on the internet following a massive data breach at the company DEDALUS BIOLOGIE. The exposed data included names, Social Security numbers, the name of the patient’s primary doctor, examination dates, as well as confidential health information related to HIV, cancers, genetic diseases, pregnancies, and drug therapy. The company was then fined 1.5 million euros by the French data protection authority (CNIL) for violating the requirements of GDPR articles 28, 29, and 32 and causing the breach. However, the investigation is still ongoing, so the final amount the company will have to pay for the violations could be much higher.
It is also becoming more common for people to file lawsuits after a breach of their data. For example, the law firm Baker Hostetler analyzed more than 1,200 data security incidents from 2021 that the firm helped clients manage and found that 23% of those incidents involved healthcare breaches.
That means that in the case of a serious data breach, healthcare facilities may find themselves facing not only data privacy law enforcement but also private lawsuits from individuals affected by the incident. Companies could then end up having to pay lawsuit settlements and compensation, and also reimburse the breach victims’ out-of-pocket costs connected to the incident – which will significantly increase the cost of the breach.
While enhancing the data security at the health center facility will likely take some time and effort, it will help you in the long run as it will make it easier for you to avoid data incidents or compliance violations. This way, you can both assure your patients and business partners that their data is safe with you, as well as prevent very expensive financial repercussions from healthcare data breaches.
Where should you start, though?
Here are some things you can do to tighten up your health systems:
- Run a security risk assessment
Both GDPR and HIPAA require healthcare providers to run an annual security risk assessment to identify potential security vulnerabilities and data threats in their networks. While those usually take some time, they are incredibly important for healthcare companies, as they show where patients’ data might be compromised and how you should address the vulnerabilities.
In this way, you’ll be able to fix any vulnerabilities or issues in your network that could lead to breach or loss incidents in the future, saving you time (and money).
- Educate your staff on best cybersecurity practices
Without cybersecurity training, your employees might not be aware of your company’s security policies or cyber risks, leading them to take risky actions – such as sending a patient’s file through social media messenger. And yet nearly a third of healthcare employees (32%) said they had never received cybersecurity training from their workplace! Lack of awareness of the breach consequences might also cause the employees to skip security procedures just to get a task done faster. This can quickly lead to healthcare data breaches though – in fact, human error accounted for 33% of healthcare breaches in 2020 alone.
To lower the number of incidents, make sure your employees know how they should work with sensitive data and what the consequences of neglecting the procedures are. Handing them an incident response plan with guidelines on how to respond when they notice a healthcare data breach would also be very helpful when it comes to preventing and dealing with data threats.
- Limit access to health records
With hundreds of people and devices within a healthcare organization, it’s vital that you keep a close eye on who can open, edit and share patients’ health records to prevent data theft. The access permissions for the most sensitive healthcare files should be set up so that only healthcare specialists who need the specific medical records can access and edit them.
The fewer people that have access to the health records, the less likely it is that the data might be compromised – or leaked outside.
- Limit the use of personal devices
Healthcare professionals may find it convenient to use their personal devices for work, but these devices are usually not as secure as those they have at the clinic or hospital. If you want to allow employees to bring and use their own devices for work, having clear policies that outline how employees can access your network and applications from personal devices and how they should handle incidents is essential. It is also a good idea to keep a close eye on what devices are added to your network and to restrict or block access to sensitive files for those you don’t recognize.
- Keep a data audit log
Keeping data logs is an essential part of HIPAA compliance, as through those, you can quickly detect any policy violations and respond to those straight away. In addition, when an incident occurs, an audit trail will also help forensic specialists pinpoint the place where the incident started, determine the cause and suggest the best way to prevent similar issues from happening.
Manually tracking and saving the audit log would be time-consuming and complicated though. Fortunately, here you can rely on applications such as Safetica that will create and update the audit logs for you. Then, when you are dealing with a data incident, you will only have to check the data logs to know where and how it started – rather than having to search the entire network.
- Restrict what actions can be taken when working with sensitive data
In addition to monitoring which employees have access to sensitive files, it is recommended to restrict what can be done with those files to prevent unauthorized disclosures. For example, limiting or blocking web uploads, screenshots, copying to external drives, adding the files as mail attachments, or printing of sensitive files can go a long way in lowering the risk of incidents. Monitoring and securing endpoints will also greatly reduce the chances of data thieves stealing confidential data, as they will have far fewer options to copy or share the data without getting caught.
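The two practices above (keeping an audit trail of who touched which record, and restricting the channels through which records may leave) only pay off if someone actually reviews the log. The script below is an added illustration, not Safetica code and not a HIPAA-mandated format: it reads constructed record-access events and flags three things a reviewer would want surfaced, a role that should not open records at all, a copy to a blocked channel (USB, web upload, mail, print), and one user opening an unusually large number of distinct records in a short window. The log layout, role list and thresholds are all assumptions.

```python
"""Review constructed ePHI access events for policy violations (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log; the field layout (timestamp user role action record destination)
# is hypothetical and not any product's real format.
SAMPLE_LOG = """\
2024-03-04T09:01:10 dr.lee clinician view PAT-1001 ehr
2024-03-04T09:02:45 dr.lee clinician edit PAT-1001 ehr
2024-03-04T09:05:00 j.smith billing view PAT-1001 ehr
2024-03-04T09:06:30 j.smith billing copy PAT-1001 usb:E:
2024-03-04T09:07:02 t.nguyen reception view PAT-1002 ehr
2024-03-04T09:10:00 m.ortiz nurse export PAT-1003 web:upload
2024-03-04T09:10:05 m.ortiz nurse view PAT-1004 ehr
2024-03-04T09:10:09 m.ortiz nurse view PAT-1005 ehr
2024-03-04T09:10:12 m.ortiz nurse view PAT-1006 ehr
"""

# Assumed policy: roles allowed to open records, destinations that are blocked for
# sensitive files, and what counts as bulk access (distinct records per user per window).
ALLOWED_ROLES = {"clinician", "nurse", "billing"}
BLOCKED_DEST_PREFIXES = ("usb:", "web:", "mail:", "print:")
BULK_THRESHOLD = 3
BULK_WINDOW_SECONDS = 60


def parse_line(line):
    ts, user, role, action, record, dest = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "record": record, "dest": dest}


def review_log(text):
    """Return a list of (finding_kind, user, detail) tuples for the given log text."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    findings, per_user = [], defaultdict(list)
    for e in events:
        if e["role"] not in ALLOWED_ROLES:          # least-privilege check
            findings.append(("unauthorized_role", e["user"], e["record"]))
        if e["dest"].startswith(BLOCKED_DEST_PREFIXES):  # restricted channel
            findings.append(("blocked_channel", e["user"], e["dest"]))
        per_user[e["user"]].append(e)
    for user, evs in per_user.items():              # sliding window per user
        evs.sort(key=lambda x: x["ts"])
        for i, start in enumerate(evs):
            window = [x for x in evs[i:]
                      if (x["ts"] - start["ts"]).total_seconds() <= BULK_WINDOW_SECONDS]
            distinct = {x["record"] for x in window}
            if len(distinct) > BULK_THRESHOLD:
                findings.append(("bulk_access", user, len(distinct)))
                break
    return findings
```

Run `review_log(SAMPLE_LOG)` to see the four findings the sample produces; in practice the same checks would run against the log your DLP or EHR system already writes.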
- Encrypt data
Encryption is one of the most effective methods of protecting sensitive information. Even if someone unauthorized gains access to sensitive files such as patients' medical records, the information inside the files would be unreadable to them and so they won’t be able to use the files in any way. For additional security, you can also add more encryption layers so that more than one encryption key is required to enter a system or combine the encryption with multi-factor authentication.
- Destroy sensitive information properly
HIPAA also has stringent regulations regarding how you should destroy files and devices with patients’ data or other sensitive information to make sure no unauthorized person can use it. Failing to properly destroy the data you no longer need can cause the data to be exposed, and then you might be fined for non-compliance.
In fact, some of the largest fines for HIPAA violations have been for failing to comply with the medical records destruction rules. For example, New England Dermatology and Laser Center had to pay $300,640 to settle an investigation into the improper destruction of medical records.
It is recommended to hire HIPAA-compliant data destruction services for disposing of sensitive data and the devices it was stored on, to ensure that they are destroyed properly and that the information can’t be recovered.
- Backup data regularly and store it in a secure location
Whether your healthcare system crashes or an employee accidentally overwrites patient records, losing access to sensitive data can force you to spend more time restoring the files rather than taking care of your patients. Additionally, if you have to reschedule patients’ appointments or procedures because of a data incident, you risk losing their trust that their data is safe with you.
That’s why HIPAA’s final rule requires that electronic protected health information (ePHI) be backed up regularly and stored securely offsite. Ideally, you should have three backups of the data stored in different locations, as that way, you significantly reduce the chances of losing all of your data.
It’s also recommended that the backups be done daily or at least once weekly. If you don’t have time to do it yourself though, it will be a good idea to schedule automatic backups at set intervals – for example, every day at midnight. Additionally, you should make sure that only people who will need the copies for their work have access to the copies – and also that all copies are encrypted.
How can Safetica help you protect the data?
Meeting compliance and data security requirements while also giving patients the best care possible is definitely not an easy task – especially if most of the tasks related to securing the data are done manually. Safetica can take over the data security and compliance tasks to give your healthcare professionals more time to take care of your patients.
After you set your own data privacy policies and requirements inside the platform, Safetica will monitor your entire healthcare data within and (most importantly these days) outside of the work environment, 24/7.
What else can Safetica do for you:
- Automatically discover, classify and secure sensitive files.
- Analyze your environment to find out places where there’s a risk of data breach or non-compliance.
- Ensure that all employees are following internal security policies and are meeting HIPAA/GDPR compliance requirements.
- Respond to any suspicious activity in the manner you specified earlier (for example, it can show a warning to an employee when they are working with sensitive data).
- Monitor all external or remote devices for potential data incidents or breaches and report all new devices added to the network.
- Automatically create data activity logs for audits.
You can learn more about how Safetica can protect the data in your healthcare facility by reading our dedicated whitepaper.
Hospitals, clinics, and healthcare providers are responsible for safeguarding patient data and critical healthcare information, as the consequences of those falling into the wrong hands can be disastrous. The average cost of a data breach is also growing – so that makes preventing various types of breaches and incidents more critical than ever.
By educating hospital staff members and healthcare personnel, restricting access to patient data, and encrypting the data, though, the number of incidents and the damage they can cause can be visibly reduced.
Safetica can also make keeping patient data secure easier by monitoring healthcare data and protecting it from threats. Once you combine best security practices with Safetica, you can rest assured that every piece of data within your organization’s system is safe and secure.