Data Security in Healthcare


15/09/2017 Data security

Although the healthcare industry provides one of the most critical services to humankind - keeping us alive and well - we are still not providing optimal cybersecurity safeguards for our data and assets. Even though there is a specific standard in place, called The Health Insurance Portability and Accountability Act (HIPAA), to help ensure that our healthcare institutions are compliant when it comes to protecting personal health information (PHI), the bad guys are still at an advantage. Remember, PHI is much more valuable than financial or credit card data, because it is not something you can simply cancel and renew; it sticks around forever. So, how can we leverage HIPAA guidelines and modern cybersecurity technology to keep this sensitive data safe?

Understand your data, and associated access controls

Generally speaking, cybersecurity should function as a wrapper for business processes. The healthcare industry is no exception. If you are not putting any effort into classifying your data, assets, and any third-party providers, it will be much harder to protect your data - and to comply with HIPAA guidelines. You need to understand how you store your electronic PHI, who does - and who should - have access to that data, and which security controls you have in place to protect PHI. Once you have this information, you may need to design new controls that help protect your valuable assets and data. In order to appropriately protect your PHI and other healthcare data, you must understand how your organization uses that data. Which processes utilize your data? Which users should have access to the data? Where does your data flow - externally or in-house? When it comes to HIPAA compliance, remember: “Rights and/or privileges should be granted to authorized users based on a set of access rules that the covered entity is required to implement…” (HIPAA STANDARD § 164.312(a)(1))
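The following is an added example, not code from the original article, of what "a set of access rules" can look like in practice: a role-based, minimum-necessary read check over an electronic PHI record, where a user only receives the fields their role permits and only for patients they are assigned to, and every decision (granted or denied) is written to an audit trail. The roles, field names, users and patient records are constructed for the example.

```python
"""Role-based, minimum-necessary access to electronic PHI with an audit trail.
Added example; roles, fields, users and records below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Access rules: which PHI fields each role may read (constructed example roles).
ACCESS_RULES = {
    "physician": {"name", "dob", "diagnosis", "medications", "lab_results"},
    "nurse": {"name", "dob", "medications", "allergies"},
    "billing": {"name", "dob", "insurance_id"},
}

# Constructed patient records; values are placeholders, not real data.
PATIENTS = {
    "P-1001": {"name": "Example Patient", "dob": "1970-01-01", "diagnosis": "<dx>",
               "medications": "<meds>", "allergies": "<allergies>", "insurance_id": "<ins>",
               "lab_results": "<labs>"},
}


@dataclass
class User:
    user_id: str
    role: str
    # Active treatment/billing relationship: patients this user may work on.
    assigned_patients: set = field(default_factory=set)


@dataclass
class AuditEvent:
    ts: str
    user_id: str
    patient_id: str
    requested: tuple
    granted: tuple
    denied: tuple


# In a real deployment this would be an append-only store; a list suffices here.
AUDIT_LOG: list = []


def read_record(user: User, patient_id: str, fields: set) -> dict:
    """Return only the requested fields the user's role and assignment allow.

    Every request is audited, including fully denied ones, so that reviewers
    can later answer "who tried to read what" (the HIPAA audit-control idea).
    """
    allowed_for_role = ACCESS_RULES.get(user.role, set())
    record = PATIENTS.get(patient_id, {})
    # Minimum necessary: the role must permit the field AND the user must have
    # an active relationship with the patient. Unknown roles/patients get nothing.
    if patient_id in user.assigned_patients and record:
        granted = fields & allowed_for_role & set(record)
    else:
        granted = set()
    denied = fields - granted
    AUDIT_LOG.append(AuditEvent(
        ts=datetime.now(timezone.utc).isoformat(),
        user_id=user.user_id,
        patient_id=patient_id,
        requested=tuple(sorted(fields)),
        granted=tuple(sorted(granted)),
        denied=tuple(sorted(denied)),
    ))
    return {"data": {f: record[f] for f in sorted(granted)}, "denied": sorted(denied)}


if __name__ == "__main__":
    nurse = User("n01", "nurse", {"P-1001"})
    print(read_record(nurse, "P-1001", {"name", "diagnosis", "medications"}))
    print(read_record(nurse, "P-2002", {"name"}))  # not assigned: everything denied
    for ev in AUDIT_LOG:
        print(ev)
```

The check combines two rules rather than one: role permission answers "may this kind of user ever see this field", and the assignment set answers "does this user have a reason to see this patient right now". Logging the denied fields as well as the granted ones is what later lets an analyst spot a user repeatedly probing records outside their assignment.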

Implement the right tools

Once you understand how your healthcare business operates, and the part that data plays in its day-to-day operations, you can start implementing - or tuning, if they already exist - cybersecurity controls that provide optimal monitoring and protection capabilities. Healthcare data is some of the most valuable information available these days; luckily, it is also relatively easy to classify and to monitor for flow - if your infrastructure allows. Systems often get built up over time, which may lead to disparate systems or applications with data flowing in many directions. Leveraging a user and entity behavior analytics (UEBA) platform with machine learning can come in handy here, as you do not necessarily need to understand your network 100% (although you should, for your own sake): the tool will provide insights based on statistical and probabilistic models. If you understand your business and know where your PHI and other important healthcare data resides, you will be able to analyze quickly whether an alert is a true or a false positive. These types of technology can enhance the response effort and greatly reduce the time to contain. Let’s not forget the forensic capabilities provided by a UEBA platform with machine learning.
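To make the "statistical model" idea concrete, here is an added example (not code from the original article or from any UEBA vendor) of the simplest form of user behaviour baselining: parse constructed PHI-access audit lines, learn how many distinct patient records each user normally reads per day, and flag a day whose count sits far above that user's own baseline. The log format, users and counts are all constructed for this illustration; the threshold and the noise floor are assumptions explained in the comments.

```python
"""Per-user baseline anomaly detection over PHI record-access audit lines.
Added example with a constructed log format; not a real UEBA product."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed line format: "<ISO timestamp> user=<id> action=read patient=<id>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=read patient=(?P<patient>\S+)$")


def make_sample_log() -> list:
    """Constructed audit lines: five normal days for two users, then a sixth day
    where n01 pulls 40 distinct records at 02:00 while b02 behaves as usual."""
    lines = []
    baseline = {"n01": [6, 7, 5, 6, 7], "b02": [3, 3, 4, 3, 3]}
    for user, per_day in baseline.items():
        for day, n in enumerate(per_day, start=1):
            for i in range(n):
                lines.append(f"2017-09-0{day}T09:{i:02d}:00Z user={user} action=read patient=P-{1000 + i}")
    for i in range(40):
        lines.append(f"2017-09-06T02:{i:02d}:00Z user=n01 action=read patient=P-{2000 + i}")
    for i in range(3):
        lines.append(f"2017-09-06T09:{i:02d}:00Z user=b02 action=read patient=P-{1000 + i}")
    return lines


def parse(lines) -> list:
    """Return (day, user, patient) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((m["ts"][:10], m["user"], m["patient"]))
    return events


def distinct_patients_per_day(events) -> dict:
    """user -> day -> number of distinct patient records read that day."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, user, patient in events:
        seen[user][day].add(patient)
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}


def score_day(events, day: str, z_threshold: float = 3.0, noise_floor: float = 1.0) -> dict:
    """Score each user's record count on `day` against their own other days.

    z = (count - baseline_mean) / max(baseline_stdev, noise_floor).
    The noise floor (assumed: one record) stops a very regular user from
    alerting on a one- or two-record change, which is a common false positive.
    Users with fewer than two baseline days are reported but never flagged.
    """
    counts = distinct_patients_per_day(events)
    results = {}
    for user, per_day in counts.items():
        today = per_day.get(day, 0)
        history = [n for d, n in per_day.items() if d != day]
        if len(history) < 2:
            results[user] = {"count": today, "baseline_mean": None, "z": None, "flagged": False}
            continue
        mu = mean(history)
        sd = max(pstdev(history), noise_floor)
        z = (today - mu) / sd
        results[user] = {"count": today, "baseline_mean": mu, "z": z, "flagged": z >= z_threshold}
    return results


if __name__ == "__main__":
    for user, r in score_day(parse(make_sample_log()), "2017-09-06").items():
        print(user, r)
```

A real platform adds many more features (time of day, department, record sensitivity, peer-group comparison) and learns thresholds rather than fixing them, but the shape is the same: a per-entity baseline, a distance measure, and a cut-off. This is also why the paragraph above stresses knowing your data: the analyst who receives the n01 alert still has to decide whether a nurse reading 40 records at 02:00 is a night-shift triage surge or something to contain.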

Develop an incident response capability

Creating a team whose main task is to respond to data breaches and other cybersecurity incidents is a must for healthcare organizations. With HIPAA guidelines stating that breaches must be reported within 60 days if they affect more than 500 users, or within 60 days of the end of the calendar year if the user count is less than 500, having a strategy in place to detect and report on breaches is paramount. This team should understand how HIPAA works, how your organization works, how your data flows, and how relationships with third-party suppliers are managed. These team members will have their own day-to-day tasks, but in the event of a breach or other security incident, they will need to act fast to confirm, contain, and remediate it. Remember, a persistent attacker has a high likelihood of infiltrating a network; the main goal is to contain them so that there is as little collateral damage as possible, and so that your data remains safe from exfiltration.

In summation, three major steps must be taken if we are to ensure that our healthcare data will be protected - or if we want to avoid fines associated with HIPAA violations.

  • Starting with an understanding of our business: which data is most important, who accesses it, and where it goes on a day-to-day basis, we can better enforce policies around that data.
  • Implementing the right tools helps us ensure that we are enforcing the correct policies and provides the capability to accurately identify cyber attacks on our healthcare systems and data.
  • Creating a dedicated cyber response team helps us identify and contain network breaches quicker, and greatly reduces the chances of our data being exfiltrated.

We know that healthcare is not the easiest field for cybersecurity - after all, most of its funding is used for healthcare itself, and rightly so. However, by following the three steps above, you can greatly enhance your organisation’s cybersecurity posture, and let healthcare professionals do what they do best: save lives.
