A joint IBM/Ponemon Institute research study found that data breaches cost US healthcare organizations an average of $7.13 million per incident. This is 60% more than the average for other industries, and it amounts to $429 per record. By comparison, the second most expensive industry, finance, is at about $210 per record. The additional healthcare costs come mainly from incident response and containment and from regulatory expenses such as patient notification.
The study found that when focused on developing sound and efficient incident detection, response, and containment processes, healthcare organizations recently reduced their average per-incident costs by more than a million dollars.
Common Threats and Existing Countermeasures
According to a 2018 Verizon report, misuse and malware were top healthcare breach causes. Misuse involves using physical or logical access in an inappropriate manner (both unintended and malicious). Examples would include accessing patient information for personal knowledge or providing protected health information (PHI) to a third party for identity theft purposes. The latter cause, malware, would include the installation of ransomware or installing a backdoor using infected files downloaded via email.
Organizations seeking to prevent these common breaches may use tools that allow risk management personnel to monitor which records individuals access and alert personnel when inappropriate use is detected. While effective, these tools are retrospective (i.e., the improper access has already happened). Many false-positive triggers can also occur because they rely on uniformly applied rules.
Stringent content filtering and aggressive endpoint protection mitigate breaches from malware attacks. However, even the most effective endpoint protection and filtering are far from foolproof. New threats are often developed to bypass existing protection mechanisms, and employees frequently create additional risk by working around stringent content filtering. While the risk of data loss is not entirely containable, hospitals can implement some core strategies to limit the likelihood of an incident.
Annual security risk assessments (SRAs) are a must and should be more frequent if making significant system or architectural changes. These risk assessments must be thorough and result in remediation plans to ensure that funds and resources are available to address risk findings. Frequent network penetration tests should accompany the SRAs. Staff should also undergo annual security awareness training, at a minimum. Ideally, however, hospitals should provide ongoing awareness training via department meetings or regular employee reminders.
SRAs and education should be considered essential efforts. As remote work environments and mobile health technology are becoming more prevalent, hospitals have focused on access controls, device monitoring, and Bring Your Own Device (BYOD) policies to reduce risk further.
Controlling access to PHI and determining how permissions are granted and revoked are necessary steps in data loss prevention. Hospitals should have predictable policies blocking unnecessary access to PHI without hampering the staff’s ability to provide high-quality patient care.
Security personnel should ask the following questions, and if the answers are either unknown or unsatisfactory, examine existing access control policies and make improvements.
- Who can access PHI?
- Is this level of access necessary?
- Can access be reduced without hampering the ability to perform essential job functions?
- Is access granted based on role, or is there another access control methodology?
- Are access control procedures integrated with human resources so that an individual’s access immediately changes with their employment status?
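The access control questions above can be turned into an enforceable policy and a retrospective audit. The following is an added example, not code from the original article or from any vendor it mentions: a role-based PHI access check that consults a (constructed) HR status feed so separated staff lose access immediately, adds a care-relationship condition for clinical roles to cut down on the uniform-rule false positives described earlier, and replays constructed access-log entries through the same policy. All user names, roles, patient IDs and log entries are constructed for illustration.

```python
"""Added example: role-based PHI access check with HR integration
and a retrospective audit of access-log entries. All data is constructed."""
from dataclasses import dataclass

# Constructed HR feed: employment status drives access with no extra step.
HR_STATUS = {"nurse01": "active", "biller02": "active", "clerk03": "terminated"}

# Constructed role assignments and the PHI fields each role may read.
USER_ROLES = {"nurse01": "nurse", "biller02": "billing", "clerk03": "nurse"}
ROLE_PERMISSIONS = {
    "nurse": {"vitals", "medications", "allergies"},
    "billing": {"insurance", "charges"},
}
CLINICAL_ROLES = {"nurse"}

# Constructed care assignments: clinical users read only their own patients.
ASSIGNMENTS = {"nurse01": {"P1001", "P1003"}}


def can_access(user: str, patient: str, field: str) -> bool:
    """Allow only active users whose role covers the field and, for clinical
    roles, who have a documented care relationship with the patient."""
    if HR_STATUS.get(user) != "active":
        return False
    role = USER_ROLES.get(user)
    if field not in ROLE_PERMISSIONS.get(role, set()):
        return False
    if role in CLINICAL_ROLES and patient not in ASSIGNMENTS.get(user, set()):
        return False
    return True


@dataclass(frozen=True)
class AccessEvent:
    user: str
    patient: str
    field: str


def audit(events):
    """Retrospective check: return the events the policy would not allow.
    Like the monitoring tools described above, this runs after the fact."""
    return [e for e in events if not can_access(e.user, e.patient, e.field)]


# Constructed sample access log.
SAMPLE_LOG = [
    AccessEvent("nurse01", "P1001", "vitals"),       # assigned patient, allowed
    AccessEvent("nurse01", "P9999", "vitals"),       # no care relationship
    AccessEvent("biller02", "P1001", "medications"), # billing role reading meds
    AccessEvent("clerk03", "P2002", "allergies"),    # terminated employee
]
```

Running `audit(SAMPLE_LOG)` flags the last three events; the care-relationship check is what lets a nurse's legitimate reads pass while still catching browsing of unrelated charts.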
Effective organizations have developed strategies to limit individuals’ risk of serving as agents (willingly or otherwise) for data loss.
Determining the devices used to access PHI will help hospital security personnel develop adequate protection and mitigation strategies.
Any device monitoring strategy should include data loss prevention tools and endpoint security. Data loss prevention systems focus on the flow of an organization’s sensitive data and on sound data classification policies. While a full discovery process (e.g., an examination of all network files) is an option, it can be time-consuming and costly, which often makes it a non-starter for large healthcare organizations. However, classifying data and examining its metadata is more feasible and can be done continuously to control possible data loss events.
Endpoint security is also necessary for hospitals. All workstations should utilize organization-sponsored endpoint monitoring tools to limit malicious software installations and prevent propagation throughout the organization.
If possible, hospitals should restrict non-corporate devices (e.g., staff’s home computers) from connecting remotely without installing security software. Hospitals effectively controlling for data loss risk understand where staff can access their systems and have implemented safeguards to prevent data loss.
Increasingly, hospitals are allowing employees to use their personal devices to conduct business. BYOD programs are convenient for employees, result in cost savings for employers, and enhance smartphones’ benefits in healthcare. However, there is enhanced risk, as corporate data, including PHI, may be intermingled with the employee’s personal information. Hospitals must proceed cautiously and continue to implement sound BYOD policies that balance convenience with security.
Modern Solutions for Increasing Healthcare Information Security
Confidential information has never been more accessible. Hospitals must remain vigilant when it comes to health data privacy. Healthcare organizations should use available access control, data loss prevention, and endpoint security systems to enhance protection. Using a Virtual Mobility Solution (VMS) bolsters data privacy and convenience, allowing an organization to go fully remote.
A virtual mobility solution like Hypori® provides multi-level, HIPAA-compliant security, enabling easy BYOD implementation, and seamless enterprise integration. Medical staff can access organizational data from remote devices while maintaining healthcare information security.
As the healthcare industry continues down the remote path, apps for healthcare professionals and other mobile technologies can streamline efficiency and improve care quality. Hypori is a scalable solution, allowing hospitals to adapt to changing technologies and tools without modifying systems already in place.
Learn more about how Hypori can improve healthcare information security and limit data loss risk.