Data breaches are among the biggest challenges facing today’s health care industry. In the past two years in Ontario alone, according to the Office of the Information and Privacy Commissioner of Ontario, high-profile breaches have impacted the personal information of more than 100,000 people.
The health care industry is an appealing target for criminals for two reasons. First, health care organizations collect a massive amount of personal data from patients, and it is data of the most lucrative sort to thieves: credit card numbers, for example, but also insurance account details, social insurance numbers, birthdates and addresses, as well as clinical data such as diagnoses and prescriptions.
In addition, it’s a numbers game for hackers. To achieve maximum efficiency within the health care organization, patient data is typically stored all together in one place such as a billing system or medical chart file. This simplicity makes a thief’s job very easy indeed.
Privacy Commissioners are encouraging provinces to be more aggressive when it comes to protecting information. However, health care organizations face many challenges when it comes to securing their IT environments.
For starters, health care professionals are not IT professionals and few entered their profession with a dream of becoming an adept data manager. Developing an internal culture of data protection is an ongoing challenge. Health care teams are also struggling with issues of reduced funding to support operations over and above the primary responsibility of patient care.
As more mobile devices such as laptops, smartphones, tablets and USB drives enter the health care environment, new layers of complexity are introduced.
Employees may unwittingly put patient data at risk as they create faster ways of working within their pressured environment. Passwords jotted onto sticky notes, data transferred to USB sticks for offsite use, malware introduced into the system through malicious links travelling via email — all of these scenarios make it increasingly difficult for health care IT managers to protect data and, ultimately, the privacy of patients and employees.
Thieves target health care organizations as they would any other: criminals employ social engineering and phishing attacks which in turn help deploy malware that can search for the data. But the biggest recent data losses appear to have been accidental – laptops lost or stolen and data leaked out via email. While security incidents may not be entirely preventable, protecting data from misuse is possible with basic data loss prevention tools, such as encryption.
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private sector organizations collect, use and disclose personal information. It also requires that all personal health information is protected against theft, loss and unauthorized use and disclosure.
Many Canadian health care facilities are still working to achieve PIPEDA compliance. Organizations undertaking security changes may wish to consider the following:
There are four primary security methods that organizations can implement to proactively protect against a data breach. Each of these methods provides protection against different types of threats and together form a holistic security approach.
1. Implement an identity and access management strategy
An identity and access management strategy helps an organization manage who can access which types of data, and from where; this is key to better protection. Authentication solutions enable organizations to establish controls over access to sensitive networks, applications and data. They can also verify the identity of the intended user at the front end, during login.
2. Implement endpoint encryption
Implementing an endpoint encryption solution protects data if a device is lost or stolen, since the data remains unreadable without the decryption keys. Encryption can be applied to data at rest (on a storage device) and data in motion (as it is being transmitted across a network).
3. Consider data loss prevention (DLP) in health care environments
DLP solutions help prevent data from being accidentally or intentionally sent or leaked to recipients who are not entitled to view it. DLP solutions can also help users and IT professionals discover, monitor, protect and manage information wherever it is stored and accessed.
4. Deploy anti-virus and anti-malware solutions
Anti-virus and anti-malware solutions deliver proactive protection and reduce the risk of online threats by blocking them before they infect a system. As part of an overall IT risk management process, these solutions also raise the level of protection for an organization's data.
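To make the DLP method (item 3) concrete, here is a small added example, not code from the original article or from any vendor product, of the kind of outbound-content check a DLP rule performs: it scans message text for nine-digit numbers formatted like Canadian social insurance numbers, keeps only those that pass the Luhn checksum that real SINs carry (which filters out look-alike digit strings such as extension or reference numbers), and returns masked findings plus a redacted copy of the message. The sample email bodies are constructed for this example; the SIN shown is the well-known 046 454 286 sample value, not a real person's number.

```python
import re
from dataclasses import dataclass
from typing import List

# Candidate SIN: three groups of three digits, optionally separated by a space or hyphen.
SIN_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum, as used by Canadian SINs and payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str      # classification of the match, e.g. "SIN"
    masked: str    # safe-to-log form; never log the full value
    start: int
    end: int


def find_sins(text: str) -> List[Finding]:
    """Return Luhn-valid SIN-shaped numbers found in text, masked for logging."""
    findings = []
    for m in SIN_RE.finditer(text):
        digits = "".join(m.groups())
        if luhn_valid(digits):
            findings.append(Finding("SIN", "***-***-" + digits[-3:], m.start(), m.end()))
    return findings


def redact(text: str) -> str:
    """Replace each finding with its masked form, working from the end so offsets stay valid."""
    for f in reversed(find_sins(text)):
        text = text[:f.start] + f.masked + text[f.end:]
    return text


def should_block(text: str) -> bool:
    """Policy decision a DLP gateway would make for an outbound message."""
    return bool(find_sins(text))


# Constructed sample messages: the first carries a Luhn-valid sample SIN,
# the second a nine-digit extension that fails the checksum and must not be flagged.
LEAK = "Hi, patient file attached. SIN 046-454-286, DOB 1975-03-02."
BENIGN = "Please call ext 123 456 789 to confirm the appointment."
```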
Health care organizations should consider adopting a comprehensive, information-centric security management approach that encompasses the above four security methods. By classifying data by sensitivity and implementing the appropriate security measures for each level, organizations can be better protected against the threats that come their way.
A security breach is expensive and irreversible, so a little preventative medicine can go a long way toward a healthy data security environment.