When data theft gets personal: Protect patients from an embarrassing breach

It doesn’t take any stretch of the imagination to see how the public exposure of personal medical records could cause embarrassment to their owner
By Chris Bowen
10:09 AM

When big crimes make the headlines, copycats tend to follow suit. And while speculation that the Ashley Madison hack could have been an inside job is still just that – speculation – the event should raise two immediate questions for organizations everywhere. Do they house sensitive and potentially embarrassing data? If so, is it adequately protected from both internal and external threats?

For many organizations in the healthcare industry, the answers are likely "yes" and "no," in that order. It doesn't take any stretch of the imagination to see how the public exposure of personal medical records could cause embarrassment to their owner, especially if the owner is a high-profile figure. That's a big reason why blackmail is seen as a motivation for nation states' theft of government personnel records. At a more micro level, medical records can also be a weapon wielded by divorcing spouses against each other, and in fact they have been.

So how can healthcare organizations keep this data from being breached, especially given the sheer number of clinicians and healthcare administrative staff who have access to it?

All access controlled
While collaborative care is necessary and beneficial, providers must be sure to assign rules-based access to medical records, granting the minimum necessary for each person's responsibility, job function or other defined rule, and then actively monitor who is reviewing this data and when. Access restrictions and monitoring can and should be applied at the application level, of course. But there are also a number of database activity monitoring solutions that keep a record of all database log-ins and activities and send alerts on unauthorized entry or anomalous activity. Because these programs are installed outside the database server itself, the database administrator cannot circumvent them.
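As an added illustration (not code from the article or from any product it mentions), the following Python routine applies the two checks this section describes to a few constructed access-log records: a minimum-necessary rule (the user must be on the patient's care team) and an anomaly rule (too many distinct patient records viewed within a short window). The CARE_TEAM mapping, SAMPLE_LOG records and the thresholds are assumptions for the example.

```python
"""Constructed example: minimum-necessary and anomaly checks over access records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical care-team assignments: patient id -> users who need access.
# In a real deployment this would come from the EHR or scheduling system.
CARE_TEAM = {
    "P100": {"dr_lee", "rn_ortiz"},
    "P200": {"dr_lee"},
    "P300": {"rn_ortiz"},
}

# Constructed sample records in the form "timestamp user patient action".
SAMPLE_LOG = """\
2015-08-20T09:00:00 dr_lee P100 VIEW
2015-08-20T09:05:00 rn_ortiz P100 VIEW
2015-08-20T09:10:00 rn_ortiz P200 VIEW
2015-08-20T10:00:00 dba_admin P100 VIEW
2015-08-20T10:00:10 dba_admin P200 VIEW
2015-08-20T10:00:20 dba_admin P300 VIEW
2015-08-20T10:00:30 dba_admin P400 VIEW
"""


def parse(line):
    """Split one record into (timestamp, user, patient, action)."""
    ts, user, patient, action = line.split()
    return datetime.fromisoformat(ts), user, patient, action


def audit(log_text, window=timedelta(minutes=5), max_distinct=3):
    """Return a list of (timestamp, user, patient, reason) alerts."""
    alerts = []
    recent = defaultdict(list)  # user -> [(timestamp, patient)] inside the window
    for line in log_text.splitlines():
        ts, user, patient, action = parse(line)
        # Rule 1: minimum necessary. A user not on the patient's care team
        # (or a patient with no assigned team) is an unauthorized entry.
        if user not in CARE_TEAM.get(patient, set()):
            alerts.append((ts, user, patient, "NOT_ON_CARE_TEAM"))
        # Rule 2: anomalous activity. Drop records older than the window,
        # then flag a user touching more than max_distinct patients in it.
        recent[user] = [(t, p) for t, p in recent[user] if ts - t <= window]
        recent[user].append((ts, patient))
        if len({p for _, p in recent[user]}) > max_distinct:
            alerts.append((ts, user, patient, "ANOMALOUS_VOLUME"))
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(*alert)
```

Run as written, the record for rn_ortiz viewing P200 and every dba_admin record trip the care-team rule, and the fourth dba_admin record within the window also trips the volume rule.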

HIPAA security and privacy safeguards
The HIPAA Security Rule explicitly includes provisions to safeguard patients from inside data breaches. Most notable in this area is the mandate that passwords, PINs, automatic log-off and other measures be put in place to restrict access to patient records to designated personnel only. Log-in monitoring, logging of record views, and password management are additional and related requirements. Regular risk assessment is another, and it should include testing of both internal and external vulnerabilities.

As you can see, the HIPAA Security Rule emphasizes a security approach with multiple layers. But the goal should really be to exceed HIPAA requirements. A defense-in-depth strategy should be deployed at every one of the following layers: securing the physical environment (the building and the room where data is housed); applying security measures at the network, application, server, data and device layers; and securing the user layer, which in many cases requires behavioral changes as well as technology enhancements. Finally, a well-planned backup and disaster recovery strategy must be in place, because theft of a dataset can be just as disastrous to your patients as a server being destroyed in a natural disaster.

Realistically, accomplishing all this is hard for internal healthcare IT departments that have a thousand other things to worry about…like healthcare.

Turning to a trusted outsider to prevent an inside breach
As the frequent news headlines of healthcare data breaches attest, many providers struggle to keep up with protecting against even fairly unsophisticated attacks. An increasing number are instead turning to vendors that offer a range of managed security services on a "pay-as-you-go" model, much like a monthly utility. These services can include all of the "defense-in-depth" layers above, as well as full hosting of data onsite as an extra measure of protection (and instant scalability for today's large volumes of healthcare data).

Importantly, an advanced managed security vendor, a partner if you will, can also perform a thorough assessment of external and internal risks. If this partner focuses exclusively on the healthcare industry, the assessment can be paired with a HIPAA risk remediation plan. That's a particularly valuable offering at a time when federal health officials are stepping up HIPAA security and privacy audits. Calling in a trusted managed security expert can help ensure that organizations pass those audits and keep patients' personal health data out of the public eye.