The cyber-threat landscape is rapidly evolving, and it is becoming increasingly difficult to comply with new regulations and protect against the loss of patient data. While the majority of news reports focus on malicious external threats and actors, 65 percent of incidents are the result of internal leaks. In addition, 73 percent of those are the result of inadvertent sharing of information.
Challenges in Healthcare Disrupt Data Protection and Security
There certainly are a number of factors in healthcare that make protecting information a complicated undertaking. These include:
1. Increasing Costs. The costs associated with healthcare—from technology disruption to delivery—are outracing other industrial segments, with healthcare garnering a growing proportion of the U.S. economy. By 2024, it is predicted that nearly $1 in every $5 spent in the U.S. will be on healthcare. The four-percent annual growth rate since 2008 will be replaced with an estimated 5.8 percent annual growth rate over the next decade, pushing healthcare spending as a share of GDP from 17.4 percent today to almost 20 percent in 2024. With all of this growth, healthcare providers are under mounting pressures to control costs—and this cascades across all operational areas, including data loss prevention.
2. Data Explosion. The volume of healthcare data being created today is almost incomprehensible. Today, 2.5 quintillion terabytes of data are created and stored daily. With a 40 percent annual growth rate, this number will hit 3.5 quintillion terabytes this year. Among other reasons, the proliferation of devices and growth in the Internet of Things (IoT) are contributing to the complexity of managing all the data—at rest and in motion. These devices are not simply those used to treat and monitor patients, but wearables that capture everyday activities such as heart rate, exercise, blood pressure, sleep quality, and much more.
3. Integration and Intertwining of Systems. Though much work remains to be done on integrating all of the different systems involved in healthcare, interoperability of electronic health record (EHR) systems increases the complexity of protecting the data exchanged between each of them. Add the cloud—public, private, and hybrid—and the need for communications with external systems, and data protection becomes exponentially more difficult.
4. Omnichannel Interactions. Caregivers are inundated with applications, emails, patients, and other tasks, and the emergence of omnichannel, including mobile, heightens the need for data security and protection. Considering there are 165,000 health-related apps today, ensuring data privacy and security becomes a vast undertaking.
2 Clearswift, All Rights Reserved
5. Patient Consumerization. Patients want to be empowered with self-service capabilities and have access to their health-related records. Their expectations are being set by the interactions patients have with non-healthcare providers. Activities range from scheduling appointments, to checking health status, to dietary and exercise planning and monitoring. The associated data demands require access to internal and external systems.
Regulations Drive Compliance Requirements
There are a number of different regulations that impact the privacy and security of healthcare data. These include Safe Harbor, the European Union Data Protection Directive 1998, Health Information Patient Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Electronic Communications Privacy Act, and the Health Information Technology for Economic and Clinical Health (HITECH) Act. The newest is the EU General Data Protection Regulation (GDPR), the successor to the EU Data Protection Directive, which becomes law next year.
Potential threats covered by these regulations include factors such as critical data leakage to the Internet, accidental disclosures, advanced threats, and social network risks like social engineering and active links.
Noncompliance is an issue organizations must take seriously. For example, in the case of HIPAA alone this year, federal regulators have issued 12 enforcement actions—and indications are enforcement will continue to ramp up, including the fines associated with each infraction. Additionally, the financial repercussions are much broader in scope, including separate class action lawsuits related to data breaches, as well as the requisite enhancements to data security infrastructure that follow breaches and enforcement actions. These can easily tally into the tens of millions of dollars.
4 Data Loss Prevention Recommendations
Healthcare organizations must carefully weigh their cybersecurity risks with their business requirements when evaluating solutions to protect data privacy and security and ensure regulatory compliance. The following are some recommendations they should heed:
1. Highest Level of Commonality. Many of the regulations overlap. The most effective data privacy and security solution should employ the highest level of commonality across them, which minimizes repeated tasks and inefficiencies. When it does not, the potential impact includes degraded performance of applications and systems. In the case of healthcare, this affects everything from normal administrative tasks to actual healthcare delivery.
2. Adaptive Security without Disruption. An optimized adaptive DLP strategy increases the protection of confidential data without delaying and disrupting critical healthcare services. New inspection and redaction technologies can intelligently enforce regulatory protection policies in real time. All of this is done uniquely based on the type of information and the contextual-sharing relationship. Additionally, automated sanitization can prevent the loss of hidden information and related metadata in health records. This leaves the authorized information to continue without costly false positives and operational- and efficiency-crippling quarantines.
3. “Boil-the-Ocean” Models. An effective data loss prevention (DLP) framework and solution does not require excessive periods of upfront analysis to provide visibility of probable data loss exceptions. Those DLP solutions that “boil the ocean” operate on a negative business proposition (viz., cost mitigation in the event of a data breach or loss) rather than as a positive business contribution. Here, progressive enforcement is key: new policies are run in monitoring mode alongside similar policies that already enforce controls on data movement.
4. Crisis Management. Healthcare organizations must plan for contingencies in the event of unforeseen data breaches or losses. Crisis prevention is a non-negotiable requirement. Healthcare providers must proactively remediate issues before they happen. This includes immediate visibility into a data breach or loss by department and individual, and a comprehensive understanding of governance at each endpoint and per user.
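To make recommendations 2 and 3 concrete, the following is an added example of a minimal adaptive DLP policy engine, written for this page and not Clearswift's product code. It inspects outbound messages for sensitive identifiers, redacts them only when the policy is in enforce mode and the recipient is outside an allowed sharing context, runs a new policy in monitoring mode alongside an enforcing one (progressive enforcement), and strips hidden document metadata before release. The identifier patterns, the message structure, the list of hidden metadata properties and the sample traffic are all constructed for illustration.

```python
"""Minimal adaptive DLP policy engine: inspection, context-aware redaction,
metadata sanitization and monitor-then-enforce policy rollout.

Added example, not Clearswift's product code. Patterns, message format and
sample traffic below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Detection patterns (constructed): a US SSN layout and a hypothetical MRN format.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{7}\b"),
}

# Document properties that commonly carry hidden information (constructed list).
HIDDEN_METADATA_KEYS = {"author", "last_modified_by", "comments", "tracked_changes"}


@dataclass
class Policy:
    name: str
    pattern: str                 # key into PATTERNS
    mode: str                    # "monitor" records hits only; "enforce" redacts
    allowed_domains: set = field(default_factory=set)  # contextual sharing exception


@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    metadata: dict = field(default_factory=dict)


def sanitize_metadata(metadata: dict) -> dict:
    """Drop hidden document properties; keep benign ones such as the title."""
    return {k: v for k, v in metadata.items() if k not in HIDDEN_METADATA_KEYS}


def evaluate(msg: Message, policies: list) -> dict:
    """Return the releasable body, sanitized metadata and an audit trail.

    Monitor-mode policies only record what they would have caught, so a new
    rule can be trialled on live traffic without quarantining anything;
    enforce-mode policies redact in place unless the recipient's domain is an
    allowed sharing context for that policy.
    """
    body = msg.body
    recipient_domain = msg.recipient.rsplit("@", 1)[-1].lower()
    events = []
    for pol in policies:
        regex = PATTERNS[pol.pattern]
        hits = regex.findall(body)
        if not hits:
            continue
        if recipient_domain in pol.allowed_domains:
            events.append({"policy": pol.name, "action": "allow", "hits": len(hits)})
        elif pol.mode == "enforce":
            body = regex.sub(f"[REDACTED {pol.pattern.upper()}]", body)
            events.append({"policy": pol.name, "action": "redact", "hits": len(hits)})
        else:
            events.append({"policy": pol.name, "action": "monitor", "hits": len(hits)})
    return {"body": body, "metadata": sanitize_metadata(msg.metadata), "events": events}


# Progressive enforcement: the SSN rule is live, the MRN rule is still a monitored pilot.
POLICIES = [
    Policy("ssn-external", "ssn", "enforce", allowed_domains={"hospital.example"}),
    Policy("mrn-pilot", "mrn", "monitor"),
]

# Constructed sample traffic: one external claim submission, one internal note.
SAMPLE_MESSAGES = [
    Message("nurse@hospital.example", "billing@insurer.example",
            "Patient SSN 123-45-6789, record MRN-0012345 attached.",
            {"title": "Claim", "author": "J. Doe", "tracked_changes": "draft edits"}),
    Message("nurse@hospital.example", "doctor@hospital.example",
            "Follow-up for 123-45-6789.", {"title": "Note"}),
]


def run_sample() -> list:
    """Evaluate every sample message against the policy set."""
    return [evaluate(m, POLICIES) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for result in run_sample():
        print(result["body"], result["metadata"], result["events"])
```

The audit trail is the point of monitoring mode: the `mrn-pilot` events show how often the new rule would fire and on which traffic before anyone switches it to `enforce`, which is how a policy is tuned without the quarantines that cripple operations. The internal message is released untouched because the hospital's own domain is an allowed sharing context, which is the contextual-sharing relationship the text refers to.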
For an overview of data protection and privacy in healthcare, download our white paper, “Realization of Regulatory Compliance within Commercial Healthcare: Clearswift Best Practice Guidance for Critical Information Protection.”
By: Scott Kosciuk, Clearswift