Web Exclusive

Four Data Privacy Threats to Address Now
By Isaac Kohen

In the digital age, quality patient care is often synonymous with the effective implementation of technological advancements. HIT budgets reflect this shift, increasing nearly 9% in 2019, as everything from EMRs to artificial intelligence and automation reorient the sector.

With these advancements, health care companies are collecting more patient data than ever before. By 2027, health care companies are expected to spend $9.3 billion on data storage, up from just $2.4 billion in 2018. Unfortunately, protecting that information has been a continual and costly struggle for health care providers, collectively costing the industry $4 billion last year.

Both for the bottom line and patient well-being, health care providers need to protect data more effectively, a big job that can feel both overwhelming and impossible. However, some risks are now more prescient than others. Here’s what health care providers need to look out for.

Accidental data sharing. Health care companies collect incredible amounts of patient information, and a litany of personnel routinely interact with these data. Inevitably, accidents happen, exposing patients’ protected health information in the process. At times, accidental sharing has accounted for the highest number of breaches, as everything from sharing patient information on personal devices to inputting protected health information (PHI) in the wrong files puts privacy at risk.

Fortunately, providers aren’t powerless to prevent these breaches. Today’s software solutions equip companies of all sizes to take active steps to prevent employees, contractors, and anyone else accessing sensitive data from accidentally sharing this information. Specifically, that means doing the following:

• establishing clear data management practices and holding everyone accountable for their implementation;

• using software-driven automation to restrict employee access to PHI; and

• creating real-time alerts notifying employees or IT admins when data misuse is about to occur.

Malicious insider threats. Health care–related information has a ready market on the Dark Web, making it an attractive target for insiders willing to betray patient privacy to make an extra buck.

Unlike insiders who inadvertently expose patient data, Verizon’s 2019 Insider Threat Report notes that malicious insiders act with intentionality to “negatively affect the organization’s information.” To the untrained eye, these bad actors can be especially difficult to identify and stop.

For instance, a former employee for Lurie Children’s Hospital in Chicago accessed patient medical records, creating a costly data breach for the provider. Similarly, a Nebraska Medicine employee accessed patient medical records for more than three months, using his privileged user status to avoid detection.

Identifying and preventing malicious insider threats should be a top priority for providers in 2020, and the tools already exist to make this happen. That’s why HIPAA suggests implementing software that restricts data access, reducing data exposure and curtailing the opportunity for a breach. When coupled with endpoint data loss prevention software, health care providers can take meaningful steps to prevent malicious insiders from compromising patient data.

Third-party partnerships. Health care providers often employ a wide range of third-party partnerships that serve various patient needs. From lab work to equipment providers, these services can be both a boon to patient care and a significant vulnerability to data privacy.

In January 2019, third-party partnerships compromised 100,000 patient records. While it was noteworthy at the time, the number was dwarfed in June 2019 when Quest Diagnostics, a clinical laboratory service, experienced a data breach compromising nearly 12 million patients when a vendor breach at its billing contractor, the American Medical Collection Agency, exposed patient information.

In total, third-party vendors account for 20% of health care data breaches, a reality that should encourage every provider to reassess their partnerships with data privacy in mind.

Ransomware attacks. Ransomware made a shocking and unwelcome return in 2019, disabling 966 government agencies, educational institutions, and health care providers. In virtually every sector, ransomware attacks are on the rise, a reality that is playing out at hospitals and medical practices around the world.

Cybercriminals, looking to capitalize on the urgency associated with health care data, are targeting providers hoping for a big payout. As a result, some emergency departments are unable to treat patients, doctors are working from paper charts, and, according to one study, more people are dying from heart attacks.

While ransomware can feel inevitable and invincible, in reality, companies can protect themselves against this malware by closing off easily available access points. Updating software, training employees not to engage in e-mail scams, and other simple security measures can go a long way toward reducing the likelihood of a costly ransomware attack.

What Now?
Today’s ever-expanding threat landscape poses a real risk to health care companies who will only collect more patient data in the years ahead. However, rather than being overwhelmed by the incredible task of protecting patients’ information, every provider can take meaningful steps today to improve their defensive posture.

To some extent, establishing, communicating, and enforcing data management standards can help mitigate the risk of insider data exposure. At the same time, health care providers should turn to software solutions that automate data protection standards, helping IT admins identify risks, uphold data management standards, and prevent patient information from leaving the network.

As breaches become increasingly prevalent and exponentially expensive, getting this right should be a top priority. By controlling the controllables and managing in-house risks, health care providers can eliminate significant threats to data security. In doing so, they will apply their industry’s guiding principle to data collecting and security: first do no harm.

— Isaac Kohen is vice president of R&D of Teramind, a global provider of employee monitoring, insider threat detection, and data loss prevention solutions. He recently authored the e-book #Privacy2020: Identifying, Managing and Preventing Insider Threats in a Privacy-First World. He is on Twitter @teramindco.