Why Healthcare Cybersecurity Starts Inside Out – Part II

Insiders were behind nearly half of all healthcare data breaches in 2016, according to a recent Wall Street Journal article. In response, I posted an outline of strategies for closing the gaps in data security.

In the previous discussion, we focused on shaping the mindset of the user (employees and contractors), which is much more than education. It’s about building awareness, motivating and enabling staff to take a proactive approach to protecting patients and their data. Then we turned our attention to how identity governance can be used to create a foundation for security and outlined seven key success factors.

While these are critical elements for minimizing the risk of exposing data and for adhering to HIPAA regulations, healthcare CIOs, CISOs and other executives should also be concerned with an often-overlooked area: sensitive patient information stored in files as unstructured data.

Across all industries, it’s been estimated that approximately 80% of all data is unstructured. In healthcare, much of the discussion regarding this topic centers on how best to leverage the unstructured data that resides in the EHR for analytics purposes. But there is another side to the conversation, and it’s one that poses a real threat to healthcare data security.

As patient data and other sensitive information is extracted from structured applications and databases (e.g., moved out of Epic), it is often manipulated and saved in unstructured formats such as PDF, PowerPoint, Word, or Excel. Since end users have more flexibility in how files are managed, it is highly likely that multiple versions of a file will be created and stored in a variety of locations, some of which may not be secure. And with the rising trend of BYOD in healthcare, unstructured data can quickly find its way into compromising locations. Even if you’ve locked your doors, such exposure of sensitive data equates to leaving your valuables on the front porch.

As the volume of unstructured data continues to increase, organizations lose track of what data exists, where it is stored, who owns it and who has access to it. This presents a significant compliance issue and exposes organizations to security risks such as the loss of sensitive data, IP theft and even corporate espionage. Putting together a game plan for securing access to unstructured data requires extending identity governance to wherever that data is stored. In a previous blog post, Paul Trulove detailed three essential priorities that are worth repeating here:

  • Find sensitive data. Understanding where sensitive data is stored is the first step in protecting it. The only realistic way to find and keep track of the vast quantities of unstructured information is to leverage an automated solution that can scan all systems (on-premises or in the cloud), locate where sensitive information is being stored, and help move sensitive data to secure storage environments if necessary.
  • Design preventive controls for real-time governance. Installing preventive controls ensures the right people have access to sensitive data at the right time. Access to patient data can be a life-or-death matter in a healthcare organization. A strong preventive control framework helps to streamline delivery of access in a secure and compliant manner.
  • Implement detective controls. Reviewing and monitoring ongoing user access and activity for anomalies provides another layer of security. Proactive steps like periodically reviewing access can enable the organization to potentially eliminate dangerous situations and help prevent a data breach.
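As an added illustration of the first priority (finding sensitive data) and of the point above about copies of a file landing in a variety of locations, the following Python script is not the post's or the vendor's code: it walks a directory tree, flags plain-text files containing constructed PHI-like indicator patterns, and groups the hits by content hash so the same sensitive file saved in several places is reported together. The patterns, paths and sample files are all constructed assumptions.

```python
import hashlib, os, re, tempfile
from collections import defaultdict

# Constructed indicator patterns for illustration; a real deployment tunes these
# to the organization's own identifier formats (MRNs, payer IDs, and so on).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:#]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

def classify_text(text):
    """Return the set of indicator names found in text (empty if none)."""
    return {name for name, rx in PHI_PATTERNS.items() if rx.search(text)}

def scan_tree(root):
    """Return (path, indicators, sha256) for every file under root with a hit.
    Only plain text is inspected; PDF/Office files would need text extraction first."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                data = f.read()
            found = classify_text(data.decode("utf-8", errors="ignore"))
            if found:
                hits.append((path, found, hashlib.sha256(data).hexdigest()))
    return hits

def find_copies(hits):
    """Group hits by content hash so one sensitive file stored in several locations shows up together."""
    by_hash = defaultdict(list)
    for path, _, digest in hits:
        by_hash[digest].append(path)
    return {d: paths for d, paths in by_hash.items() if len(paths) > 1}

def build_sample_tree():
    """Constructed sample tree: a PHI export, a stray copy in a personal folder, an innocuous file."""
    root = tempfile.mkdtemp(prefix="phi-scan-")
    export = "Patient: J. Doe\nMRN: 00123456\nDOB: 04/12/1961\n"
    files = {"shares/clinic/export.txt": export,
             "users/jsmith/Downloads/export-copy.txt": export,
             "shares/clinic/schedule.txt": "Clinic opens 08:00, closes 17:00\n"}
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
    return root
```

Running `find_copies(scan_tree(build_sample_tree()))` reports the export and its stray copy under one hash, which is the "multiple versions in a variety of locations" situation an automated scan is meant to surface.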

Combining governance of access to unstructured data with organizational security awareness initiatives and strong identity and data access governance strategies gives healthcare providers a far greater probability of minimizing both the likelihood and the impact of data breaches.

To learn how to empower your organization with identity, download our eBook, ‘Learn What Happens When Identity Meets Data.’

Read the first post in this series, ‘Why Healthcare Cybersecurity Starts Inside Out.’