Mia Papanicolaou

Data Management – Recent hospital hackings expose need for stronger digital security in health care

April 18, 2016
By: Mia Papanicolaou

It’s no surprise that security breaches such as the Los Angeles hospital cyber-attack continue to take the medical industry by storm, exposing the need for even stronger security measures to protect sensitive patient data. With the medical/health care sector holding the dubious distinction of having the highest number of data breach incidents compared to other industries, data protection is becoming even more vital as patient information is moved from paper to digital storage.

While it’s true that the Los Angeles hospital incident involved certain IT systems being locked for ransom (rather than stolen), patient records were rendered inaccessible and the hospital had to revert to paper registrations and fax communication. Even if the hackers didn’t access or copy any information, the incident still put the hospital’s and patients’ data at risk.



In 2015, another cyber-attack occurred with the Anthem Inc. database breach, exposing key security vulnerabilities in the broader health care industry. In this attack, hackers were able to access up to 80 million records, many of which included personal data like Social Security numbers and street addresses. Health care continues to be a major target for cyber criminals because this sector is usually loaded with large amounts of data as compared to other industries. When a hacker is able to access patient data, they are not only getting millions of records, but they are also getting tons of personal and private data points that are highly valued on the black market.

A report by Dell Security Works claims the going rate for stolen health care data is 10 to 20 times the price of a stolen MasterCard account.

Security breaches can be mitigated, or even avoided altogether, if stronger security is put in place at all points where patient data is stored, processed and sent to the patients themselves. Four tips for health care organizations to consider when strengthening their data security include:

• Secure patient documents. Moving patient documents from paper to digital is inevitable, and does not mean that these documents have to be at increased risk of compromise. Patient registrations, insurance claims, medical history forms and lab reports are all documents that must be stored, but also shared with other participants in the health care network, as well as with the patients themselves. These documents must be protected at all points in the digital journey, using a combination of encryption, password protection, network security and access control.

• Use multiple layers of protection. One or two layers of protection in today’s digital world are simply not enough. When considering a document protection solution, make sure it provides multiple layers of protection, beyond network level security (firewalls) and encryption at the database level. Consider implementing additional security layers that encrypt and protect each individual patient document regardless of where it happens to be — stored in a database, traveling via the Internet or saved on a patient’s own computer.

• Use cutting-edge security technology. Ensure that security tools, practices and controls are up to date. Self-audit and test controls regularly. Use automated tools such as vulnerability scanners and employ intrusion detection on both the network and internal systems. It is important to identify and stop potential attacks as soon as they begin, to protect patient data that resides in document storage systems.

• Provide ongoing employee education. The one point of failure that the best technology cannot protect against is the weak link in the chain — humans. If there isn’t enough training on what could happen, and on how to recognize and avoid being the point of failure, the easiest way for hackers to gain access is by compromising an employee’s access. Be sure that all employees understand and operate by the organization’s security and compliance measures. Security education should be ongoing and include providing the latest updates on potential threats and new trends. This training is also required in order to be HIPAA compliant.

It is vital that health care organizations start to take even stronger measures to address the security gaps in their operations, including deploying tougher data protection solutions. The good news is there are new and innovative solutions in the marketplace that can help health care organizations to better fortify all of their digital documentation.

Mia Papanicolaou is chief operations officer for document security specialist Striata Inc. Papanicolaou joined Striata in 2006, and having worked in Africa and the U.K., now heads up North, Central and South American operations. Papanicolaou is a regular speaker on her areas of expertise — secure electronic document delivery and email marketing.