Health care data breaches are surging these days, with the first half of 2019 seeing 32 million patient records illicitly accessed. That’s more than double 2018’s total for the entire year. And 2018’s number was three times that of 2017.
Last year’s largest breach? The American Medical Collection Agency (AMCA) incident, which went on for eight months and only came to light thanks to an 8-K filing by the U.S. Securities and Exchange Commission. The breach affected a staggering 25 million patients (including 12 million from partner Quest Diagnostics and nearly 8 million LapCorp patients). The breached data included a mixed bag of personal health information (PHI), payment card industry (PCI) information, and personally identifiable information (PII). Investigations are ongoing and lawsuits are in the air.
But this incident, as the numbers clearly show, was just one of many. Indeed, according to the authors of a recent LexisNexis report, many U.S. hospitals and health care organizations are essentially a “data breach waiting to happen.”
The health care industry’s data protection problem
There are good reasons why the frequency of health care data breaches is on such a startling upward trajectory. The industry is relatively ripe for the plucking in terms of data theft by hackers – not only do more than half of health care providers still use outdated Windows 7 operating systems that don’t receive security updates or patches, but a large number of providers also rely on outdated legacy patient identification management tools.
Remember that LexisNexis report we mentioned earlier? It also found that:
- 93 percent of providers use username-password authentication in their online patient portals
- 39 percent of providers use knowledge-based authentication (Q&A’s)
- 38 percent use email verification
- 29 percent use phone verification
- 65 percent of providers employ multi-factor authentication (MFA), a standard cybersecurity measure
- 6 percent of those surveyed were extremely concerned about security issues
Although just six percent of those polled indicated that leaky security was a big concern, authorities such as the U.S. Government Accountability Office have clearly stated the measures employed by most health care organizations above are simply not enough. Knowledge-based authentication, for example, such as asking basic questions on birthdays or mother’s maiden names can be compromised relatively easily by a hacker with stolen data.
Getting compliant isn’t always easy
Adding to the complexity of the data protection issue is that, for the health system to work, PHI, PII, and PCI is regularly shared between various health care entities. Consider the information sharing required in a relatively common scenario of someone visiting their GP, getting lab work done, getting referred to a specialist at another health organization, and then submitting claims for all these activities to their insurance provider. It’s a lot.
Sharing requirements like these are a big reason why the industry is governed by strict data privacy standards like the Health Insurance Portability and Accountability Act (HIPAA), a 1996 law meant to safeguard PHI. The problem, however, is that HIPAA violations are not exactly rare: The HIPAA Journal says the number of HIPAA penalties has gone up virtually every year since 2008 (although this could also be attributed to heavier enforcement).
The HIPAA Journal goes on to explain that HIPAA rules can be breached in hundreds of ways, with some of the most common violations beings:
- Improper disposal of PHI
- Improper PHI disclosures
- Unauthorized PHI access
- Failing to perform an organization-wide risk analysis
- Failing to monitor or maintain PHI access logs
- Failing to provide patients with their own PHI upon request
It’s important to note, however, that this isn’t just a private-sector problem, and that data protection and compliance issues even extend to public health agencies. The Centers for Medicare and Medicaid Services, for example, was recently called out by the Accountability Office for using knowledge-based authentication despite this being a clear violation of NIST health IT guidelines.
Why R&D companies may have the most to lose
It’s not just public health agencies or health care organizations who must take data protection seriously, though. Medical research and development companies like biotechnology, pharmaceutical, and medical device manufacturers all live and die by the integrity (and value) of their intellectual property (IP), along with the ability to share big data or combine datasets with partners and collaborators. That’s not even mentioning the fact that medical research data often involves private patient data, and that failing to adequately protect PHI in a medical research scenario inevitably leaves patients less willing to participate in trials.
But it’s not always a simple task. Take, for example, medical research on sudden cardiac arrest (SCA) incidents, which account for 20 percent of all natural deaths in Europe and have just a seven percent survival rate. To improve these numbers Europe devised the ESCAPE-NET consortium, meant to combine SCA datasets from around the world including information on patient genetics, medical history, even personal socio-economic information. All this data must be shared among a litany of different countries and organizations.
Add to this the sheer altitude of the stakes involved: IP theft among research-heavy companies in industries like pharmaceuticals or biotech can actually be an existential threat to the organization, simply due to the massive amounts of cash involved. Deloitte says the average cost of bringing a pharma or biotech product to market was a massive $1.99B in 2017 – yet in 2015, nearly two-thirds of pharma companies reported data breaches.
How one US health insurer stays compliant
But keeping all that data private in such a fast-moving and complex industry is an incredibly complex challenge – especially for smaller organizations delivering on-the-ground, day-to-day health care. “I think they do a fine job, but it’s also important to remember these organizations are primarily focused on delivering the best health care possible,” explains an information security director at a U.S.-based health care insurance company (and Titus client). “I’ve got a friend who is a doctor, who says if he’s got a patient in trouble he’ll put their records upon the Jumbotron if it’ll save their life. So there’s a little bit of a different mentality there.
“But it’s probably an area that could be improved from a larger company perspective. Part of that is trading off the cost of delivering positive health outcomes at a faster pace with the cost of a robust, secure, security program. Those two things can be hard to do together. ”Authorities such as the U.S. Government Accountability Office have clearly stated the measures employed by most health care organizations above are simply not enoughTweet this
Being a health care insurance provider, the company is regulated by several bodies including the Centers for Medicaid and Medicare Services (CMS) and state insurance offices. “We don’t have the luxury of not being fully compliant,” says the director, adding his company uses a combination of technologies and best practices to keep its data locked down including machine learning, multi-factor authentication, and least privilege permissions.
“You focus on things like What are the key data sources? You ensure they’re only in your production systems and that all your analytics are done with synthetic data and not primary data,” explains the director, whose company uses Titus technology to help identify and classify sensitive data and locate where it resides in their systems. “You make sure you have robust analytic models that let you understand the movement of data across your network. And then one of the most critical things is managing your access policies appropriately, to ensure only the right people have access.”
Time for an industry intervention?
They say that PHI is the illicit data market’s golden goose: whereas social security or credit card numbers are worth a paltry few cents each on the black market, PHI data and electronic medical records are many orders of magnitude more valuable. That’s why health care organizations, medical R&D-driven organizations, and public health agencies all require a clear and consistent way of identifying data sensitivity and determining proper handling. Without this, consistently effective and secure information sharing among what can be dozens of organizations at a time is little more than a pipe dream.
Luckily, data protection software exists that helps automatically identify PII, PHI, PCI and other sensitive nuggets of information within both structured and unstructured data. It also helps establish and enforce a uniform system of classifications and markings to documents and emails, lowering the burden on front-line staff who likely don’t have the bandwidth to manually check for sensitive data when with every email or shared document.
Good data security software uses machine learning and neural networks to not only leverage the content of documents and emails itself, but also context, categorization, and user attributes to ensure only the right people can access the right information – and that those people then share the information exactly according to policy. And because lost mobile devices are the cause of one-third of all health care data breaches, data protection software stores all sensitive information on the device in an encrypted container (sensitive information can also be automatically deleted after a certain time period or if the user strays outside the permitted geographic area).
Delivering faster, better health outcomes while keeping data private will always be a challenge for health care organizations. At a time when data privacy and protection is more important than ever from regulatory, financial and reputational points of view, health care organizations need to take data privacy seriously – or risk the consequences.
