Does Your Team Have These Modern Skills to Protect Healthcare Data?

The following is a guest article by Ameesh Divatia, Co-Founder and CEO at Baffle

Healthcare organizations were early adopters for protecting data in the modern environment — from stringent compliance regulations to the need to share health records between offices securely. However, protecting patient data has grown more complex in recent years with the influx of new regulations, cloud computing and myriad other factors.

The modern healthcare IT team must possess an array of emerging skills that allow practices to share data while ensuring that no one but the intended recipients gains access to it. Let’s explore the evolution of data protection in the healthcare industry and how the best teams protect it.

Regulatory Compliance Mastery

Of course, HIPAA is the most prevalent regulation healthcare organizations must adhere to, but over the last decade or so, we have seen an increase in rules related to patient data. For example, the 21st Century Cures Act, which grants patients free electronic access to their records, has forced healthcare providers to dramatically re-evaluate data sharing. HIPAA requires data to be secured unless certain exceptions arise, whereas the 21st Century Cures Act requires records to be shared with patients unless another set of exceptions applies. As a result, healthcare IT teams must be able to balance both regulations and stay in compliance.

Further complicating matters are individual state data privacy laws, such as the California Consumers Protection Act (CCPA), which lays out specific data privacy rules for companies that operate in the state or work with patients in the state. Six states have individual data privacy laws, while a handful of others are considering privacy legislation. 

As a result, healthcare organizations must partner with or have compliance experts on staff who understand how compliance laws intersect, keep tabs on proposed legislation that could impact their organization and create plans to address them. And the team that handles data must have extensive training to ensure their actions do not place the organization out of compliance.

Cloud Data Protection Expertise

Healthcare data is no longer locked away in an on-premises database, where it remains until the end of its lifecycle. Many healthcare organizations rely primarily on the cloud because it brings cost savings, enables effortless scalability and makes data more accessible (re: 21st Century Cures Act). Cloud storage also allows for easier disaster recovery and empowers healthcare providers to use their data for collaboration opportunities. Consider how data collection and sharing assisted in response to COVID-19.

However, a heavier reliance on the cloud can create vulnerabilities that cybercriminals can exploit. Many organizations fail to consider the details of what their cloud service provider (CSP) is responsible for protecting and what the user must protect — commonly known as a shared responsibility model. Organizations must understand that in most shared responsibility models, the CSP will protect the cloud’s infrastructure while the user is tasked with protecting the data stored within. 

To ensure continuous data protection, healthcare organizations must understand which protection methods to employ and when to employ them. Data masking, which permanently hides data values, is appropriate for data that will not be shared. Encryption, which replaces values with ciphertext, should be used for data that will be shared internally or externally. To further protect data, healthcare organizations should work with CSPs that offer Bring Your Own Key (BYOK) technology, which gives users control over the keys necessary to access data values. BYOK ensures that only authorized users can access sensitive health data.

Data Breach Response and Mitigation Tactics

Over the last 15 years, data breaches have become a common and expensive reality for every industry, but because health data is considered the most valuable for cybercriminals, the healthcare industry is disproportionately impacted. A patient’s complete health record can be worth upwards of $1,000 on the black market, while Social Security numbers go for only $100 on average. As we mentioned, healthcare organizations must employ the appropriate protection methods, but they must also assemble a team that is ready to respond to a breach. And to be clear, a breach is, unfortunately, a certainty. The big question is this: How prepared will you be to mitigate the damage?

The key is speed, and a healthcare organization should have a team assembled and trained extensively to act quickly and with clear direction. This means restricting data access and notifying the appropriate agencies and affected patients as soon as possible. This team should be prepared to assess what went wrong and determine which improvements can be made moving forward. It is also crucial to conduct repeated incident response training that incorporates best practices for responding to new attacks — cybercriminals are continuously devising new schemes to access data.

Asset Management Proficiency

Data today is not static. It is shared, copied and saved in disparate locations — not to mention the mass migration of data from on-premises databases to cloud environments. Subsequently, healthcare IT teams must shift security priorities from the database perimeter to the individual record level. However, it gets even more granular because it is not enough to know where an asset is. You must also understand what is contained in each record to ensure you apply the appropriate protection methods. 

Healthcare organizations must invest in technology and training that allow IT teams to classify data accurately at the record level and keep stringent tabs on its movement. It is also critical to have controls that restrict the movement, replication and storage of data to purposes that align with the multiple compliance regulations healthcare organizations must adhere to.

Healthcare IT teams have a much steeper hill to climb than ever before, as data is more mobile, more valuable and under more regulatory scrutiny. Healthcare organizations should ensure their teams bring the aforementioned skills to the table and offer continued training to keep up with a data landscape that continues to evolve. While this is not an easy task, it is critical to ensuring compliance and maintaining reputational integrity.

About Ameesh Divatia

Ameesh Divatia is the Co-Founder & CEO at Baffle, Inc., the easiest way to protect sensitive data. He has a proven track record of turning technologies that are difficult to build into successful businesses, selling three companies for more than $425 million combined in the service provider and enterprise data center infrastructure market.
