Companies in the European Union – and any company anywhere with EU customers – are scrambling to meet the General Data Protection Regulation (GDPR) compliance deadlines. It’s just a matter of time before stricter privacy control legislation is imposed in other parts of the world.
The protection of personal data is an increasingly hot topic. With every news report of lost, stolen or hacked data, we all become a little more uneasy. Businesses ramp up their focus on protecting their clients, and customers focus on themselves.
With recent high-profile breaches of protected health information (PHI) at companies like Anthem and Allscripts, consumers are more worried than ever about their personal data being compromised. It seems to be a double-edged sword. Consumers are wary of sharing personal information – financial and health-related data top the list. Yet as patients, we expect health professionals to have complete access to our health profiles and background in order to make critical diagnoses, quickly.
The very nature of this information makes the healthcare industry a prime and profitable target for criminals. As you would expect, data security for the users of our dental and medical practice management software has always been a priority.
So naturally, I was intrigued by the findings of Verizon’s 2018 Protected Health Information (PHI) Data Breach Report. I came across a recent article by Suzanne Widup of Verizon’s Security Research Team summarizing findings from 1,368 incidents within the healthcare sector covering 27 countries. Interestingly…
- 58 % of incidents involved insiders. Whether driven by financial gain, such as tax fraud or opening lines of credit with stolen information (48 %); curiosity in looking up the personal records of celebrities or family members (31 %); or simple convenience (10 %), poor internal controls pose a major threat to an organization.
- 70 % of incidents involving malicious code within the healthcare sector were ransomware infections.
- 27 % of incidents related to PHI printed on paper. Cyber hacking may be in the news, but it seems real breach activity can also be found in the paper trail. Mailed or faxed prescription information, billing statements, copies of ID and insurance cards… these printed documents are commonly mis-delivered, lost or thrown away without shredding.
- 21 percent of incidents involved lost and stolen laptops containing unencrypted PHI.
At ABELSoft, our Privacy and Security Specialists are intimately involved at every step of product development and quality control. They champion control and vigilance with internal stakeholders as well as with every software user. Here are several short- and long-term measures suggested by Verizon and by our internal team to lessen the risk of some of these challenges.
a. Full Disk Encryption provides an effective and relatively low-cost method of keeping data out of the hands of criminals.
b. Integrated controls (like ABELSoft’s Authorization Manager, for example) define user roles and access requirements.
c. Documented policies and procedures that mandate routine monitoring of internal access demonstrate commitment to vigilance and repercussions.
d. Staff education regarding these policies is critical.
e. Preventive controls for defending against malware installation are key, as is minimizing the impact that ransomware could have against your network.
f. Unfortunately, ransomware attacks will not always be prevented. There are cases where protective technology gets breached and humans get misled. Good backups become the only recourse when preventative measures fail (other than paying the ransom or starting over, which are both unacceptable solutions).
g. Practices should work towards a reduction of paper-based PHI in their environments, and establish a holistic risk management program that protects not only ePHI, but also other sensitive data that they store and process.
As much as we like to think that we have become cyber-aware and digitally vigilant, we know that hackers and sophisticated criminals will try to get past our defenses. We cannot assume that our team members intuitively understand the importance of privacy and security of healthcare data. They must be educated, reminded and monitored to make sure that you remain the reader of cybercrime news reports… and not the subject.