Friday Quick Take: Why Healthcare Providers are at Risk of Breach

Identity governance is foundational to any cybersecurity program. However, healthcare providers who only focus their identity governance program across applications, expose themselves to unnecessary risks. No matter how secure your database, sensitive data tends to escape and migrate to unsecured locations. This can lead to serious financial, operational and reputational consequences. For instance, a 2016 Ponemon study estimated the cost of a single health data breach to be $4 million. In the same research, more than 40% of healthcare provider organizations had five or more breaches over a 24-month period.

How Sensitive Data Ends up in Unsecure Locations

Not all breaches originate from an individual with malicious intent. In fact, sensitive data often gets exposed through legitimate, daily workflows. Consider the following examples:

Copied and Pasted Information

• A clinician conducting a research study may copy and paste medication administration or flowsheet data from the Electronic Health Records (EHR) system into an application such as Word, PowerPoint or Excel for tracking.
• An assistant may copy and paste historical data for the day's scheduled visits into Word for a provider's consumption outside of the EHR.

Data Exported for Reports

• The provider organization's Health Information Management department may run a real-time operational report for auditing purposes. The report may be later saved to a network drive for future reference.
• Overnight EHR batch reports may be run and distributed on a network drive or SharePoint site.

Scanned Documents

• Insurance cards and other paperwork may be scanned when the patient is admitted. Later, it may be downloaded by Patient Financial Services to work on the file.
• Occupational Health records not stored in an EHR may be scanned and stored in folders on a network drive.

How much risk does this pose to healthcare organizations? With an estimated 80% of all data stored in unsecured files, providers need an effective and efficient approach to mitigating risk of overexposing sensitive data to unauthorized individuals or groups-some of whom may have questionable or even malicious intent. To address this issue, providers must overcome several challenges:

• An Ocean of Data - Given the sheer volume of data files that likely reside in unsecured locations, providers need to target their approach. Without exercising precision, any effort to secure access to these files will be ineffective.
• Minimal Visibility - Provider organizations that do not know who is accessing what, simply cannot protect sensitive files from prying eyes.
• Lack of Data Insight - IT departments do not typically possess understanding of the data sets or who should have access to that information.

How do you avoid boiling the ocean to secure the sheer volume of data files within your organization? How might providers gain visibility into where the data resides and who is accessing the information? Finally, how might providers minimize impact on IT departments and increase the effectiveness of controlling access to data? These questions can be answered through a comprehensive identity governance solution that extends beyond systems and applications, to data files wherever they reside.

To get the answers to these questions, watch The Roadmap for Securing HIPAA-Related Content and Eliminating Compliance Gaps.