"We've had a breach."
It's a sentence nobody wants to hear, but breaches in the healthcare industry are unfortunately common. The Open Security Foundation reports that the healthcare industry has been responsible for 14 percent of all security breaches since 2005, and the Ponemon Institute indicates that healthcare breaches cost twice as much as retail-sector breaches.
The healthcare industry faces a perfect storm of factors that make breaches more likely. The industry is in charge of a range of personal health information (PHI) and is also notoriously slow to adopt leading practices and new technology. Large healthcare facilities typically have hundreds or thousands of employees and healthcare professionals with access to PHI; and smaller practitioners often lack the knowledge and resources to properly secure their networks and PHI.
In all, healthcare breaches cost $282 per record in lost customers, damage control, litigation and lost revenue. The healthcare sector spends $6 billion every year to remediate breaches, and healthcare organizations with poor PHI management policies spend an average of $1 million per year dealing with data breaches.
As a healthcare organization, your most valuable asset is your patients' and customers' trust. Breaches directly undermine patient trust. As a result, the healthcare sector has the highest "churn" rate: 6.5 percent of patients leave after a breach, compared to the average of 3.6 percent.
Below are five key things healthcare organizations can do to prevent the next breach:
1. Find and Remove "Shadow Systems"
Almost every healthcare organization has a core system of record that is guarded by a small army of IT professionals. However, the physical therapy department may keep track of specialized patient data that your social services department doesn't. The pharmacy needs access to information that the marketing department doesn't.
While some organizations implement a complex scheme of roles and permissions, others simply create copies from the core systems. Each department maintains these separately. These are called "shadow systems."
Shadow systems can be sophisticated databases under high security or simple Excel spreadsheets on personal laptops. Without strict controls and supervision, they can multiply at an alarming rate when users create their own copies at any time, outside the security system.
Thus, despite the high security on the core systems, the security perimeter extends much further. It is vital to discover these shadow systems, determine how far your security perimeter extends, and delete unnecessary information.
2. Include Only Required Information in Reports
It is tempting to include more information than necessary in internal reports. Every time social security numbers or PHI appear in a report, you must invest additional resources to protect the report. In other words, sloppy reports cost money.
3. Find and Digitally Shred Unneeded Information
According to the Privacy Rights Clearinghouse, breaches occur in several common patterns.
A recent white paper by Identity Finder analyzed each breach and found that between 65 percent and 76 percent of the time, the breached information was stored or "at rest" when the breach occurred, and a third party only intercepted the data between 20 percent and 30 percent of the time.
These findings are consistent with nationalidwatch.org, which has discovered and documented more than 115 breaches from a range of industries. In each breach, there is a common theme: Old, forgotten data was accidentally exposed or lost. Old, forgotten data is dangerous data. In each case, the organization was completely unaware which computers and public servers had copies of personal information, until it was too late.
This "data blindness" is why you need to actively scan computers, servers and networks for sensitive personal information. You'll be surprised what you find, and where you find it. Once you know where these assets reside, you can take action to shred, redact, or protect the information.
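As an added illustration of the scan-then-redact step described above (example code, not Identity Finder's product or the author's own), here is a small discovery routine that searches lines of text for social security numbers, applies the SSA structural rules to discard obvious false positives, and produces a redacted copy. The sample lines are constructed for the example.

```python
import re

# Constructed sample lines, the kind of "shadow" spreadsheet export the article describes.
SAMPLE_LINES = [
    "Patient: Jane Doe, SSN 219-09-9999, MRN 00412, dx: hypertension",
    "Invoice 000-00-0000 is not an SSN and should not be flagged",
    "Order #123-45-6789 shipped",            # plausible SSN in an unrelated field: still flag it
    "Phone 666-12-3456 uses an area number the SSA never issues",
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    and the group and serial parts are never all zeros."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list:
    """Return the plausible SSNs found in one line of text."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def redact_ssns(text: str) -> str:
    """Mask every plausible SSN, keeping only the last four digits for reconciliation."""
    def mask(m):
        if not is_plausible_ssn(*m.groups()):
            return m.group(0)
        return "XXX-XX-" + m.group(3)
    return SSN_RE.sub(mask, text)


def scan_lines(lines) -> list:
    """Return (line_number, hit_count, redacted_line) for every line holding a plausible SSN.
    Accepts any iterable of strings, so an open file handle works as well as the sample list."""
    findings = []
    for i, line in enumerate(lines, 1):
        hits = find_ssns(line)
        if hits:
            findings.append((i, len(hits), redact_ssns(line.rstrip("\n"))))
    return findings


if __name__ == "__main__":
    for line_no, count, redacted in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: {count} SSN(s) -> {redacted}")
```

Pointing scan_lines at every file on a share gives the inventory the article calls for; the redacted output can then replace the original where the full number is not actually needed.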
4. The Human Element
Even the best IT security cannot prevent an employee's careless mistake. Healthcare organizations bear the weighty responsibility to train all staff in proper handling of PHI, especially in an age of Facebook, Twitter and smartphones. Though technology solutions are often essential, security is not only an "IT" thing. Privacy is not a product. Security is fundamentally a human system, which uses technological tools.
Create a culture of privacy and security by evaluating employees on their adherence to privacy and security practices during each performance review. If your organization requires employees to transmit PHI, make sure that the employees have a secure method (that is, not e-mail) to transfer files. Make sure that tools are easy to use and your employees are trained and encouraged to use them.
5. Authorized Access
PHI is called "sensitive information" for a reason; it's truly sensitive. Hundreds or even thousands of employees and healthcare professionals at a large hospital have access to PHI. A single employee who exercises bad judgment can cost the company millions of dollars. Consequently, access to PHI should be granted on a "need to know" basis, and access should be reviewed on a regular basis.
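To show what a "need to know" review of PHI access looks like in practice, here is an added example (not from the article or from Identity Finder) that checks a list of access grants against an assumed department-to-system matrix and a 90-day inactivity window; the matrix, the window and the grants are all constructed for the illustration.

```python
from dataclasses import dataclass

REVIEW_WINDOW_DAYS = 90  # assumed review period; the article only says "on a regular basis"

# Assumed need-to-know matrix: which departments have a business reason to reach each PHI system.
NEED_TO_KNOW = {
    "pharmacy_db": {"pharmacy", "nursing"},
    "pt_notes": {"physical_therapy"},
    "billing": {"billing", "social_services"},
}


@dataclass
class Grant:
    user: str
    department: str
    system: str
    days_since_last_access: int


# Constructed sample grants.
SAMPLE_GRANTS = [
    Grant("rn.alvarez", "nursing", "pharmacy_db", 3),
    Grant("mkt.chen", "marketing", "pharmacy_db", 12),        # marketing has no need to know
    Grant("pt.okafor", "physical_therapy", "pt_notes", 140),  # legitimate role, but unused
    Grant("bill.sato", "billing", "billing", 1),
]


def review_grant(g: Grant) -> list:
    """Return the reasons a grant should be revoked or re-justified; empty means it passes."""
    reasons = []
    allowed = NEED_TO_KNOW.get(g.system)
    if allowed is None:
        reasons.append("unknown system: no need-to-know policy defined")
    elif g.department not in allowed:
        reasons.append("department has no need-to-know for this system")
    if g.days_since_last_access > REVIEW_WINDOW_DAYS:
        reasons.append("stale: unused for longer than the review window")
    return reasons


def access_review(grants) -> dict:
    """Map each flagged grant ('user@system') to its reasons; passing grants are omitted."""
    flagged = {}
    for g in grants:
        reasons = review_grant(g)
        if reasons:
            flagged[f"{g.user}@{g.system}"] = reasons
    return flagged


if __name__ == "__main__":
    for grant, reasons in access_review(SAMPLE_GRANTS).items():
        print(grant, "->", "; ".join(reasons))
```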
PHI is as valuable as gold, and as dangerous as uranium. Although your organization will never be able to completely eliminate the risk of a breach, taking these five common-sense steps will significantly reduce your potential liability. And like blood pressure, low liability is good for your health.
Todd Feinman is the CEO of Identity Finder. He has more than 15 years of experience in the security industry and is an internationally published author and media personality. He wrote Microsoft's own reference book on securing Windows and McGraw Hill's university textbook on managing the risks of electronic commerce. Recently he has appeared on many television and radio shows including FOXNews, FOX, NBC, ABC and WPIX. He has written dozens of articles and presented at numerous global conferences on the topics of identity theft, data leakage, security, and privacy. Todd spent ten years at PricewaterhouseCoopers, where he started as an ethical hacker breaking through the IT security of Fortune 100 companies and later took the role of director. Todd has an MBA from Harvard Business School.