Technology innovations within the healthcare industry have risen exponentially in the last decade – consequentially, so have data breaches and theft. In 2013 alone, millions of patients’ protected health information (PHI) was compromised, costing healthcare organizations billions of dollars. Some of this information was even dated back decades prior, affecting individuals no longer affiliated with the compromised organizations.
The U.S. Department of Health & Human Services (HHS) “must post a list of breaches of unsecured protected health information affecting 500 or more individuals.” The organizational format of the breaches are now in a “new, more accessible format.” Indicative enough of the rise?
The three companies being featured on what some call the HHS “Wall of Shame” for the most individuals affected in their 2013 breaches are listed below. Can you note a common theme?
- Advocate Health and Hospitals Corporation (Advocate Medical Group) in Park Ridge, Illinois. 4,029,530 affected – the largest in Illinois history, July 2013. Theft of four un-encrypted laptops.
- Horizon Blue Cross Blue Shield of New Jersey headquarters in Newark, NJ. 839,711 affected, November 2013. Theft of two cable-locked laptops.
- AHMC Healthcare Inc. in Alhambra, California. 729,000 affected, October 2013. Theft of two laptops.
Of course, if you guessed theft of stolen devices, you are correct. Stolen devices were the most common cause of healthcare breaches in 2013.
Healthcare organizations store a hefty volume of sensitive PHI, from patient diagnoses to birth records to credit card numbers. Besides stolen devices, there are numerous other IT related causes of healthcare breaches. These include unauthorized access or disclosure to files, hacking, and lost devices. The truth of the matter is that even those organizations who have invested in large-scale Data Loss Prevention (DLP) frameworks cannot completely eliminate the risk of data breach by virtue of having a DLP technology in place. Data-in-Motion, Endpoint Protection, and Data-at-Rest technologies are an essential component of any DLP strategy, but are not the end-all, be-all solutions for a healthy Data Loss Prevention program.
Organizations who are not only concerned about protecting their patients’ data and adhering to compliance laws, but those who are determined to address data protection in a more proactive fashion, often employ repeatable, high frequency scans of their systems and applications where data resides to ensure they know where the sensitive data is, and that it’s protected adequately.
Our Sensitive Data Discovery solutions part of a healthy DLP diet. Like the large-scale DLP frameworks, our solutions are not an end-all, be-all product to solve all your DLP woes. Rather, they were designed to address a particularly difficult set of requirements within DLP programs that even the big DLP vendors fall short of fulfilling – Unstructured Data that is hiding in virtually every corner of your network. STEALTHbits solutions will agent-lessly scan your desktops, servers, and network file shares to identify and protect sensitive PHI information. Without the need to deploy agents, our software is up and running in minutes – not months, years, or potentially even never. It can be used tactically or strategically as well, allowing for ad hoc scanning of systems of particular interest, or scheduled, batch scanning of any number of machines on an interval of your choosing.
Our solutions employ a very logical workflow for the discovery of sensitive data:
- Identify where data exists
- Profile the Risk associated with each data location by pinpointing who has access to the data, what type of access they have, and what type of data exists there
- Leverage dozens of preconfigured criteria sets and the ability to create highly accurate, custom scans to find where sensitive data exists
- Secure the data through a variety of built-in actions and reporting capabilities
As an example, for institutions that have laptops leaving the organizations’ walls, a quick way to discover and protect the sensitive data that may be on those machines is often needed. Our solutions can be set to automatically scan these laptops prior to leaving the office to see if any sensitive data should be removed or encrypted.
Sources:
- http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
- http://www.healthcareinfosecurity.com/unencrypted-laptops-lead-to-mega-breach-a-6277
To contact STEALTHbits, click here
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Related Posts
- Sensitive Data Discovery for Compliance
- Using The Azure Information Protection (AIP) Scanner to Discover Sensitive Data
- Advanced Data Security Features for Azure SQL- Part 1: Data Discovery & Classification
- How to Protect Office 365 by Classifying Your Data with Microsoft’s AIP Labels
- 2019 Verizon DBIR Key Findings
- 5 Cybersecurity Trends for 2019
- EU GDPR: Paving the Way for New Privacy Laws?
- Announcing Stealthbits Activity Monitor 3.0 & StealthINTERCEPT 5.1
- Key Take Aways from the Ponemon 2018 Cost of Insider Threats Report
- Where Real Organizations Are with EU GDPR 10 Days from Launch
Leave a Reply