Why Is Medical Data So Difficult to Protect?
Breaches and identity theft involving medical data are on the rise. According to the Ponemon Institute, criminal attacks in health care have increased by 125 percent since 2010 and are now the leading cause of medical data breaches. The study also found that 91 percent of health care organizations have experienced at least one data breach, costing more than $2 million on average per organization. The American Action Forum estimated that medical breaches have cost the U.S. health care system more than $50 billion since 2009.
Medical records are extremely valuable to thieves, with such data sold for an average of $363 per record, which is much higher than for credit card data. Additionally, compromised bank cards can quickly be canceled, thus limiting the potential damage, whereas medical data cannot be so easily destroyed.
Medical Information Is Widely Shared
One factor that complicates the problem is that medical data passes through so many hands. Researchers at Carnegie Mellon University told The New York Times that a typical patient’s medical data can be accessed by at least 30 people and organizations, ranging from physicians to pharmacies, insurers and even pharmaceutical companies.
Whereas medical data was once stored in paper form, the increased use of electronic health records has vastly improved the ease with which data can be transmitted or accessed in storage. According to one recent report from the Information Security Media Group, 68 percent of patients stated they were not confident that their medical records were safe from loss or theft.
Use the Necessary Access Control Safeguards
Since not all medical breaches are caused by theft — they could be the result of an inadvertent error, for example — every organization should put in place stringent policies and procedures governing access to sensitive data. These measures should ensure that all staff are thoroughly trained in what is expected of them and implement sanctions for noncompliance.
This requirement is included in HIPAA’s security rule, which also mandates that organizations periodically assess the effectiveness of those policies and procedures. Employees and partner organizations should be required to report any suspected or actual breaches they encounter so that swift action can be taken.
Organizations should also ensure they have appropriate technical safeguards in place to protect medical data. Role-based access controls should be implemented by all health care organizations that need to access data, and they must be regularly reviewed and audited. Strong authentication mechanisms will help to ensure only authorized parties can access sensitive medical data.
Access control technologies will help organizations pinpoint all those who have accessed data that has been breached no matter what entity within the health care sector they work for. Given the number of entities that need to access medical information, all data being transmitted should be encrypted.
Monitoring Technologies Lock Down Medical Data
Monitoring technologies that are capable of capturing all user data across all networks and applications should be implemented, including applying advanced analytics capabilities to sift through data feeds to uncover actionable intelligence. The system should provide real-time alerts for suspicious behavior so that action can be taken as quickly as possible. It should also record all data flows so that there is a trail that can be followed in the event of a data breach.
Since medical data is so valuable to thieves and the potential damage to individuals is so great, it is vital that controls and safeguards are in place to ensure data is protected throughout the health care ecosystem. This will make it much easier to investigate which party was responsible for the breach and therefore which organization is responsible for notifying the individuals whose data has been exposed.
With the financial impact of a breach so high, it is important that the party responsible be quickly and accurately identified.