Last year, two critical data protection issues arose for IT security professionals, according to Digital Guardian:
- The number of data breaches and cyberattacks increased throughout the year.
- Health and Human Services for Civil Rights (HHS OCR) continued to be more aggressive in enforcing HIPAA regulations.
Think of the data that is leaked from these sources: credit card numbers, Social Security numbers, credit scores. These vital and sensitive data points, when in the wrong hands, can mean your identity is at an extremely high risk of being stolen.
Those staggering numbers should make the ears of every healthcare executive perk up and start digging into the various ways organizations can take privacy and security around patient data as seriously as they do a patient’s life.
When you think about the sheer amount of personal data that is shared between you, your physician, and the insurance company, data breaches become even more of a personal threat and a scary reality.
Earlier this year, Forrester predicted that some 80-million breaches of patient information inside the nation’s health system will be as common as cold cafeteria coffee. And with health systems only growing in size, the risk is that much greater.
“For malicious attackers interested in ransom, blackmail and espionage, this healthcare data will be too tempting not to gain, and as a result, healthcare organizations must increase spending on security now,” the report found.
And as such, the threat of cybersecurity isn’t quelling anytime soon.
So what can the industry do to protect itself from the lurking threats?
For large organizations, hacking is top of mind for the IT department and keeping the critical infrastructure secure is a core responsibility. For small rural health systems, a data breach or hacking event can be detrimental to the livelihood of the community. The spectrum of damage, albeit widely varied, is irreversibly hindering and is a very real threat in the modern health system.
The Role of HIPAA in Keeping Our Data Safe
Hacking is the number one cause of HIPAA breaches — cited nearly 50 percent of the time this past April, and affecting over 90,000 individuals according to the HIPAA Journal. In relation to ransomware infections and phishing attacks, these breaches involved (what was supposed to be protected) health information.
Curbing these illegal tactics to access data — phishing, trolling, hacking, ransomware, spyware — should be at the forefront of the movement toward a more central role of data in the healthcare industry.
“Data security has become especially critical to the healthcare industry as patient privacy hinges on HIPAA compliance and secure adoption of electronic health records (EHR),” says Nate Lord at Digital Guardian.
Specific health information in electronic form is protected by a similar statute dubbed the Security Rule, and requires that HIPAA-covered entities:
- Ensure the confidentiality, integrity, and availability of all e-PHI (electronic patient health information) they create, receive, maintain, or transmit.
- Identify and protect against reasonably anticipated threats to the security or integrity of the information.
- Protect against reasonably anticipated, impermissible uses or disclosures.
- Ensure compliance by their workforce.
“With the proper data protection strategies and solutions in place, healthcare organizations and providers can share data securely both inside and outside the organization, manage privileged users, and comply with monitoring and reporting regulations,” says Lord.
These kind of strategies need to secure, and according to Lord, enable:
- PHI/e-PHI beyond the baseline requirements for HIPAA compliance
- Healthcare organizations to ensure the security and availability of PHI to maintain the trust of healthcare professionals and patients
- Meet HIPAA and HITECH regulations for access, audit, and integrity controls including data transmission and device security
- Maintain greater visibility and control of sensitive data throughout the organization
“Harnessing the full potential of data requires developing an organization-wide data science strategy,” writes Kathrin M. Cresswell, Ph.D., David W. Bades, MD, MSc, and Aziz Sheikh, BSc, MBBS, MSc, MD. “Such strategies are now commonplace in most industries such as banking and retail.”
However, in healthcare, data protection protocols are a bit different due to the very sensitive nature of the data. In the same article published earlier this year in NEJM Catalyst, the writer’s point out where organizations are falling short to “aggregate data effectively to gain insights into wider care processes.”
Without a sound strategy in place, it’s merely impossible for any healthcare organization to get its data (and there’s lots of it) organized in a strategic way for individual clinicians to put it to use.
A comprehensive strategy should include:
- Quality of underlying data
- Effective ways to analyze the data
- A framework for keeping the data secure
It’s simply dangerous to do it any other way.
A well thought out strategy should be able to be precise and calculated on predicting outcomes and identifying improvement areas.
“Organizations without an effective data science strategy may never realize returns on their investment in electronic health records (EHRs), may have disillusioned physicians, and may face potentially catastrophic security risks from inadequate data protection,” according to Cresswell, Bades, and Sheikh. “The stakes are high.”
According to NEJM Catalyst consider the following key components when sitting down to draft out your organization’s data protection strategy:
- Organization-wide data repository
- Data integration across sources
- Governance frameworks to ensure data security
- Use and reuse of data to improve care
- Organizational capacity development
For more tips on how to make the most out of the data that swirls around in the healthcare ecosystem — in the safest and most effective ways possible — join us next Tuesday for an interactive discussion with industry experts.