05.22.2018

Protecting Your Patient’s PHI Data

For healthcare, there’s never been a more urgent time to reassess your cybersecurity and identity and access management strategy. Until recently, protected health information (PHI) was the most valuable merchandise on the Dark Web. According to the Institute for Critical Infrastructure Technology (ICIT), complete healthcare records were going for $75 to $100 at the height of demand. In fact, there’s so much PHI on the market now that the ICIT says prices have plummeted by about half.

But even at half-price, PHI can earn a hacker more than 10 times the price of financial data. PHI is desirable because it has a much longer shelf life than financial data, and its loss is not so easily discovered. Last year, ICIT reported that healthcare organizations took an average of 308 days to discover they had been breached.

A hacker is looking for access to privileged accounts. If he/she gets them, then finding the breach becomes extremely difficult, because administrators have extensive abilities to cover their tracks. That’s why protecting privileged accounts and confidential data is a good starting point.

Never underestimate your cyber-enemy and their malware. They are patient, and will likely suffer no ill consequences even if they are caught.

Let’s take a look at a few tactics they use to breach your data:

  • Phishing – These are high-severity attacks.
  • Insider threats – The best firewalls in the world don’t necessarily protect you from disgruntled employees and rogue administrators.
  • Human misconfiguration – Up to 75% of security breaches result from misconfigurations, that is, human error made by your staff.
  • Poorly secured web and/or SaaS apps – There’s simply not enough time or onsite expertise to verify or fix apps that are not properly secured or have too much access.

Healthcare companies report that the most significant barriers to their security programs are:

  1. Budget
  2. Staffing
  3. Skillsets

Healthcare Is Hit Hardest By Insider Threats

Healthcare organizations are particularly vulnerable to insider threats because of the large numbers of people who need access to their systems and the value of the data they possess. In fact, the Protenus Breach Barometer revealed that insider threats are responsible for 25 percent of security incidents at healthcare organizations, a rate far higher than that experienced by the financial sector (5 percent) or manufacturing industry (4 percent).

Insiders may not be employees, or even be on the healthcare organization’s property. Healthcare organizations need to allow patients, vendors, and third-party business partners to access their data stores. Those with direct access to PHI will be subject to HIPAA and business associate (BA) requirements, but many parties may have incidental access and not be covered. For instance, a BA vendor may offshore some of its work to a foreign entity that isn’t covered by or knowledgeable about HIPAA, but the healthcare organization that hired the BA is still responsible for protecting that data.

Be sure to read part two of our PHI series where we will cover ways to defend PHI data and mitigate attacks. For more information about how our Identity Access Management solutions can help your organization, contact us today.
