
Small healthcare data breach, big impact

In 2016 we have seen more than 42 healthcare data breaches, and those are only the ones that were reported. For example, you probably did not hear about the small breach at Catholic Health Care Services of the Archdiocese of Philadelphia. In 2014, the information of more than 400 residents was exposed when a phone was stolen, and few people knew anything about it until the organization agreed to a $650,000 settlement in August 2016.

As the number of incidents goes up, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) wants to increase the number of cases it investigates. Until recently, OCR did not publicly list or routinely investigate breaches affecting fewer than 500 people, but now it is changing its tune.

Taking a more aggressive stance against breaches will not only help those hurt by each specific incident, but it will also teach other health organizations how they can better protect themselves. In the meantime, how can you make sure your company doesn’t end up on the OCR’s ever-growing list? Here are the questions you need to be asking:

Do you know what you’re trying to protect?

To safeguard the health records in your possession, you need to know exactly what is in that data. Patients’ information can include anything from Social Security and credit card numbers to insurance information and, of course, health information such as biometric data.

It’s also important to know who has access to which information and when. Knowing this is a key factor in ensuring compliance and preventing a catastrophic breach.
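Knowing what is in your data means actually looking inside it rather than trusting field names. The following is an added example, not code from the original article or from DataGravity, that scans free-text records for the identifier types named above (Social Security numbers, payment card numbers, insurance references) and builds an inventory of which categories appear. The sample records are constructed for illustration and are not real patient data; the Luhn check keeps order numbers and other digit runs from being counted as card numbers.

```python
import re
from collections import Counter

# Constructed sample records (not real patient data): free-text fields as
# they might appear in an export of a care facility's resident files.
SAMPLE_RECORDS = [
    "Resident: J. Doe, SSN 123-45-6789, insurer BlueCross policy BC-99812",
    "Billing card on file: 4111 1111 1111 1111 exp 09/27",
    "Order ID 1234-56-7890 (not an SSN), vitals: BP 120/80, glucose 98",
    "Card declined: 4111 1111 1111 1112",  # fails the Luhn check, must not be flagged
]

# SSN in the common dashed form; the lookaheads reject area 000/666/9xx,
# group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Candidate payment card number: 13 to 19 digits with optional space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Crude insurance-reference keywords; a real classifier would use payer-specific formats.
INSURANCE_RE = re.compile(r"\b(insurer|policy|member id)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (mod 10). Valid card numbers pass; random digit runs mostly do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(record: str) -> set:
    """Return the set of sensitive-data categories found in one record."""
    found = set()
    if SSN_RE.search(record):
        found.add("SSN")
    for m in CARD_RE.finditer(record):
        digits = re.sub(r"\D", "", m.group())
        # Length check again after stripping separators, then Luhn.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("PAN")
    if INSURANCE_RE.search(record):
        found.add("INSURANCE")
    return found


def inventory(records) -> dict:
    """Count how many records contain each category; this is the 'what are we protecting' list."""
    counts = Counter()
    for r in records:
        for category in classify(r):
            counts[category] += 1
    return dict(counts)


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(sorted(classify(r)), "<-", r)
    print("inventory:", inventory(SAMPLE_RECORDS))
```

Run against a real export, the inventory tells you which stores hold SSNs or card numbers and therefore which ones need encryption, access logging and inclusion in your HIPAA risk analysis. The patterns are deliberately conservative; a production scanner would add insurer-specific member ID formats and medical record number formats for your own systems.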

Are you in compliance?  

Maintaining compliance isn’t always easy. Make sure you and your team are well versed in the rules and regulations that are in place to secure your data.

Many healthcare organizations are deploying independent systems to verify that they comply with the Health Insurance Portability and Accountability Act (HIPAA) and other industry regulations. To reduce risk, keep your team on the same page and set written guidelines that will help you stay on track.

Who else is responsible for security?

According to a recent CIO article from Paddy Padmanabhan, “health systems have been tightening up IT security in the wake of unprecedented data breaches in 2015 and 2016, prompting hackers to focus on the next layer of vulnerability — BAs [business associates].” Vendors, or business associates, of healthcare providers pose a significant threat. Often overlooked, they also have access to sensitive data that can easily be exposed. The organization and its BAs must work together in the security ecosystem to ensure customers are protected.

To keep your company off the OCR’s list of healthcare breaches, ask your team these three questions. The answers can help you prepare a security plan that will keep you, your customers and their data safe.

Andrew Hay

With over 15 years of data security experience in various roles inside organizations as well as advising them, Andrew serves as the chief information security officer at DataGravity. He is responsible for the development and delivery of the company’s comprehensive data security strategy. Prior to DataGravity, Andrew was the director of research at OpenDNS (acquired by Cisco) and the director of applied security research and chief evangelist at CloudPassage.