Personal health information (PHI) is among the most sensitive data stored by any organization. It is classified by the GDPR as “special category” data which must be treated with greater care as it could create “significant risks to the individual’s fundamental rights and freedoms.” This puts extra pressure on healthcare organizations (HCOs)—not only to comply with laws like the EU GDPR and HIPAA in the US, but to optimize security in order to protect and deliver successful digital transformation initiatives.
However, their job is made increasingly challenging by the growing threat from malicious third parties. In this context, protecting data at source is way more than a nice-to-have. It should be top of the CIO’s to-do list.
Protecting digital transformation
Western HCOs are in a tricky position. Still struggling to clear COVID-era appointment backlogs and cope with the pressures of an ageing population, their resources are increasingly stretched. That makes IT modernization efforts more important than ever to enhance staff productivity, process efficiencies and the patient experience. But serious data breaches and other cyber-threats can delay and derail critical digital transformation projects.
Unfortunately, as HCOs turn to digital to improve patient care, they may unwittingly open the door to threat actors by expanding the cyber-attack surface. Compromised user credentials are an ever-present risk. One analysis of log-ins for sale on the dark web found that HCOs had the highest average number of stolen credentials per company (485).
Given how easy it is to use these credentials to compromise a healthcare IT system, it’s perhaps not surprising that threat activity is surging in the sector. According to a report on the healthcare industry from EU security agency ENISA, between January 2021 and March 2023, ransomware (54%) and “data-related threats” (46%) were the top two health sector threats in the region. Yet even ransomware today contains an element of data risk, as most groups use “double extortion” techniques whereby they first steal sensitive data to hold to ransom, before encrypting it. Unfortunately, only 27% of surveyed HCOs have a dedicated ransomware defence program, ENISA said. Patient data, including electronic health records (EHRs), were the most targeted assets (30%).
Things aren’t much better in the US. In 2022, there were 707 data breaches of 500 or more records, second only to the all-time high of 717 a year previously. Nearly 52 million health records were compromised as a result, including 11 data breaches of more than one million records and a further 14 data breaches of over 500,000 records.
Counting the cost
All of this comes at a tremendous financial and reputational cost to the organizations affected. IBM calculates that the sector experiences the highest cost per data breach of any vertical: $10.9m, versus an average of $4.45m across all sectors. This is money that could be much better spent delivering improved outcomes for patients.
Worse still, data breach incidents can lead to serious system outages which could last for several weeks. This is a major risk to patient care. In one study, researchers found data breaches resulted in an increase in 30-day mortality rate for heart attacks that translated to 36 additional deaths per 10,000 heart attacks annually.
Security starts with data
In this context, it’s vital that HCOs improve their cybersecurity—not just to avoid risk but to deliver digital transformation more successfully, for better patient care. But given the continued compromise of credentials and the relatively large cyber-attack surface that many healthcare IT teams must defend, it’s not practical to focus efforts on the network perimeter. Better monitoring of internal network traffic would help, but resources are limited and not all solutions are fit for purpose.
A more effective approach is to protect what really matters, the PHI itself, so that even if networks are compromised, the threat actors can’t do anything with the information they’ve accessed. This would also help to reduce the recovery time and cost, and ultimately limit the impact on patient care.
That’s why comforte recommends solutions like its Data Security Platform, which:
- Automatically and continuously discovers and classifies data, including PHI, wherever it is in the organization
- Offers a variety of technologies to protect that data, including format-preserving encryption (FPE) and tokenization
- Supports all major cloud platforms
- Can scale to support larger data volumes as the business grows
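As an added illustration of the tokenization approach named in the list above (example code written for this page, not comforte's product or its API): a vault-based tokenizer replaces each sensitive field with a random token of the same shape (digits stay digits, letters stay letters, separators are kept), so a record copied out of a compromised application database carries no usable PHI, and only the separately protected vault can map tokens back. The record, field names and values below are constructed sample data, not real patient information.

```python
import re
import secrets
import string

# Constructed sample record: fictitious values, not real patient data.
SAMPLE_RECORD = {
    "patient_id": "48213907",
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "diagnosis": "E11.9",  # left in clear here; which fields are sensitive is a policy decision
}
SENSITIVE_FIELDS = {"patient_id", "name", "ssn"}


def shape(value):
    """Describe the format of a value: letters -> 'A', digits -> '9', rest unchanged."""
    return re.sub(r"[0-9]", "9", re.sub(r"[A-Za-z]", "A", value))


class TokenVault:
    """Vault-based tokenization.

    Tokens are random, so they reveal nothing about the original value;
    the only link between token and value is the mapping held in the vault.
    Tokens are scoped per field so the same value in two fields gets
    independent tokens. Tokenization is deterministic within a field so
    joins on a tokenized column still work.
    """

    def __init__(self):
        self._to_token = {}  # (field, value) -> token
        self._to_value = {}  # (field, token) -> value

    @staticmethod
    def _random_same_shape(value):
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
                out.append(secrets.choice(pool))
            else:
                out.append(ch)  # separators such as '-' or ' ' are preserved
        return "".join(out)

    def tokenize(self, field, value):
        if not any(ch.isalnum() for ch in value):
            raise ValueError("nothing to tokenize in %r" % value)
        key = (field, value)
        if key in self._to_token:
            return self._to_token[key]
        while True:
            token = self._random_same_shape(value)
            # Avoid collisions with existing tokens and the trivial token == value.
            if token != value and (field, token) not in self._to_value:
                break
        self._to_token[key] = token
        self._to_value[(field, token)] = value
        return token

    def detokenize(self, field, token):
        """Reverse a token. Raises KeyError for tokens this vault never issued."""
        return self._to_value[(field, token)]


def protect_record(vault, record, sensitive_fields):
    """Return a copy of the record with sensitive fields tokenized."""
    return {k: (vault.tokenize(k, v) if k in sensitive_fields else v) for k, v in record.items()}


def reveal_record(vault, record, sensitive_fields):
    """Return a copy of a protected record with sensitive fields restored."""
    return {k: (vault.detokenize(k, v) if k in sensitive_fields else v) for k, v in record.items()}


if __name__ == "__main__":
    vault = TokenVault()
    protected = protect_record(vault, SAMPLE_RECORD, SENSITIVE_FIELDS)
    print("stored in the application database:", protected)
    print("restored via the vault:", reveal_record(vault, protected, SENSITIVE_FIELDS))
```

A standalone FPE scheme such as NIST FF1 achieves the same format preservation with a keyed cipher instead of a lookup table, which removes the vault as a component but makes key protection the critical control; either way, the point is that what sits in the application store is not PHI.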
PHI is highly monetizable, often combining financial, personal and potentially embarrassing medical details. That means it will remain a popular target, and important digital initiatives will remain imperilled. Against this backdrop, data-centric security is the best way for healthcare leaders to protect what they have, and build for tomorrow.