The healthcare industry has changed significantly of late. The increasing affordance of medical technology has simplified patient care by providing in-depth analytical metrics and lifesaving services. However, the increasing digitization of the healthcare sector has also made it a frequent target for cybercriminals. In an age where data has been dubbed the ‘new gold’, personal health information (PHI) has immense value due to its substantial biographical detail. Between the news of increasing COVID-19-related deaths, stressful lockdown situations, furloughed workers, and rising unemployment, the last thing that healthcare businesses need to deal with is a cyberattack.
It is for this reason that enterprises operating within the healthcare vertical are subject to additional regulatory frameworks. The most prominent of these statutes is the Health Insurance Portability and Accountability Act (HIPAA), which mandates a national standard for protecting crucial health information by addressing the technical and non-technical safeguards that organizations must put in place to secure individuals’ “electronic protected health information”. Furthermore, there’s a law called the “Public Readiness and Preparedness Act” (aka PREP Act), which protects businesses from lawsuits and other product-liability claims when they step up to help make products that are in dire need, such as medical supplies or personal protective equipment (PPE), during a pandemic.
In addition to the PREP Act, there needs to be a law that adds a legal protection layer for businesses and organizations from cyberattacks that happen during a pandemic. The law should increase and enforce the maximum penalty that a bad actor or hacker may receive if they engage in attacks that negatively impact an organization during such unprecedented events.
The stakes are high. In the Magellan Ransomware Attack of April 2020, exfiltrated records included personal information such as names, addresses, Social Security numbers, or Taxpayer IDs. Exposing this level of personal detail may have long-term impacts on individuals, not to mention possible delays in medical service at a time when every moment matters during the pandemic. If this data were anonymized, the unauthorized actor would have exfiltrated valueless data – nothing that would warrant a data breach notification to go out to hundreds of thousands (or millions) of individuals.
Of course, organizations can become more secure by deploying modern security technology to protect sensitive data. Anonymizing or pseudonymizing sensitive data with protection methods like tokenization, format-preserving encryption or data masking is one way organizations can make themselves less of a target for unauthorized actors. Compliance requirements for data privacy laws and data security standards – including GDPR, CCPA, PCI DSS, HIPAA – all require some form of sensitive data protection, so by deploying a comprehensive data security strategy, organizations can better protect and prioritize data across the board.