Insiders are Putting Patient Data in Healthcare Technology at Risk

Despite the numerous data protection laws that govern the healthcare industry, which include HIPAA, PCI-DSS and GDPR, the number of data breaches continue to rise. This is probably no surprise to anyone, as healthcare service providers typically employ hundreds of thousands of staff members and hold vast amounts of confidential patient data across multiple platforms.

Of course, it’s not that healthcare employees are bad, but with so many employees and so much data, it’s only a matter of time until someone either accidentally leaks sensitive data or decides to access the data for more nefarious reasons.

According to a report by Verizon, 58% of security incidents in healthcare involved insiders. Perhaps a more alarming statistic is that one in five healthcare provider employees admit they would be willing to sell confidential patient data, according to a survey by Accenture.

At the end of the day, healthcare service providers need to step up their game when it comes to protecting their patients’ data, and it’s not just for the sake of the consumers, but also for themselves. After all, employees who inappropriately access or share confidential patient data may lose their jobs or professional licenses, be subject to fines, and even face time in jail.

On top of which, organizations who fail to comply with HIPAA, can be subject to fines up to $50,000 per violation, and as much as $500,000 per month for failing to comply with PCI DSS. And let’s not forget about GDPR, with maximum fines of €20 million (or 4% annual global turnover).

How can Healthcare Service Providers Improve Their Security Posture?

On-boarding: All employees and contractors must be subject to rigorous background checks to ensure that service providers know who should, and shouldn’t, have access to certain types of information (e.g. PHI, PCI, PII).

Security awareness training: All employees should be subject to at least a basic level of security awareness training. They must be trained to comply with the relevant regulations, and this training should be carried out at least once a year.

Restrict access to sensitive data: Access to sensitive data should be restricted based on the “principal of least privilege”, which stipulates that employees are only granted access to the data they need to adequately carry out their duties.

Network segmentation: Segregating parts of the network based on the type of data they store will make it a lot easier for service providers to keep their data secure.

Monitor user behavior: Service providers must have a means by which to detect, alert and report on suspicious user behavior. Using a sophisticated Data Security Platform that employs a DCAP strategy (Data-Centric Audit & Protection), organizations can monitor changes to access rights, files, folders, mailbox accounts, and more. Should an employee attempt to inappropriately access data, the administrators should be alerted in real-time, and be able to carry out a forensic investigation into who, what, where and when, the suspicious event(s) took place.

Only store data you absolutely need: Naturally, one of the best ways to avoid a data breach is to not store sensitive data in the first place. While is it often necessary to obtain information from patients, there are tools which can be used to help minimize the amount of data the providers need to store. For example, dual-tone multi-frequency (DTMF) masking solutions can be used to process credit card payments over the phone. Customers can enter their card number using their keypad, and the DTMF will mask the digits in real-time to ensure that the call center operative cannot record the number.

As the mantra goes, “security starts with data!”. In order to avoid lawsuits, costly fines and reputational damage, healthcare providers must focus more on the data itself. They need to know exactly what data they have, where the data is located, why they need it, and have an immutable record of when/why the data was accessed, and by who.