And, as the statistics show, one of the most successful paths to stealing that data is to dupe employees.
“Hackers are generally efficient – they look for the easiest path to exploit,” Berger said. “Unfortunately today, the weakest link is the employee population and their lack of security awareness. Phishing attacks are disturbingly successful. And it only takes one employee to get duped for the hacker possibly to gain their credentials and pivot to exploiting a database of PHI.”
Human weakness is not confined to the healthcare field, of course. But as Mattsson noted, “healthcare is unique in that there are a greater number of people who come in contact with sensitive information during the course of normal business operations than in other industries.”
Those can include office staff, nurses, interns, doctors, specialists, lab technicians, pharmacists, billing staff, insurance processors and more. Beyond that, medical records come in multiple forms, from lab test results to X-rays, prescription labels and more.
“So, when you combine the number of people involved with handling multiple forms of PHI records, along with the immaturity of the data security systems and practices that are in place, there are so many opportunities for mistakes or intentional breaches to take place,” Mattsson said.
Does that mean better training is the only path to better security?
Lieberman is dubious. “I'm not a big believer in security awareness training as an effective security countermeasure,” he said. “But having clear, one-page policies and enforcing them with employees, starting with the CEO, is an important piece of privacy protection.”
Berger said it comes down to the type of training. “We don't simply recommend cafeteria-style or even web-based training courses,” he said. “Real situational training is far more effective. We recommend running mock phishing attacks, also known as social engineering testing. It is important to run them regularly over time, to establish benchmarks on which you can then measure improvements.”
Delmar said she believes it requires both training and enforcement. “Improving human security really starts with policies and awareness training and ends with enforcement of appropriate risk-based controls,” she said.
And experts agree that “control of the data” can help mitigate the human weakness risk.
“Understand who needs certain information, when, and under which circumstances,” said Deena Coffman, CEO of IDT911 Consulting.
Mattsson offered a list of measures organizations can take, including:
- Fine-grained de-identification of both PII (Personally Identifiable Information) and PHI.
- Fine-grained tokenization of PHI, to remove the need for plain-text data, and its in-memory exposure, across the entire data flow.
- Strong credentials, including password improvement and rotation, plus separation of duties to prevent privileged users, such as database administrators or system administrators, from accessing sensitive data.
- Secure the data to the point that it is useless to a potential thief. “Modern solutions such as tokenization provide better security than encryption, while retaining usability for analytics and monetization,” he said.
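To make the tokenization and separation-of-duties points above concrete, here is an added Python sketch (not from the article or from any vendor mentioned in it): sensitive PHI fields are swapped for random tokens held in a vault, the same plaintext always maps to the same token so analytics queries still work on the tokenized copy, and only a designated role can map tokens back. The patient records and the role names are constructed for illustration.

```python
import secrets

# Constructed sample PHI records (fake data for illustration only).
RECORDS = [
    {"mrn": "MRN-001", "name": "Alice Example", "ssn": "123-45-6789", "dx": "J45"},
    {"mrn": "MRN-002", "name": "Bob Example", "ssn": "987-65-4321", "dx": "E11"},
    {"mrn": "MRN-001", "name": "Alice Example", "ssn": "123-45-6789", "dx": "E11"},
]

# Fields that never leave the vault in plaintext; "dx" stays usable for analytics.
SENSITIVE = ("mrn", "name", "ssn")


class TokenVault:
    """Holds the only mapping between PHI values and their tokens.

    The analytics database stores tokens only; a thief who copies it gets
    values that are useless without the vault.
    """

    def __init__(self):
        self._fwd = {}  # (field, plaintext) -> token
        self._rev = {}  # token -> plaintext

    def tokenize(self, field, value):
        key = (field, value)
        if key not in self._fwd:
            # Random token: nothing about the plaintext can be derived from it.
            tok = f"{field}:{secrets.token_hex(8)}"
            self._fwd[key] = tok
            self._rev[tok] = value
        return self._fwd[key]

    def detokenize(self, token, role):
        # Separation of duties: DBAs and analysts cannot reverse tokens.
        # "clinician" is an assumed role name for this example.
        if role != "clinician":
            raise PermissionError("detokenization restricted to the clinician role")
        return self._rev[token]


def tokenize_record(vault, record):
    """Return a copy of the record with every SENSITIVE field replaced by its token."""
    return {k: vault.tokenize(k, v) if k in SENSITIVE else v for k, v in record.items()}


def count_patients_by_dx(tokenized_records):
    """Analytics on tokens only: distinct patients per diagnosis code."""
    patients = {}
    for rec in tokenized_records:
        patients.setdefault(rec["dx"], set()).add(rec["mrn"])
    return {dx: len(mrns) for dx, mrns in patients.items()}
```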
However it is done, better security is crucial because the stakes are high. Besides potential fines for violations of the Health Insurance Portability and Accountability Act (HIPAA), Berger noted that the costs of a breach can include “remediation, legal fees, reputational harm, and potential class-action liability.”
There is general support among experts for strict regulatory oversight – Lieberman said he thinks it ought to be, “enforced with random pop site visits with zero tolerance for infringement.”
And Delmar said stiff penalties for noncompliance, “can help get the attention of executives to see the value of making investments in security and risk management programs and monitoring systems.”
But Morris Panner, CEO of DICOM Grid, contends that HIPAA’s mixed messages leave organizations, “paralyzed for fear of committing an unwitting violation.
“On the one hand, we are encouraged to digitize health information, which makes it easier to share. On the other, we are penalized if we make errors in how we share information.”
Panner argued that regulators, “need to create appropriate safe harbors for sharing information.” The balance between sharing and securing information is hard, he acknowledged, “but right now we aren’t even trying.”