When the healthcare industry began the transition from paper to electronic records, and later invested in it more heavily, there were quite a few ripple effects, from increased patient engagement to improved efficiency. Some of the consequences, however, have been negative.
One of those, according to David Ting (CTO and Co-Founder, Tausight), is that “it caused us to let our guard down” from a data security standpoint. Before EHRs came along, “loss of patient records was never an issue,” he said during a recent discussion. Among other reasons, it is far more noticeable when thousands of pounds of paper leave a hospital or office than when an unencrypted laptop holding tens of thousands of records does.
Now, “you could lose millions of records on a thumb drive and not even notice it.”
It’s downright scary for patients and providers. For leaders, however, it’s unacceptable, he noted. “There has to be prioritization. And that means taking all of the necessary cyber-hygiene steps to take care of patient records.”
Unfortunately, that does not seem to be the case, according to findings from recent research conducted by the Ponemon Institute, which Ting and Larry Ponemon, PhD, discussed during the webinar.
Statistically speaking
What they found is that the current technology stack doesn’t quite stack up — particularly when it comes to protecting ePHI.
Below are some findings from the report:
- Healthcare organizations experienced an average of 74 cyberattacks in the past two years. Nearly half (47 percent) of respondents said these cyberattacks resulted in the loss, theft or breach of PHI.
- 58 percent said their organization is unable to determine how much PHI exists outside the EHR, where it is, and how it’s being accessed.
- 55 percent said the organization is at risk due to the excessive presence of PHI across the data center, endpoints, and email accounts.
Clearly, the tools being widely utilized “have difficulty protecting the enormous amount of PHI across these systems,” said Ponemon, who cited cloud migration and collaboration tools as some of the factors leading to higher security risks. “They’re not improving visibility to PHI.”
Organizations are also not acting quickly enough after an incident, according to the report, which found that it can take 80 days to recover data and remediate the consequences of a breach. The time required to assess the impact and fully disclose the breach was estimated at 76 days.
“These are large numbers,” noted Ponemon. And with health systems dealing with “constant leakage,” it has become imperative to take things up a notch. “There has to be more accountability.”
The challenge is that many organizations, particularly rural or smaller facilities, lack both the in-house expertise needed to manage PHI and the budget needed to invest in technologies.
Maintain visibility
To Ting, however, that simply isn’t acceptable. “This is healthcare. Patients are trusting you with their care,” he said. Instead of adopting a ‘cross that bridge when you get to it’ approach, “there has to be a more conscientious effort to treat patient records as critically as we treat patients. There has to be a higher sense of responsibility.”
In addition, with the average cost of a breach hovering around $10M, it’s fiscally wise to invest in a better defense system, he stated. “When you see the size and scope of some of these breaches, you think, ‘that should’ve been stopped. They should’ve had better visibility.’”
Particularly in the healthcare environment, where records play such a critical role, not knowing for sure where data is being stored, who is using it and how can be extremely detrimental. “Getting visibility into all of that is really important,” Ting said. Without it, “your vulnerability increases.”
Tausight’s role
This is where Tausight can make an impact, he said, noting that the company was established to help cybersecurity teams isolate and identify PHI, especially in its unstructured form. “As we scrub machines, we find tons of sensitive data lying around. That has to be a priority.”
And yet, in the survey — which drew responses from more than 500 cybersecurity stakeholders — just 30 percent said their organizations have significant visibility into PHI located in the data center and endpoints.
According to Ting, that’s not going to cut it. “You’re counting on access controls and permissions you set on your computer systems to secure that,” he said. “We know admin credentials can be compromised and user credentials can be phished.” And even if just 5 to 7 percent of phishing attempts are successful, that can lead to significant loss, especially when users carry as many as 30,000 stale records in their accounts. “All of these are things we can reduce through better hygiene and more awareness.”
Tausight’s platform, he said, leverages a patented algorithm to find ePHI on devices, data stores, and cloud assets, and can be integrated with other systems to more effectively safeguard data. This is especially important, he added, because healthcare has the longest dwell time of any vertical, meaning attackers can do a lot of data reconnaissance before their presence is even detected.
Reducing the surface
“We need to be better at tracking so we can reduce that surface area,” he said. “That goes back to: what’s my retention policy? How do I get to a least user privileged model so that I don’t have large-scale sharing of certain accounts or large-scale access by administrators?”
Without visibility, “you have nowhere to start,” Ting noted, which can be very problematic. “What’s my riskiest machine? Is it the laptop sitting on someone’s desk? Is it that desktop machine being used in the hallway?” On the other hand, having knowledge and visibility can help security teams understand where the biggest risks lie and prioritize accordingly.
Put simply, “you have to know where sensitive data live. You have to be accountable for whether everything is encrypted or follows the NIST framework,” he said. “And you need to treat data assets like physical assets.”
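As an added example of what “know where sensitive data live” looks like in practice, the following Python script scans a set of documents for likely PHI indicators, scores each file, ranks the hosts they were collected from (answering “what’s my riskiest machine?”), and lists PHI-bearing files that are older than a retention window. It is illustrative code written for this page, not Tausight’s product or patented algorithm. The detectors (US SSNs checked against the SSA’s structural rules, a hypothetical eight-digit MRN written after “MRN”, and dates following “DOB”), the per-hit weights, the 365-day retention window, and the hostnames, paths and file contents in the sample corpus are all assumptions constructed for the example.

```python
import os
import re
from dataclasses import dataclass

# Hypothetical detectors (assumption: MRNs are 8 digits and follow the token "MRN").
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
MRN_RE = re.compile(r"\bMRN[:#\s]*(\d{8})\b")
DOB_RE = re.compile(r"\bDOB[:\s]*(\d{4}-\d{2}-\d{2})\b")

# Per-hit weights (assumption): an SSN is worse than an MRN, an MRN worse than a DOB.
WEIGHTS = {"ssn": 10, "mrn": 5, "dob": 3}
RETENTION_DAYS = 365   # assumed retention policy
DAY = 86_400


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area not 000/666/9xx, group not 00, serial not 0000.
    Rejects common false positives such as ticket numbers and placeholders."""
    return not (area in ("000", "666") or area.startswith("9")
                or group == "00" or serial == "0000")


def find_phi(text: str) -> dict:
    """Count likely PHI indicators in one document."""
    ssns = [m for m in SSN_RE.finditer(text) if valid_ssn(*m.groups())]
    return {"ssn": len(ssns),
            "mrn": len(MRN_RE.findall(text)),
            "dob": len(DOB_RE.findall(text))}


@dataclass
class Finding:
    host: str
    path: str
    mtime: float        # epoch seconds of last modification
    counts: dict

    @property
    def score(self) -> int:
        return sum(WEIGHTS[k] * n for k, n in self.counts.items())


def scan_documents(docs) -> list:
    """docs: iterable of (host, path, mtime, text). Returns Findings with at least one hit."""
    out = []
    for host, path, mtime, text in docs:
        counts = find_phi(text)
        if any(counts.values()):
            out.append(Finding(host, path, mtime, counts))
    return out


def scan_directory(root: str, host: str) -> list:
    """Real-world entry point: read text files under root on this host and score them."""
    def docs():
        for dirpath, _, names in os.walk(root):
            for name in names:
                p = os.path.join(dirpath, name)
                try:
                    with open(p, encoding="utf-8", errors="ignore") as fh:
                        yield host, p, os.path.getmtime(p), fh.read()
                except OSError:
                    continue
    return scan_documents(docs())


def rank_hosts(findings) -> list:
    """'What is my riskiest machine?': total PHI score per host, highest first."""
    totals = {}
    for f in findings:
        totals[f.host] = totals.get(f.host, 0) + f.score
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def stale_findings(findings, now: float, retention_days: int = RETENTION_DAYS) -> list:
    """PHI-bearing files older than the retention window: candidates to delete or archive."""
    return [f.path for f in findings if now - f.mtime > retention_days * DAY]


# Constructed sample corpus (fictitious hosts, paths and values, not real patient data).
NOW = 1_700_000_000
SAMPLE_DOCS = [
    ("clinic-laptop-07", "C:/Users/rn/Desktop/discharge_export.csv", NOW - 400 * DAY,
     "name,ssn,dob\nJane Roe,123-45-6789,DOB 1971-03-02\nJohn Roe,456-78-9012,DOB 1964-11-30\n"),
    ("hallway-desktop-02", "C:/ProgramData/notes.txt", NOW - 10 * DAY,
     "Follow-up for MRN 00012345; referral sent for MRN#00067890."),
    ("admin-ws-01", "C:/tmp/readme.txt", NOW - 5 * DAY,
     "No patient data here. Ticket 000-12-3456 is a helpdesk ID, not an SSN."),
]

if __name__ == "__main__":
    found = scan_documents(SAMPLE_DOCS)
    for host, score in rank_hosts(found):
        print(f"{host}: risk score {score}")
    print("past retention:", stale_findings(found, NOW))
```

On the sample corpus the laptop carrying a year-old discharge export ranks first, the hallway desktop second, and the admin workstation drops out entirely because its “000-12-3456” fails the SSN structure check. Pattern matching of this kind is a starting point for visibility, not a substitute for a real discovery product: it misses PHI without a recognisable identifier, and the weights and retention window have to come from the organization’s own policy.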
Or perhaps, conduct your security program with even more vigilance, given the nature of cyberattacks. “You can always rebuild a computer; you can’t rebuild your data,” Ting concluded. “You can’t pull it back once it’s stolen. That’s what we need to think about if we’re really caring about how we treat our patients.”
An archive of this webinar, Exploring the ePHI Cyber Crisis & How to Fix It (Sponsored by Tausight), is available.