Security breaches in healthcare are rampant. Just one month into 2019 and the Office for Civil Rights (OCR) already has plenty of new Health Insurance Portability and Accountability Act (HIPAA) compliance violations to investigate. The well-known ‘wall of shame’ data breach portal shows that in January alone more than 350,000 individuals have had their protected health information (PHI) compromised by a data breach. The reported causes of these healthcare security breaches are: hacking, theft of lost/stolen devices, unauthorized access/disclosure, and improper disposal.
The Cost of a Healthcare Data Breach
Healthcare IT security continues to be a growing issue. Not only has the number of victims increased, so has the cost to those involved. According to Ponemon Institute, healthcare data breach costs are the highest of any industry at $408 per record. In 2018, we saw the largest fine ever handed out by the OCR since they began enforcing HIPAA compliance when health insurer Anthem Inc. was ordered to pay $16 million in October.
Why is healthcare hit so hard? Healthcare is data and all of it – personal, familial and financial information – is highly valued by cyber criminals. Add to that the organizations themselves are typically large, distributed, and often encumbered by legacy systems and/or inadequate security budgets, making them an easy target in too many cases.
Faced with these and other challenges, it is increasingly important that healthcare organizations make the most of their security investments. But that doesn’t that mean layering on every new tool is the right answer —for strong security or for compliance. Many organizations wrongly assume that deploying a host of security technologies inevitably ensures compliance when, in reality, the safer bet is to start with the data and knowing where it resides.
The Burden of Proof for HIPAA Compliance
To be HIPAA compliant, the Department of Health and Human Services (HHS) requires that covered entities specify “technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals,” through either encryption and/or destruction. It falls to healthcare organizations to supply proof of data encryption or proof of destruction in order to avoid being liable for non-compliance.
The challenge is that you can’t secure (in this case encrypt) or validate for devices you can’t see. Visibility into the health and efficacy of your endpoints is a key element in remaining HIPAA compliant. Identifying all of your endpoints —even those that are inactive — also happens to be the starting point to a solid security program too.
Devices are re-imaged, users disable apps, registry files become corrupted, and devices leave the protection of the network. All of these ‘dark’ devices remain outside the control of IT, posing a significant threat to data security and HIPAA compliance. Moreover, in the event of a security incident, these devices may no longer have the technology needed to prevent the incident from escalating to a full-scale data breach.
Would you be able to validate your data security at the exact moment of an incident? Quantify the extent of your organization’s dark endpoint problem by starting with this free assessment. And, if you would like more information on effective steps to protect your healthcare data, watch this webinar with Absolute and SANS Institute, 7 Steps to Protecting Data in the Era of Digital Care.