Data security in healthcare
31 May 2021
Data breaches in healthcare - a cause for concern
The healthcare industry is no stranger to cyber attacks and security breaches. In fact, according to IBM and the Ponemon Institute, biotech and pharma companies in particular suffer more data breaches than any other industry. The scary part is that a whopping 53% of them result from malicious activity. Their recent study also found that the average cost of a data breach in the pharmaceutical industry was $5.06 million, behind only the broader healthcare industry and the energy and financial sectors.
COVID-19 ushers a new era of security breaches
With the arrival of COVID-19, and the urgency to develop tests, vaccines, and therapies, data breaches have skyrocketed. While the pharmaceutical industry did indeed make COVID-19 breakthroughs at an astounding rate, the number of confirmed data breaches also increased by a staggering 58% over the same period.
The undeniable truth is that the pandemic has put the entire healthcare industry more firmly in the crosshairs of cyber criminals and state-sponsored hacking groups, which is giving rise to more data breaches:
- In July 2020, the UK’s National Cyber Security Centre (NCSC) helped to expose Russian attacks on COVID-19 vaccine development.
- In October 2020, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning advisory to pharmaceutical companies and research institutions, highlighting the need to improve IT security in order to mitigate data breaches.
- In December 2020, at least six pharmaceutical companies in the US, UK and South Korea that were working on COVID-19 treatments were targeted by North Korean hackers, according to the Wall Street Journal.
Now more than ever, healthcare data is lucrative
The reason for the increase in attacks is obvious: pharmaceutical companies develop highly lucrative intellectual property (IP) and handle large amounts of patient and healthcare data. This makes them prime targets for criminals looking to compromise, steal and exploit that data.
The challenges facing these large organisations are compounded by the fact that the healthcare industry operates across multiple locations and has complex relationships with hospitals, governments, healthcare providers, suppliers and distributors, all of whom need real-time online access to systems and data whose handling is strictly controlled by regulation.
The state of data security in healthcare
The 2021 Healthcare Data Risk Report by cyber security company Varonis examined the state of data security in healthcare organisations including hospitals, biotech and pharmaceutical firms. It analysed a random sample of Data Risk Assessments from 58 companies, covering a total of 3 billion files, to determine how healthcare data is exposed and at risk.
Varonis found that nearly 20% of all healthcare files are open to every employee, and that the average healthcare organisation has 31,000 sensitive files that are open to everyone, including files that hold HIPAA-protected information, financial data and proprietary research.
This exposed data comes in two forms. First, structured data is the type of information that can be stored in traditional databases composed of columns and rows, such as a customer or trials database holding names, addresses and telephone numbers. Unstructured data, on the other hand, is everything else, from email trails and chat logs to reports, presentations, image libraries and videos. In fact, most of the data that exists is unstructured.
Compounding these problems is the healthcare industry’s love of spreadsheets, as highlighted by the UK’s track and trace problems. This is a concerning data security problem: the healthcare industry holds more highly sensitive data than most, yet that data is weakly protected.
How can the healthcare industry prevent data breaches?
It’s simple really: stop focussing on the perimeters (they’re clearly not working) and focus on the data. Allow me to explain. Traditionally, we have tried to prevent data breaches by using multiple layers of security to prevent access. It sounds good in theory, but the relentless flow of headlines about successful cyber attacks and data breaches in the healthcare industry proves that it’s not working. As the Varonis report shows, any given data file is likely to be accessible by staff who have no reason to see that information.
So, if we cannot keep the cyber criminals out, nor trust the people around us, we need to rethink the traditional 'castle and moat' methods of data security and adopt a data-centric approach whereby security is built into the data itself.
The typical full disk encryption methods that healthcare organisations use do protect structured and unstructured data, but only while it is at rest on a hard disk or USB stick that is powered off. This is great if you lose your laptop, but sadly full disk encryption is of absolutely no use in protecting data against unauthorised access or theft from a running system, where the operating system transparently decrypts every file for whoever can read it. Data needs to be protected not only at rest, but also in transit and in use, whether on-site or in the cloud.
To truly prevent security breaches in healthcare, ALL data needs to be protected
Contrary to mainstream belief, it’s also not just the ‘sensitive data’ in the healthcare industry that needs protecting. While data classification technology is often used to identify ‘important’ or ‘sensitive’ data, we believe ALL data in the healthcare industry is sensitive, and that using data classification to drive security policy is a waste of time.
This might actually be a relief to many healthcare professionals, as the 2020 IBM and Ponemon report showed that 67% of respondents said discovering where sensitive data resides in the organisation is the number one challenge in planning and executing a data encryption strategy.
There’s a better way to prevent security breaches
The problem is that there’s a misconception that data encryption is complex, costly and detrimental to performance and productivity. This is an outdated sentiment that desperately needs to be changed.
SecureAge is setting the way forward by making data classification for security irrelevant and protecting ALL data, structured and unstructured, in all states. With our encryption technology, the SecureAge Security Suite, ALL data is inherently protected at the file level no matter where it goes. That means that even if the data does get into the hands of cyber criminals, it’s useless to them.
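To make the contrast with full disk encryption concrete, here is an added illustration of per-file authenticated encryption. It is example code written for this article, not SecureAge's product or file format: the container layout (a "FLE1" marker, a random nonce, then AES-256-GCM ciphertext and tag) and the function names are assumptions chosen for the demonstration, and the patient record is a constructed sample. The point it shows is the one made above: a file copied off a running system is still ciphertext, a wrong key or a single flipped bit is rejected, and only the holder of the key recovers the record.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Container layout assumed for this example (not SecureAge's format):
//   "FLE1" marker | 12-byte random nonce | AES-256-GCM ciphertext || 16-byte tag
// The marker is also bound as additional authenticated data, so it cannot be
// altered or stripped without the authentication check failing.
var magic = []byte("FLE1")

const nonceSize = 12

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealFile encrypts one file's contents under key and returns the container.
// A fresh nonce per call means two files with identical contents still yield
// different ciphertexts.
func SealFile(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append([]byte{}, magic...)
	out = append(out, nonce...)
	// Seal appends ciphertext and tag to out; magic is the associated data.
	return aead.Seal(out, nonce, plaintext, magic), nil
}

// OpenFile reverses SealFile. A wrong key, a flipped bit anywhere in the
// container, or a plain (unencrypted) file all return an error.
func OpenFile(key, container []byte) ([]byte, error) {
	minLen := len(magic) + nonceSize + 16 // 16 = GCM tag size
	if len(container) < minLen || !bytes.Equal(container[:len(magic)], magic) {
		return nil, errors.New("not a file-level encrypted container")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := container[len(magic) : len(magic)+nonceSize]
	body := container[len(magic)+nonceSize:]
	return aead.Open(nil, nonce, body, magic)
}

// LeaksPlaintext reports whether any sensitive field appears verbatim in data,
// a cheap check that what is copied off a running system is really ciphertext.
func LeaksPlaintext(data []byte, fields []string) bool {
	for _, f := range fields {
		if bytes.Contains(data, []byte(f)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample record; no real patient data.
	record := []byte("patient=Jane Doe;dob=1970-01-01;diagnosis=example-condition")
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	container, err := SealFile(key, record)
	if err != nil {
		panic(err)
	}
	// What someone copying the file from a live host actually obtains:
	fmt.Println("fields visible in container:", LeaksPlaintext(container, []string{"Jane Doe", "example-condition"}))
	if _, err := OpenFile(bytes.Repeat([]byte{0}, 32), container); err != nil {
		fmt.Println("wrong key:", err)
	}
	tampered := append([]byte{}, container...)
	tampered[len(tampered)-1] ^= 1
	if _, err := OpenFile(key, tampered); err != nil {
		fmt.Println("tampered container:", err)
	}
	plain, _ := OpenFile(key, container)
	fmt.Println("round trip ok:", bytes.Equal(plain, record))
}
```

Key management is deliberately outside this snippet: the key would come from the user's credential or a hardware-backed store, and it is exactly because the key is not sitting next to the file that the container stays useless in transit, in use on another machine, or in an attacker's hands. Full disk encryption, by contrast, hands the operating system the key at boot and every reader on the running system gets plaintext.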
Just as the world was woefully underprepared for a pandemic, so too were healthcare companies unprepared for these cyber attacks. But by actively choosing to encrypt all healthcare data at the file level, it no longer matters where it is stored, or whether it’s in transit or in use: there is finally an option to embed security into the only thing that has value, the data itself.