A new study conducted by the Ponemon Institute on behalf of IBM Security confirmed the fears of so many healthcare information security professionals, no other personal information yields a higher value than compromised patient records.
Across the country, healthcare organizations have a Goliath size security problem. For an eight-straight year, healthcare has the highest breach-related costs of any industry at $408 per lost or stolen record, nearly three times the cross-industry average of $148. Without a commitment to cyber-security, healthcare entities and their valuable databases containing vast amounts of electronic patient health information (ePHI) are sitting ducks for hackers.
We all know that data breaches can cost organizations millions in lost business, reputation management, recovery remediation and year over year that number is exponentially rising. In 2018, the average cost of a data breach globally is roughly $3.86 million, up 10% from 2014. The Ponemon study, 2018 Cost of a Data Breach, is an extensive compilation of data based on interviews with 500 organizations that experienced data breaches.
Along with providing staggering breach stats, the study also referenced a new category of breaches, mega data breaches which refers to the theft or exposure of more than 1 million records. The number of mega data breaches has more than doubled in the past five years from 9 in 2013 to 16 in 2017. As you can imagine, these mega breaches are both extremely costly to resolve and can take up a year to detect and contain. The average cost of a mega data breach involving a “modest” 1 million records is hovering around $40 million.
So, What's a Provider To Do?!
The findings from this year’s breach report beg the question, how can healthcare providers across the board strengthen their individual security programs and better protect ePHI? For starters, conduct a bona fide HIPAA Security Risk Analysis (SRA.) If your organization has not completed an SRA in the past calendar year, your data is vulnerable, plain and simple. An SRA does more than just help your office collect the largest amount of MIPS/MACRA reimbursement dollars, by identifying gaps in your organization's compliance and security settings, the SRA is an invaluable tool in securing the safety of your ePHI. There are many SRA tools out in the marketplace today ranging from free spreadsheet templates to expensive consultants, at HIPAA One, we recommend utilizing our simple, automated and affordable software.
Upon completion of your SRA, there are two additional best-practices that can greatly decease the chance of an ePHI breach due to theft, loss, improper disposal and hacking incidents. Stick with us, we're going to get a little bit "techy" in this next section and take a deeper dive into data classification and encryption:
STEP 1 - DATA CLASSIFICATION
Despite the fact that all data does not have PHI identifiers, (e.g. name, address, any other numerical or identifying information) it is paramount to identify where the data is located within your organization. This effort will involve working directly with the architects and programmers of your data system.
A good place for your programmers to start is by reviewing any and all data mapping and data flow diagrams. To gain further insight into what's already been completed in this area, a thorough review of existing data cryptography or sequence database schema will be conducted. Following data cyptography, a sensitive data analysis is performed - if using external consultants to augment IT staff, there should be no hands-on access needed as long as the data flow diagram and data mapping is available. It is also important to note that these mappings can also be performed through remote workshops.
The work flow outlined above will result in a data inventory (e.g. email, name, home address and system data such as session ID's, IP addresses, etc.). Side note, an analysis at this point should identify any EU-citizens needed for the new GDPR mandates. Any application mapping exercise should augment the data classification by determining why a user or application would need to see information that may or may not be required for the intended purpose. Sometimes applications will bypass database encryption and give a user excessive access to ePHI that is not necessary, opening the chances for unauthorized-access breaches.
STEP 2 - ENCRYPTION AS REC’S FOR ACTING ON SRA FINDINGS
Disclaimer: We understand that turning on global encryption to databases can be unacceptable - and we do not recommend doing this.
As a best practice, only encrypt data inside specific tables and employ best-practices for key generation, management and entry. For example, at deployment, a password is used for decryption of the master encryption key. The master encryption key is provided on a one-time basis by a singular person (or portions of the password shared between people) who knows the password. The master password should also be stored in RAM strictly for performance and security purposes. From an electronic media standpoint (e.g. laptops, desktops, thumb drives, smartphones, tablets, etc.), encryption of the entire hard-drive or volume is recommended. Most SSD drives (high-speed hard drives) and computer hardware come equipped with processors to handle the overhead of encryption/decryption as needed on these devices.