Healthcare Data Breach Prevention: Take Back Control

This blog was originally published by BigID here.

Written by Kimberly Steele, BigID.

In 2020, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) revealed that healthcare data breach incidents had climbed up to a reported 1.76 per day, marking a 25% increase over reported incidents from the previous year (HIPAA Journal). An “incident” defines a breach that affects 500 records or more.

In addition, 2019 was a record breaking year in its own right — with a 37.4 increase in reported incidents over 2018. Approximately 59% of these security breaches in healthcare were connected with malicious attacks.

Data Exposure Due to Malicious Attacks

While healthcare organizations have shown gradual improvement in data threat detection and breach response — partly due to increased adoption of automation — there has still been a steady increase in incidents due to malicious attacks over the past decade.

The year 2012 saw 17 incidents due to malicious attacks — a figure that increased to 148 incidents by 2017, 312 incidents by 2019, and 429 incidents by 2020. (HIPAA Journal).

Malicious attacks aren’t going anywhere, and healthcare organizations that leverage automated technologies to manage data risk will not only reduce incidents due to attacks like hacking, phishing, malware, and ransomware scams, but can better manage their breach response.

What Is Patient Health Data Worth?

Sensitive patient data like protected health information (PHI) — which the Health Insurance Portability and Accountability Act (HIPAA) strictly regulates — is the most targeted, valued, and frequently stolen by hackers.

Compared to other types of personal or sensitive data, health data brings in a hefty sum on the dark web. If personal information like a social security number sells for $0.53 per record — the going price in 2018 — or credit card information sells at $5.40 per record, then a healthcare record brings in around $250.15 (Trustwave).

Why? Medical data serves several purposes — including the ability to buy prescriptions or purchase treatment. PHI also carries value for a longer period of time. While a data subject may quickly detect a stolen credit card number, it could take a patient or practitioner much longer to know about compromised medical data.

What Are the Penalties for a Data Breach?

Fines and penalties for HIPAA are steep — especially for serious violations. HIPAA violation fines are separated into four tiers that range from a minimum $100 per-violation penalty to a $50,000 per-violation penalty.

Each tier — and associated financial penalty — takes into account the violating organization’s:

• prior history with compliance
• degree of willful neglect
• financial status

… as well as the amount of harm caused by the violation, and several other factors that regulating body OCR is allowed by law to deem relevant.

Here is how HIPAA’s tiers break down:

• Tier 1: A fine of minimum $100 per violation, up to $50,000
  Violations that entities that were unaware of, could not have been reasonably avoided, and show a reasonable amount of care by an entity to be HIPAA compliant.
• Tier 2: A fine of minimum $1,000 per violation, up to $50,000
  Violations that entities should have been aware of but could not have reasonably avoided even with reasonable care.
• Tier 3: A fine of minimum $10,000 per violation, up to $50,000
  Violations that constitute “willful neglect” of HIPAA rules, but where an attempt is made to correct the violation.
• Tier 4: A fine of minimum $50,000 per violation
  Violations that constitute both “willful neglect” and no attempt to correct the violation.

Data Breach Automation

Healthcare organizations struggle to identify exactly what information was disclosed in a data breach, who it belongs to, and how to effectively respond, remediate, and take action on it.

Know Your Data

Find, manage, and catalog all of your patient information across the landscape — no matter how siloed — and enforce policy on all your data.

Map Your Data with Advanced ML-Based Classification

Automatically classify protected health information (PHI) via next-gen classification that leverages not just pattern-based discovery, but also:

• ML classification that’s based on NLP and NER
• AI insight that’s based on deep learning
• patented file analysis classification

Identify Impacted Users

Map patient identities to their personal data wherever it resides, and maintain a central view of what data belongs to whom for a more granular view into breach exposure risk. With a clear view of the data, teams can pinpoint which users are at the highest risk when data breaches occur. Identify impacted users’ residency — and follow the mandatory reporting criteria required on each region, down to an individual.

Operationalize Your Incident Response Plan

Easily identify which individuals to notify after an incident based on data mapping and inventory. Communicate and generate reports on which individuals and personal data attributes were exposed — within the legal and reporting required timeframes.

Ensure Compliance with Healthcare Regulations

Protect patients, providers, and payers by following all legal data-breach-reporting requirements for all geographic areas where your company conducts business or has customers.

Enact Remediation Workflows

Efficiently remediate high-risk, sensitive, and regulated data across the organization — as well as manage exceptions, prioritize workflows that delegate decisions to the right people, and streamline all reporting by violation type or data owner — all in one interface.

Simplify Breach Data Investigation

Common wisdom dictates that data breach incidents are not a matter of if, but when — and healthcare organizations are at heightened risk.

Companies that proactively protect their sensitive patient data with automated tools, deep machine learning, a core data discovery foundation, and efficient data remediation workflows can minimize data risk, boost data threat detection, and prevent the loss or exposure of patients’ most sensitive and vulnerable data.