How to Understand What Sensitive Health Data You Have

With increasing variety, volume and velocity of sensitive patient data, healthcare organizations are increasingly challenged with compliance with regulations and data protection laws, and avoiding breaches. The total average cost of a data breach reached US $5.9M in the United States (2014 Ponemon Cost of a Data Breach), representing an average of $316 per patient record. The prospect of random audits to enforce compliance with regulations, such as the OCR HIPAA privacy, security and breach notification audits, continues to loom large.

Healthcare.jpgUnderstanding what sensitive data you have is absolute prerequisite to securing yourself, and has never been more important. Only with an accurate understanding of what sensitive data is at rest, in use, and in transit, can a healthcare organization successfully secure itself. If a healthcare data inventory misses some sensitive data it can go unsecured and lead to a security incident such as a breach, or a finding of non-compliance with regulations or data protection laws in the event of an audit.

Ten years ago, healthcare environments were more homogeneous with fewer types of clients, mostly corporate provisioned and more uniform, and with a slower refresh rate. Software used by healthcare workers was also mostly corporate provisioned, leading to a more consistent, less diverse, and more slowly changing software IT environment. In this more homogeneous and slower changing IT environment an annual manual data inventory may have been sufficient where a security and privacy team worked with documentation, IT management tools, and healthcare workers to conduct inventories.

Today, most healthcare organizations are much more heterogeneous with a mix of clients or endpoints: smartphones, tablets, laptops, wearables, and Internet of Things. Furthermore, healthcare networks today are a mix of personal, BYOD, and corporate provisioned devices, and have a faster refresh rate, especially for personal and BYOD devices such as smartphone that are often upgraded within two years or less. Exacerbating this diversity is a myriad of operating systems, versions, apps and online services including social media that are collecting, using and storing new types of sensitive data, and moving it over the network in new ways. The bottom line is that healthcare environments have a major challenge tracking all the sensitive data they have at rest, in use, and in transit. Given these challenges, a conventional annual data inventory is generally not sufficient.

Today, it is critical for healthcare organizations to understand what sensitive data they have on their networks in near real-time. Once a healthcare organization identifies new unprotected sensitive data on their network they can proactively initiate remediation which can include:

  1. Delete sensitive data in an unsecured location,
  2. Encrypting sensitive data in place,
  3. Move sensitive data in an unsecured location somewhere more secure, and
  4. Educate healthcare workers on preferred alternatives to avoid future non-compliance and privacy and security risks.

Data Loss Prevention is a mature security safeguard solution that includes the ability to discover sensitive data at rest and in transit. With the rapidly increasing diversity of healthcare IT environments and variety of sensitive data they are collecting, using, storing, and moving, the value proposition of DLP and in particular in its ability to discover sensitive healthcare information has never been greater. This provides a key safeguard to supplement other data inventory initiatives within a modern healthcare organization. Intel Security Group provides network and endpoint DLP solutions that include this discovery capability. Furthermore, these can be vertically integrated with Intel hardware assisted security including AES-NI for hardware accelerated encryption (Data Loss Prevention Best Practices for Healthcare). An effective near real-time inventory of sensitive data, combined with a proactive approach to secure any unsecured sensitive data, enables healthcare organizations to embrace and realize the benefits of new technologies while keeping privacy, security and non-compliance risks manageable.

Does your healthcare organization have DLP, and if so do you have the processes in place to use it effectively and realize its full value for near real-time discovery and protection of sensitive data on your network?