Breaches are commonplace, particularly in healthcare.
Between 2009 and 2018, for example, there were 2,546 significant healthcare data breaches resulting in the loss of nearly 190 million healthcare records.[1]
Meanwhile, new breaches seem to make headlines almost every single week. And while every industry is vulnerable to cyber-attacks, healthcare is a popular target. According to the ITRC Data Breach Report, in 2017 the healthcare industry had the second-most breaches of any industry.[2]
The fundamental issue is that healthcare companies make mistakes that leave them exposed to risk. And, with 88 percent of organizations storing sensitive data in cloud servers, some of those mistakes are bound to happen there.[3] If your healthcare business is in the cloud, you very well may be making one of the following eight mistakes. If so, you’re almost certainly leaving your customers and your business exposed to risk.
1. Putting all of your data in one place.
If your data model is vulnerable to being exploited, and yet all of your data is in one place, then you’re putting that data at risk. In recent years, we’ve seen major breaches where hackers gained access to tens of millions of patient records all located in a single archive file. Don’t make that mistake. Instead, ensure that your data is distributed adequately across multiple locations.
2. Not managing data sprawl.
Data is everywhere and can be found across all kinds of environments. If your company can’t find all of the structured and unstructured data that live in those environments and across all of your company’s platforms and devices, this exposes you to greater risk and to potential fines. To combat this issue, it’s important to implement a formalized risk framework. Doing so will allow you to gain control of your entire information lifecycle, from creation and identification to operationalization
3. Not managing data flows.
While many SaaS healthcare companies collect data, that data doesn’t always flow in a cohesive or standardized way. Such unmanaged data flows can result in a lack of transparency to customers while also exposing businesses to unnecessary risk, since data flows can be used to detect malicious activity. To avoid this problem, it’s important to identify and define your data elements and data sources, define how you collect data, create data validation and quality procedures, and instrument everything in your data flows.
4. Assuming people won’t make mistakes.
You may have the best team in the world, but even so, mistakes happen. Even highly skilled people can forget to encrypt sensitive data or fail to apply other safeguards. The reality is that people often think they’re doing the right thing, but then go on to undermine the security of your business inadvertently.
5. Not managing your vulnerabilities.
When it comes to security, you can’t take a set-it-and-forget-it approach. You have to manage your vulnerabilities actively through basic hygiene such as patching all of your environments, applications, and services. Otherwise, it’s just going to be a matter of time until those vulnerabilities get exploited.
6. Not adequately educating and training yourself and your team.
To be a successful healthcare SaaS company, you need to be knowledgeable about cloud security and be able to keep up with the pace of innovation led by public cloud providers. One public cloud provider, for example, updated or released over 1,500 new cloud services in 2018 alone. You also need to ensure your employees have adequate training so they can help keep your business safe by, for example, not becoming victims of a phishing attack. Be sure to partner with a cloud vendor who will help get you up to speed, and upskill your employee population so they can be part of the solution rather than the problem.
7. Not applying the appropriate safeguards.
If you’re dealing with highly sensitive data, you need to put the appropriate safeguards in place to protect that data. Unfortunately, a surprising number of companies fail to do this. We’ve all heard the stories of real-life companies that protect sensitive data with user names and passwords like “admin.” If you have access to sensitive data, take the steps necessary to protect it appropriately.
8. Not dedicating sufficient resources to security.
Don’t be thrifty when it comes to securing your data. While you want to look for good value, make sure to invest in talented staff and great partners to help you meet your business goals while ensuring all of your data remains protected.
While avoiding the mistakes outlined above will help keep your data safe, it’s important to approach data protection with a defense-in-depth mindset.
In other words, build layers of safeguards around your data that range from encryption and hardening your operating systems and network, to ensuring your team is adequately trained.
If you don’t know how or don’t have all the answers, that’s okay. Get the help you need by calling an expert who understands how to secure data and can guide you through the process.
____________________
[1] “Heathlcare Data Breach Statistics,” HIPAA Journal, retrieved from https://www.hipaajournal.com/healthcare-data-breach-statistics/.
[2] “2017 Annual Data Breach Year-End Review,” Identity Theft Resource Center, retrieved from https://www.idtheftcenter.org/images/breach/2017Breaches/2017AnnualDataBreachYearEndReview.pdf.
[3] “Data Privacy: How Secure Are Cloud Communications Services?” NFON, retrieved from https://www.nfon.com/en/news/press/blog/blog-detail/data-privacy-how-secure-are-cloud-communications-services/.
