Data Breach Starts with the Data

Originally published September 30, 2019 by Chris Bowen, Chief Privacy & Security Officer, ClearDATA at Tech Toolbox

2019 is shaping up to be a disastrous year for digital privacy. Many of us were already victimized by the massive Equifax breach of approximately 150 million records. Then headlines revealed Capital One exposed around 106 million records. In healthcare, it’s no exception.

According to the HHS Breach Portal, as of August 2019, more than 266 breaches have been officially declared impacting about 32.5 million patients. The scary reality: There are still many months to go.

While any breach is a considerable and costly legal problem, it’s an enormous problem in healthcare because of the sheer volume of data contained in a medical record. Medical identity theft exposes the most holistic view of a person from their name, age, conditions, family relationships and social security number alongside financial and credit card information.

When you fail to protect sensitive patient data it’s like the police showing up to your door to arrest you for buying illegal drugs like opioids. You didn’t do it, the person who stole your identity did. Try sorting that out in the police car. Or imagine opening your mail and getting a bill for $50,000 for your part of a surgery you never actually had. Or worse, imagine going in for actual surgery and not knowing that the person who stole your identity has altered your record about a drug commonly prescribed to which you are allergic that you are now about to be given. These aren’t sci-fi-like scenarios; they have all happened to people like you and me as a result of a healthcare data breach.

In the many years it takes to sort out the aftermath of medical identity theft people lose their jobs, their houses, and ultimately their health. Unlike a credit card theft where you call one number and have the matter resolved in minutes, with medical records patients have to trace through more than a hundred distribution points where the data traveled with one transaction. It’s important to remember that data is not a commodity. Behind every record is a person who is entrusting you with their personal information.

This puts a large responsibility on healthcare organizations whether payers, providers or pharmaceutical to do their very best to protect patient data with the right technology, frameworks and solutions which starts with having a better understanding of data. There are third party platforms out there to help ease the burden like ClearDATA Locate designed to trace sensitive healthcare data in the cloud but the ability to derive insights from patient data aggregated across the enterprise and multiple touch points is only the beginning.

To prevent breaches, healthcare organizations need to have a foundational knowledge of data privacy including:

Know where your data is, how it’s being used, and how it’s being protected.

We often see companies without healthcare compliance expertise use a lot of time and resources protecting and encrypting their own data. Though the efforts are applauded, practicing with real data using rapidly advancing technology is a sure way to create security vulnerabilities. Just take a look at Harvard’s DataMap Project demonstrating how a single medical record can span hundreds or more distribution points. Instead, bring in an expert to guide and learn from until you can do it on your own. You wouldn’t try to climb Mount Everest as a DIY project your first time there. Get a Sherpa.

Admit you have a data sprawl problem because everybody does.

It is easy for IT and business leaders to become overly confident; they know where their sensitive data is. But the trouble with data is that it sprawls, it travels, and it gets lost.

The recent Integris Software 2019 Healthcare Data Privacy Maturity Study tells us that overconfidence is an issue. 70% of respondents said they were “Very or Extremely Confident” in knowing exactly where sensitive data resides. Only 50 percent of them update their inventory of personal data once a year or less, and a mere 17 percent of respondents can access sensitive data across five common data source types.” In healthcare, this is complicated even further by the rapidly expanding volume of data we are now proliferating.

Deidentified data doesn’t mean protected data.

Stop believing because you removed the 18 identifiers that constitute protected health information that you have protected the person by de-identifying their data. With advances in artificial intelligence and machine learning, studies are proving it’s possible to take deidentified data and reconstruct the identity with as few as two of the identifiers.

A more foolproof way to protect data is to start by training your team. One of the most significant causes of healthcare data breaches this year happened via email – be it access to servers or phishing attempts. It won’t do you any good to build an elaborate system to have your employees open the front door and let the hacker in via email.

If you are designing a product or solution that will in any way interact with PHI, start with a Privacy by Design framework.

Though it is tempting to focus on UX or workflow, a Privacy By Design framework is ultimately the key to a more secure environment. This allows for healthcare organizations to understand the privacy rights of the individuals who will use their app to build the correct infrastructure and services around it. By determining how to design the data and log flows, and considering the right heuristics of the app, healthcare developers with this mindset can document a data lifecycle before coding. We are seeing a surge in demand for tech professionals with privacy and security skills and training. I believe most companies want to get this right, but they often lack the resources.

To tackle security vulnerabilities head on, healthcare organizations need to better understand where their data breathes, sleeps and lives. Ultimately, the care of the patient depends on it.