NGEN IT Software

By Ngen IT / 20-09-2023

Safeguarding Healthcare Data: The Critical Role of Access Management
Cybersecurity

How Lack of Proper Access Management Jeopardizes the Security of Healthcare Data

In the realm of safeguarding personal health information, antiquated processes pose as much of a threat as outdated operating systems, hardware, and software. Failing to establish robust access management for IT systems within the healthcare sector leaves sensitive patient data exposed to malicious attacks.

As Mac McMillan, chair of the HIMSS Privacy & Security Policy Task Force, emphasized at the 2016 HIMSS Annual Conference & Exhibition, mere username and password requirements in Electronic Health Records (EHR) do not guarantee compliance. The crux of the matter lies in the deficient access controls.

This issue is starkly exemplified by Anthem's costly $115 million settlement, the largest-ever settlement for a data breach in healthcare. The breach exposed how inadequate access management permitted hackers with authorized credentials to infiltrate Anthem’s patient information. Notably, the vulnerability did not stem from the operating system, hardware, or software but rather from mismanaged access controls.

Until the healthcare industry revamps both its outdated technology and security practices, particularly in the realm of data access control, cybercriminals will persist in targeting healthcare data as an easy mark.

Today’s Healthcare Data Security Landscape

A disconcerting report by the Identity Theft Resource Center (ITRC) revealed that the medical and healthcare sector accounted for 43.6% of all breach incidents in 2016. Additionally, Experian's 2017 Data Breach Industry Forecast projected healthcare as the primary target for cyberattacks, with both their frequency and sophistication on the rise.

Lynne Dunbrack of IDC Health Insights commented, "Cybercriminals perceive healthcare organizations as more vulnerable due to historically lower investments in IT, including security technologies and services, compared to other industries."

In 2016, the healthcare sector experienced 450 data breaches, compromising over 27 million patient records, according to a Protenus report. The Banner Health hacking incident, affecting 3.62 million patient records, stood out as the most significant breach that year.

Experts argue that medical information holds ten times the value of a credit card number on the black market, making healthcare organizations prime targets despite their security shortcomings. McMillan points out, "The social security number is the crux there."

Tomorrow’s Vision for Healthcare Data Security

In McMillan's HIMSS16 presentation titled "Compliance does Not Equal Security," he underscores the inadequacy of HIPAA and the Security Rule in addressing evolving technology landscapes. These regulations did not foresee the emergence of cloud computing, mobile devices, wearable tech, and other innovations.

McMillan urges healthcare organizations to align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which recommends:

  • Assessing the current cybersecurity posture.
  • Defining the target state for cybersecurity.
  • Identifying and prioritizing areas of improvement.
  • Establishing a repeatable review process.
  • Continuously evaluating the cybersecurity posture.
  • Communicating cybersecurity risks to internal and external stakeholders.

McMillan emphasizes that compliance and certification alone are insufficient safeguards. What truly matters are discipline, vigilance, and preparedness.

To fortify IT security in the healthcare sector, hospitals must adopt stringent cybersecurity policies that ensure the utmost protection of patient data and demand unwavering compliance from partners, including labs, imaging centers, and clinicians. While implementing these policies with healthcare partners may require time, on-site safety measures, including role-based data access, workstation security, and comprehensive auditing tools, should always be in place to control access to sensitive data.

In the relentless pursuit of patient data security, NGen IT provides end-to-end solutions designed to fortify healthcare data security.