In 2022, 590 organizations reported healthcare data breaches affecting 48.6 million individuals – an impact 22 percent greater than in 2021. Year after year, hackers target healthcare organizations for their trove of patient data, which cybercriminals can sell on the dark web or exploit to commit identity theft and fraud.
As a consequence, healthcare organizations face increasing financial, legal, operational, and reputational risk. But organizations aren’t without recourse in protecting themselves against cyber threats. They can take these three steps now to reduce cyber risk and safeguard patient data:
1. Reframe the Focus of Cybersecurity
The Covid-19 pandemic required healthcare organizations to pivot on their IT infrastructures and digital strategies. They needed to rapidly shift from on-premises IT resources to cloud-based architectures, software-as-a-service (SaaS) solutions, telemedicine, and virtual care. But their cyber protections haven’t kept pace.
In the past, organizations operated within a defined network perimeter. They could protect that perimeter with traditional cyber safeguards like antivirus (AV) and firewalls. But with emerging data collaboration paradigms and the potential for data breaches, those measures are no longer adequate for protecting sensitive patient data.
Yes, organizations still require cybersecurity basics like multi-factor authentication (MFA), identity and access management, and intrusion detection. But they must shift their focus from hardening systems, networks, and endpoints to protecting the data itself. After all, it’s the data that has value. Data is what cybercriminals are after, and data exposure is what places organizations at risk.
2. Understand Data Protection Requirements
To protect their data effectively, organizations need a clear picture of the types of data they have, where it resides, and how it’s being used and shared. Only then can they implement the appropriate safeguards to protect that data.
Data protection begins with a thorough inventory and classification of data. Patient personally identifiable information (PII), health records, employee information, financial data, corporate intellectual property (IP) – all can involve varying levels of sensitivity and vulnerability to exposure. These different data classifications are also governed by varying regulatory requirements, like HIPAA, FIPS 140-2, etc.
Once organizations classify their data, they can establish the policies, processes, and technologies required to protect it. Because budgets aren’t unlimited and cyber threats can never be eliminated, data protection can become a financial business decision and a question of risk management.
3. Lock Down the Data Itself
The most effective way for healthcare organizations to secure their sensitive information is through data encryption. Encryption scrambles data so that it can only be read by authorized entities who are given the appropriate key to unscramble it. Even if the data is exfiltrated and sold by cybercriminals, it simply can’t be read without the appropriate key.
But, to date, traditional encryption solutions have potential shortcomings. The encryption used in many systems only protects data while in transit. The encryption offered by cloud providers is typically managed by the provider itself, which in turn owns the encryption key. Different data types may require different types of encryption, complicating cybersecurity management. And encrypted data isn’t always simple for intended users to access, adding to the burdens of IT as well as healthcare staff.
The solution is to focus on data-centric security, not just the perimeter. An open standard called trusted data format (TDF) is one of very few data-centric encryption and privacy solutions. TDF was developed at the National Security Agency (NSA) and is the preferred method of data-centric security for the federal government. Thousands of organizations and millions of users – from government to commercial industries such as healthcare, financial services, and high tech – use TDF to collaborate securely, share data, and secure their data at rest.
TDF offers several advantages over traditional, encryption-only approaches. It provides end-to-end protection for data at the object level – encrypting it at rest, in transit, and even after it’s accessed by authorized parties. TDF uses attribute-based access control, enabling data owners to dynamically determine real-time access permissions. It can also enable granular controls like revoking access, setting expiration dates, and disabling forwarding and downloads, even after TDF-protected data has been shared. Additionally, TDF ensures that encryption keys are retained by the organization or a trusted key management partner, preventing unauthorized access to the data.
TDF safeguards data while maintaining ease of use and accessibility. It offers protection for any type of data. The trusted data format can protect client and patient-facing IT platforms, and data contained within collaboration solutions that people use every day – including Microsoft Outlook, Gmail, Google Workspace, and Google Drive. Data can automatically be encrypted before it leaves the organization, or users can encrypt data with a single click, or both.
Cybercriminals will continue to target healthcare organizations. But organizations have the means to protect their data, their customers, and their business. By placing the focus of cybersecurity on data-centric security, classifying data, and leveraging cryptographic agility through TDF, healthcare organizations can protect sensitive patient information and reduce the business risk from advanced cyberattacks.
The author, Rob McDonald, is SVP of Strategy and Field CPO at Virtru, the leading data-centric security and privacy company.