Healthcare needs a data centric security approach

stringent data securityWith increasing attacks on PHI data, coupled with more stringent data security requirements and regular audits, organizations should act now – before it’s too late.

A recent Ponemon study, provides the following perspective on the security of healthcare data: “Fifty-one percent of respondents say their organization has personnel with the necessary technical expertise to be able to identify and resolve data breaches involving the unauthorized access, loss or theft of patient data. This is virtually unchanged since 2015. Criminal attacks are the root cause of most data breaches. Fifty percent of healthcare organizations report the root cause of the breach was a criminal attack, 41 percent of respondents say it was caused by a third-party snafu. Insiders in business associates are the main root cause of medical identity theft. Healthcare organizations and business associates believe they are more vulnerable to a data breach than other industries. An overwhelming majority of healthcare organizations (69 percent) and business associates (63 percent) believe they are at greater risk for a data breach than other industries. More investments in technologies to mitigate a data breach are needed. Healthcare organizations depend mainly upon policies and expertise to respond to data breaches.”

Relying primarily on policies and expertise is not effective based on what we have seen in recent data breaches across different industries.

Mathieu Gorge, CEO of Vigitrust, stated recently in “Key steps to Big Data security in healthcare” from Computerweekly that “Healthcare is moving towards Big Data, with patient information residing in multiple locations that must be accessed rapidly. That data is also extremely sensitive, with confidentiality and integrity a key attribute. So, in healthcare, Big Data security is vital” and “This links to the key question, which is, ‘Where is the data?’ There are some specific challenges with regard to data for the healthcare sector.”

The first step in any security initiative is to locate sensitive data in databases and file systems. I have seen effective approaches that quickly search all popular databases, file systems, and application environments. In many cases experienced data discovery engineers are also needed to help clients locate sensitive data within corporate environments. This type of solution can be most effective for many organizations if combined with security consulting services by industry experts.

The Ponemon Institute published another interesting survey related to the recent spate of high-profile cyber-attacks. According to the survey “database security was recommended by 49% of respondents,” but the study found that “organizations continue to allocate the bulk of their budget (40%) to network security and only 19% to database security.” Ponemon concluded that “this is often because organizations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification.”