UCLA Health System’s recent announcement of a data breach is just the latest occurrence in an outbreak of healthcare data theft and follows a now-familiar pathology. First, the breach occurred months before it was detected. Second, UCLA described the attackers as “sophisticated” and “likely to be offshore.” And, third, an expert said that data encryption would have vaccinated UCLA against the attack.
At Waller’s latest Healthcare and Big Data panel discussion, I was joined by Todd Forgie, VP Information Technology and Managed Services at MEDHOST, Jessica Thomas, Division Information Technology Officer at Sarah Cannon Research Institute, and Jason Smolanoff, Managing Director at Stroz Friedberg for a diagnosis of the outbreak and a discussion of the protocols for reducing the risk of healthcare data breaches. The panel concluded that, while data security threats arise in a variety of contexts, the risk of healthcare data breaches can be reduced through improved employee training and monitoring.
Here are a few highlights from our discussion:
- Healthcare data is valuable: Patient records are more valuable on the black market than even credit card data.
- Your biggest threat works for you: Employees, especially those with access to healthcare information, pose the greatest security risks, whether through negligence or intentional misconduct.
- Social engineering works…unfortunately: Phishing, in particular, is very effective. According to Verizon’s 2015 Data Breach Investigations Report, 23% of recipients open phishing emails and 11% click on attachments.
- The worst offenders: Oddly enough, those sitting in the audience are some of the worst offenders against security protocols. According to the Verizon report, lawyers are far more likely to open a phishing email than most other employees.
- Create internal awareness around data security: Employees must understand their role in protecting data. As Todd Forgie stated, “we aren’t seeing breaches because your security walls aren’t secure… you have to focus on the people and the culture… executives have to be on board with security…awareness campaigns have to be executed.”
- Encryption’s not a vaccine: But it’s a good idea. Encrypting an entire database may be impractical and may degrade system performance. However, encrypting key areas can mitigate the data breach risk.
- Electronic nannies: Data loss prevention systems can be deployed to monitor outbound transmissions (e.g., emails) of sensitive data and flag or block the transmissions. But organizations should have policies in place that clearly inform their employees of the use of electronic communication monitoring.
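To make the "electronic nanny" point concrete, here is an added example of the kind of outbound-email check a data loss prevention system performs. It is illustrative code written for this post, not a product from MEDHOST, Sarah Cannon, Stroz Friedberg or any vendor named above. The internal mail domain, the medical record number format, the keyword list and the four sample messages are all constructed assumptions; a real deployment would tune the patterns to its own record formats and route "flag" verdicts to a reviewer rather than deciding in code alone.

```python
"""
Illustrative outbound-mail DLP check (added example, not from the panel).
Policy: internal mail is allowed; external mail carrying a hard identifier
(SSN or medical record number) is blocked; external mail that only mentions
clinical keywords is flagged for human review.
"""
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "hospital.example"   # assumed internal mail domain for the example

# Detector patterns (assumed formats): US SSN and a hypothetical "MRN 00123456" style
# medical record number. Real systems use organisation-specific formats and validators.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[-: ]?\d{6,8}\b", re.IGNORECASE),
}
# Softer signals: clinical vocabulary that alone warrants review, not a block.
KEYWORDS = ("diagnosis", "patient", "prescription", "lab result")


@dataclass
class Verdict:
    action: str      # "allow", "flag" or "block"
    findings: dict   # detector name -> number of hits


def is_external(recipients):
    """True if any recipient is outside the assumed internal domain."""
    return any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in recipients)


def scan_message(msg):
    """msg is a dict with 'to' (list of addresses), 'subject' and 'body'."""
    text = f"{msg['subject']}\n{msg['body']}"
    findings = {}
    for name, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            findings[name] = len(hits)
    keyword_hits = [k for k in KEYWORDS if k in text.lower()]
    if keyword_hits:
        findings["keywords"] = len(keyword_hits)

    if not is_external(msg["to"]):
        # Internal traffic is still scanned (and could be logged) but not blocked here.
        return Verdict("allow", findings)
    if "ssn" in findings or "mrn" in findings:
        return Verdict("block", findings)
    if findings:
        return Verdict("flag", findings)
    return Verdict("allow", findings)


def redact(text):
    """Mask identifiers before writing an alert, so the DLP log itself does not
    become a second store of sensitive data."""
    text = PATTERNS["ssn"].sub(lambda m: "***-**-" + m.group(0)[-4:], text)
    text = PATTERNS["mrn"].sub("MRN [redacted]", text)
    return text


# Constructed sample messages for the example.
SAMPLE_MESSAGES = [
    {"to": ["partner@example.org"], "subject": "Results",
     "body": "Here is the lab result for MRN 00123456, SSN 123-45-6789."},
    {"to": ["vendor@example.org"], "subject": "Schedule",
     "body": "Can we discuss the patient schedule for Friday?"},
    {"to": ["nurse@hospital.example"], "subject": "Results",
     "body": "Here is the lab result for MRN 00123456, SSN 123-45-6789."},
    {"to": ["friend@example.org"], "subject": "Lunch",
     "body": "Lunch at noon?"},
]


def run_samples():
    """Return (subject, action, redacted body) for each sample message."""
    return [(m["subject"], scan_message(m).action, redact(m["body"]))
            for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for subject, action, body in run_samples():
        print(f"{action:5s}  {subject:8s}  {body}")
```

The split between "block" for hard identifiers and "flag" for vocabulary is the usual compromise between stopping obvious leaks and not halting legitimate clinical correspondence; the redaction step matters because DLP alerts are read by people who do not need the underlying patient data.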