The HIPAA Journal reported that “2020 was the worst ever year for healthcare industry data breaches.” In the US alone, 642 data breaches of 500 or more records were reported, and in total nearly 29.3 million healthcare records were exposed.
The biggest threats to healthcare data
In a year when the world was focused on the healthcare industry, so too were malicious actors. The healthcare data breaches reported in 2020 had many causes, but the leading ones were:
Ransomware and phishing incidents.
Unauthorized access or disclosure.
Hacking and IT incidents such as ransomware and phishing accounted for 91.99 percent of the health records breached. The number of ransomware attacks targeting healthcare rose 25 percent in 2020. In October 2020, the FBI, CISA, and HHS issued a joint advisory warning of an increased and imminent threat to US hospitals and healthcare providers from campaigns that use TrickBot and BazarLoader malware to deliver Ryuk ransomware.
These attacks led to the exposure of electronic protected health information (ePHI) such as medical histories, patient information, Social Security numbers, health insurance details, and financial information.
ManageEngine’s 6-step plan to secure healthcare data
IBM's 2020 Cost of a Data Breach Report found that a lost or stolen healthcare record costs $429, well above the cross-industry average of $150. As the sector most affected by data breaches, healthcare organizations should follow this six-step plan to secure their data.
Scan for ePHI in your storage
Scan your file storage repositories for ePHI using keyword matching and pattern matching (for example, regular expressions for Social Security numbers and medical record numbers, with structural checks to weed out placeholder values). Create and maintain a detailed inventory of your organization’s most sensitive data by scheduling discovery scans at regular intervals, since files are created, copied, and moved continuously and a one-off scan goes stale quickly.
Assess the risks associated with stored ePHI
For each location holding ePHI, assess its exposure: how sensitive the data is, where it sits, which users and groups hold permissions on it, and whether those permissions are broader than the users’ roles require (a share where Everyone or Authenticated Users has write access is a common finding). Remediate where necessary to enforce least privilege, and ensure ePHI is stored only in approved, secured locations.
Classify the files containing healthcare data
Improve the efficacy of your monitoring and incident response systems by classifying the files containing ePHI, so that downstream controls such as access auditing and leak prevention can act on a file’s label instead of rescanning its contents. We recommend implementing a tool that performs classification in conjunction with data discovery, so labels are applied as soon as new ePHI is found.
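Steps 1 and 3 above (discovery by keyword and pattern matching, then classification) are shown together in the following Python example. It is an added illustration written for this page, not code from ManageEngine or DataSecurity Plus. The Social Security number rules are the SSA’s structural rules; the MRN format, the keyword list, the label names, and the sample files are assumptions for the example.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# Identifier patterns. SSN_RE matches the 3-2-4 shape; valid_ssn() then applies
# the SSA structural rules so placeholders like 000-12-3456 are not counted.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Assumed MRN format for this example: "MRN" followed by 6 to 10 digits.
# Real medical record number formats are site-specific and must be tuned.
MRN_RE = re.compile(r"\bMRN[:#\s]*(\d{6,10})\b", re.IGNORECASE)
# Health-context keywords (assumed list). PHI is health information tied to an
# identifier, so an identifier on its own (an HR file, say) is flagged for
# review rather than labelled ePHI.
HEALTH_KEYWORDS = ("diagnosis", "patient", "medical record", "health insurance",
                   "prescription", "treatment plan", "lab result")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA rules: area is not 000, 666 or 900-999; group is not 00; serial is not 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def find_identifiers(text: str) -> Dict[str, List[str]]:
    ssns = [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text) if valid_ssn(a, g, s)]
    return {"ssn": ssns, "mrn": MRN_RE.findall(text)}


def find_health_terms(text: str) -> List[str]:
    low = text.lower()
    return [k for k in HEALTH_KEYWORDS if k in low]


def classify(text: str) -> str:
    ids = find_identifiers(text)
    terms = find_health_terms(text)
    has_id = bool(ids["ssn"] or ids["mrn"])
    if has_id and terms:
        return "ePHI-Restricted"
    if has_id or terms:
        return "Sensitive-Review"   # identifier without health context, or the reverse
    return "Unclassified"


@dataclass
class InventoryEntry:
    path: str
    label: str
    ssn_count: int
    mrn_count: int
    health_terms: List[str]


def scan_files(files: Dict[str, str]) -> List[InventoryEntry]:
    """Scan {path: content} and return the inventory, most sensitive first."""
    inventory = []
    for path, content in files.items():
        ids = find_identifiers(content)
        inventory.append(InventoryEntry(path, classify(content), len(ids["ssn"]),
                                        len(ids["mrn"]), find_health_terms(content)))
    order = {"ePHI-Restricted": 0, "Sensitive-Review": 1, "Unclassified": 2}
    return sorted(inventory, key=lambda e: (order[e.label], e.path))


def scan_directory(root: str, extensions=(".txt", ".csv", ".log")) -> List[InventoryEntry]:
    """Walk a real directory tree and scan text-like files (for use on a share)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    files[full] = fh.read()
    return scan_files(files)


# Constructed sample repository: every name, number and path below is invented.
SAMPLE_FILES = {
    "shares/billing/claim_1042.txt":
        "Patient: J. Doe\nSSN: 219-09-9999\nDiagnosis: hypertension\nHealth insurance: ACME-PPO",
    "shares/hr/onboarding.txt":
        "New hire record. SSN 123-45-6789. Start date 2020-03-01.",
    "shares/clinic/notes.txt":
        "MRN: 00421337. Lab result pending. Treatment plan attached.",
    "shares/it/fixtures.txt":
        "Test fixture: 000-12-3456 and 666-01-0001 are placeholder numbers.",
    "shares/marketing/brochure.txt":
        "Welcome to our clinic! Call 555-0100 to book an appointment.",
}

if __name__ == "__main__":
    for entry in scan_files(SAMPLE_FILES):
        print(f"{entry.label:17} {entry.path}  ssn={entry.ssn_count} "
              f"mrn={entry.mrn_count} terms={entry.health_terms}")
```

The HR file shows why the identifier and health-context checks are kept separate: a valid SSN with no clinical terms is sensitive, but it is not ePHI, and labelling it as such would flood the later DLP step with false positives. Run scan_directory() against a real share to build the inventory; rerunning it on a schedule is the “regular intervals” part of step 1.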
Audit all accesses to sensitive files
Report on users accessing critical files so you know who accessed healthcare data, when, from which host, and what they did with it. Detect ransomware attacks using threshold-based alert profiles (for example, an unusually high rate of file renames or modifications by one user within a short window) combined with an up-to-date library of known ransomware file extensions and ransom note names. Execute custom scripts to shut down or isolate infected machines and halt the malware’s progress, thereby limiting the damage.
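The following Python example shows the two detection methods from step 4 running side by side over a file-access audit trail: a signature check against a library of known ransomware artifacts, and a sliding-window threshold on write-type events per user and host. It also produces the who/when/where access report and the isolation command a response script would run. This is an added example for this page, not ManageEngine code; the audit record format, the share path, the threshold values, and the user activity are all constructed, and the extension and ransom note lists are a small illustrative subset (the .ryk extension and RyukReadMe.txt belong to Ryuk).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Illustrative subset of artifacts that known ransomware families leave behind
# (.ryk and RyukReadMe.txt are Ryuk's). A production library is far larger and
# must be refreshed as families change.
RANSOMWARE_EXTENSIONS = {".ryk", ".locked", ".encrypted", ".crypt"}
RANSOM_NOTE_NAMES = {"ryukreadme.txt", "readme_to_decrypt.txt"}

# Threshold profile: more than MAX_EVENTS write-type events by one user on one
# host inside WINDOW raises an alert. Both values are assumptions to tune per site.
WRITE_ACTIONS = {"WRITE", "RENAME", "CREATE", "DELETE"}
MAX_EVENTS = 20
WINDOW = timedelta(seconds=30)

SHARE = r"\\fs01\ehr\patients"   # constructed ePHI share


def parse_audit(lines: List[str]) -> List[dict]:
    """Parse 'timestamp|user|host|action|path' records (a constructed format;
    real sources such as Windows event 4663 or auditd carry the same fields)."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, host, action, path = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action, "path": path})
    return sorted(events, key=lambda e: e["time"])


def filename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def detect(events: List[dict]) -> List[dict]:
    alerts: List[dict] = []
    artifact_alerts: Dict[Tuple[str, str], dict] = {}
    windows: Dict[Tuple[str, str], deque] = defaultdict(deque)
    threshold_fired = set()
    for e in events:
        if e["action"] not in WRITE_ACTIONS:
            continue
        key = (e["user"], e["host"])
        name = filename(e["path"]).lower()
        ext = name[name.rfind("."):] if "." in name else ""
        # Signature check: one alert per user/host, accumulating the affected paths.
        if ext in RANSOMWARE_EXTENSIONS or name in RANSOM_NOTE_NAMES:
            alert = artifact_alerts.get(key)
            if alert is None:
                alert = {"kind": "known_ransomware_artifact", "user": e["user"],
                         "host": e["host"], "first_seen": e["time"], "paths": []}
                artifact_alerts[key] = alert
                alerts.append(alert)
            alert["paths"].append(e["path"])
        # Behavioural check: sliding window of write-type events per user/host.
        q = windows[key]
        q.append(e["time"])
        while e["time"] - q[0] > WINDOW:
            q.popleft()
        if len(q) > MAX_EVENTS and key not in threshold_fired:
            threshold_fired.add(key)
            alerts.append({"kind": "write_rate_threshold", "user": e["user"],
                           "host": e["host"], "first_seen": q[0],
                           "events_in_window": len(q)})
    return alerts


def access_report(events: List[dict], share: str = SHARE) -> Dict[str, List[tuple]]:
    """Who touched files under the ePHI share, when, from which host, and how."""
    report = defaultdict(list)
    for e in events:
        if e["path"].lower().startswith(share.lower()):
            report[e["user"]].append((e["time"].isoformat(timespec="seconds"),
                                      e["host"], e["action"], filename(e["path"])))
    return dict(report)


def isolation_commands(alerts: List[dict]) -> List[str]:
    """Build the remote shutdown a response script would run per alerting host.
    Returned rather than executed here; a real deployment runs it from a
    management host under an account with shutdown rights on the target."""
    hosts = sorted({a["host"] for a in alerts})
    return [f'shutdown /s /f /t 0 /m \\\\{h} /c "Ransomware alert: isolating host"'
            for h in hosts]


def build_sample_audit() -> List[str]:
    """Constructed audit trail: normal clinical access, then one user renaming
    25 patient files to .ryk within ten seconds and dropping a ransom note."""
    def rec(t, user, host, action, name):
        return "|".join([t.isoformat(), user, host, action, SHARE + "\\" + name])
    base = datetime(2020, 10, 28, 9, 0, 0)
    lines = [rec(base, "nurse.kim", "WS-214", "READ", "p1042.pdf"),
             rec(base + timedelta(seconds=5), "nurse.kim", "WS-214", "WRITE", "p1042.pdf"),
             rec(base + timedelta(minutes=1), "dr.lee", "WS-107", "READ", "p2210.pdf")]
    t = base + timedelta(minutes=2)
    for i in range(25):
        lines.append(rec(t + timedelta(seconds=0.4 * i), "jdoe", "WS-305", "RENAME",
                         f"p{3000 + i}.pdf.ryk"))
    lines.append(rec(t + timedelta(seconds=11), "jdoe", "WS-305", "CREATE", "RyukReadMe.txt"))
    return lines


if __name__ == "__main__":
    evts = parse_audit(build_sample_audit())
    alerts = detect(evts)
    for a in alerts:
        print(a["kind"], a["user"], a["host"], a.get("events_in_window", len(a.get("paths", []))))
    print(isolation_commands(alerts))
```

The two checks cover each other’s blind spots: the extension library catches a slow, low-volume encryption run by a family whose artifacts are known, while the rate threshold catches a new family with an unknown extension. The threshold only counts write-type events, so a clinician reading many charts does not trip it.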
Monitor data uploads and downloads
Monitor the use of cloud applications across endpoints and track users’ uploads, downloads, and other activity across cloud storage platforms.
Implement a data loss prevention (DLP) strategy
Use tailored DLP policies to detect and block harmful file transfer attempts to external storage devices and web applications, keyed on the classification labels assigned during discovery so that a policy can say “no ePHI to removable media” rather than rescanning each file at transfer time.
Most importantly, analyze the incidents identified by your DLP tool and adjust your data discovery and DLP response policies as needed. You might need to narrow down data discovery rules to reduce false positives, widen the scope of your leak prevention policies to reduce false negatives, or adjust other parameters to ensure they stay in line with changing threat scenarios.
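As an added example for steps 5 and 6 (not code from ManageEngine), the following Python policy evaluator decides what to do with file transfer attempts to removable media, cloud storage, and email, using the classification labels from data discovery. The approved destinations and exempt users are the tuning knobs the last paragraph describes: a reviewed false positive becomes an approved destination or an exempt user, and a missed leak is fixed by widening a rule’s labels or channels. The rules, domains, device IDs, users, and files are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class TransferEvent:
    user: str
    host: str
    label: str          # classification label from data discovery, e.g. "ePHI-Restricted"
    channel: str        # "usb", "cloud_upload" or "email"
    destination: str    # removable device id, upload domain, or recipient mail domain
    filename: str


@dataclass
class Rule:
    name: str
    labels: Set[str]
    channels: Set[str]
    action: str                                                  # "block" or "alert"
    approved_destinations: Set[str] = field(default_factory=set)  # sanctioned targets let through
    exempt_users: Set[str] = field(default_factory=set)           # reviewed false positives


# Assumed policy set. The domains stand in for the organization's own sanctioned
# tenant and business-associate endpoints.
POLICY: List[Rule] = [
    Rule("ePHI to removable media", {"ePHI-Restricted"}, {"usb"}, "block"),
    Rule("ePHI to cloud storage", {"ePHI-Restricted", "Sensitive-Review"}, {"cloud_upload"},
         "block", approved_destinations={"tenant.sharepoint.com"}),
    Rule("ePHI by email outside the organization", {"ePHI-Restricted"}, {"email"}, "block",
         approved_destinations={"example-health.org", "clearinghouse.example"},
         exempt_users={"billing.svc"}),
    # Lower-confidence label: alert for review instead of blocking, to limit false positives.
    Rule("Possibly sensitive file to removable media", {"Sensitive-Review"}, {"usb"}, "alert"),
]


def evaluate(event: TransferEvent, policy: List[Rule] = POLICY) -> Tuple[str, Optional[str]]:
    """First matching rule wins; no match means the transfer is allowed and only logged."""
    for rule in policy:
        if event.label not in rule.labels or event.channel not in rule.channels:
            continue
        if event.destination in rule.approved_destinations or event.user in rule.exempt_users:
            return "allow", rule.name        # sanctioned exception, still attributed to the rule
        return rule.action, rule.name
    return "allow", None


def run_dlp(events: List[TransferEvent], policy: List[Rule] = POLICY) -> List[dict]:
    results = []
    for e in events:
        decision, rule = evaluate(e, policy)
        results.append({"user": e.user, "host": e.host, "file": e.filename,
                        "channel": e.channel, "destination": e.destination,
                        "decision": decision, "rule": rule})
    return results


def summarize(results: List[dict]) -> Dict[str, int]:
    """Counts per decision; the 'alert' queue is what the tuning loop reviews."""
    counts = {"block": 0, "alert": 0, "allow": 0}
    for r in results:
        counts[r["decision"]] += 1
    return counts


# Constructed transfer attempts; users, hosts, device IDs, domains and files are invented.
SAMPLE_EVENTS = [
    TransferEvent("nurse.kim", "WS-214", "ePHI-Restricted", "usb", "USB\\VID_0781&PID_5583", "p1042.pdf"),
    TransferEvent("billing.svc", "SRV-BILL", "ePHI-Restricted", "cloud_upload", "tenant.sharepoint.com", "claims_q4.csv"),
    TransferEvent("jdoe", "WS-305", "ePHI-Restricted", "cloud_upload", "drive.google.com", "patients_export.zip"),
    TransferEvent("dr.lee", "WS-107", "ePHI-Restricted", "email", "gmail.com", "p2210.pdf"),
    TransferEvent("billing.svc", "SRV-BILL", "ePHI-Restricted", "email", "payer.example", "remit_837.txt"),
    TransferEvent("analyst", "WS-410", "Sensitive-Review", "usb", "USB\\VID_0951&PID_1666", "onboarding.txt"),
    TransferEvent("marketing", "WS-022", "Unclassified", "usb", "USB\\VID_0951&PID_1666", "brochure.txt"),
]

if __name__ == "__main__":
    results = run_dlp(SAMPLE_EVENTS)
    for r in results:
        print(f'{r["decision"]:5} {r["user"]:12} {r["channel"]:12} -> '
              f'{r["destination"]:24} {r["file"]} ({r["rule"]})')
    print(summarize(results))
```

Rule order matters: the block rules for confirmed ePHI come first, and the review-only rule for the lower-confidence label comes last, so tightening classification upstream (turning a Sensitive-Review file into ePHI-Restricted) automatically moves it from the alert queue to a hard block without any policy change.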
How ManageEngine can help ensure healthcare data security
ManageEngine DataSecurity Plus is a unified data visibility and security platform that performs file auditing, file analysis, data risk assessment, data leak prevention, and cloud protection.
It helps users locate and automatically classify files containing ePHI. It also identifies file permission vulnerabilities, audits user activity in critical files, and prevents sensitive data leaks via endpoints.
Together, these capabilities ensure all-around protection of healthcare data at rest, in use, and in motion.