HIPAA Compliant File Sharing
The healthcare industry is a valuable target for cyber criminals because of the information that can be gleaned, which includes Social Security numbers, medical histories, insurance information, email addresses, and more. HIPAA and HITECH compliance standards set the requirements for protecting the privacy and security of protected health information (PHI), which encompasses the personally identifiable information (PII) held in a patient's records.
Targets include health insurers, healthcare providers, the many entities that act as their service providers, and insured individuals themselves, because black-market prices are higher for health records than for credit card numbers alone. Healthcare cyberattacks lead to identity theft from file shares that hold far more data than a payment card, insurance information that can be held hostage, and brute-force and phishing campaigns that are easier to carry out and harder to spot, since an attacker who already holds personal details can make a message look legitimate.
Similarly, medical correspondence makes an effective lure: unsuspecting recipients readily open what looks like a message from their provider, or respond to a malicious solicitation without realizing it.
The healthcare industry is pursuing total digital transformation more than ever. Cybersecurity and theft prevention for the PII stored in file sharing systems must sit at the forefront of an enterprise's business priorities, planned with the rigor of any large business rather than treated as a side project, as a minor service provider might.
For most enterprises that provide medical benefits to employees, most of the interaction is with the broker and the insurance provider or aggregator, including major HMOs that run their own apps for sharing health information; each of those apps is another place where that information can be compromised.
Data theft prevention that complies with HIPAA and HITECH starts with deciding which files will be preserved and migrated to critical file servers. As with any digital transformation effort, the first stage is deciding what files to keep, how to categorize that information, and finally how to prioritize it all.
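The categorization and prioritization step described above, as an added example that is not part of the original page or any vendor's product: a small Python scanner that tags each file by the identifier patterns it contains (Social Security number, medical record number, date of birth, email address, diagnosis keywords) and orders the files for migration, most sensitive first. The regexes, the three tier names and the handling recommendations are assumptions chosen for illustration, not any regulator's definitions; the sample file contents are constructed.

```python
"""Classify files by the HIPAA/HITECH identifiers they contain.

Added example (not from the original page). The indicator patterns,
tier names and handling recommendations are assumptions chosen for
illustration, not any regulator's or vendor's definitions.
"""
import re
from dataclasses import dataclass, field

# Regexes for identifiers that make a record PHI or PII. The SSN pattern is
# the common AAA-GG-SSSS form; MRN assumes a label followed by 6+ digits.
INDICATORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\b[:#\s]*\d{6,}", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{4}",
                      re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "diagnosis": re.compile(r"\b(?:diagnosis|dx|icd-?10)\b", re.IGNORECASE),
}

# Any one of these on its own makes the file protected health information.
PHI_INDICATORS = {"ssn", "mrn", "diagnosis"}


@dataclass
class Classification:
    name: str
    tier: int                      # 1 = PHI, 2 = PII only, 3 = no identifiers
    indicators: set = field(default_factory=set)

    @property
    def handling(self) -> str:
        """Migration priority and placement for the file (assumed tiering)."""
        return {
            1: "migrate first; restricted share, encrypted, access logged",
            2: "migrate; confidential share, access controlled",
            3: "review for retention; standard share",
        }[self.tier]


def classify(name: str, text: str) -> Classification:
    """Scan file text for identifier patterns and assign a tier."""
    found = {label for label, rx in INDICATORS.items() if rx.search(text)}
    if found & PHI_INDICATORS:
        tier = 1
    elif found:
        tier = 2
    else:
        tier = 3
    return Classification(name, tier, found)


def inventory(files: dict) -> list:
    """Classify every file and return them ordered by migration priority."""
    return sorted((classify(n, t) for n, t in files.items()),
                  key=lambda c: c.tier)


# Constructed sample contents standing in for a file share (not real data).
SAMPLE_FILES = {
    "newsletter.txt": "Flu shots are available every Tuesday in the lobby.",
    "claims_export.csv": "member_id,group,email\nA1B2C3,ACME,jane@example.com",
    "intake_form.txt": (
        "Patient: Jane Doe\nSSN: 123-45-6789\nDOB: 04/12/1980\n"
        "MRN: 00012345\nDiagnosis: hypertension"
    ),
}

if __name__ == "__main__":
    for c in inventory(SAMPLE_FILES):
        print(f"tier {c.tier}  {c.name:18} {sorted(c.indicators)}  -> {c.handling}")
```

Run against a real share, the same loop would walk the directory tree and feed each file's text to classify(); the point is that the migration list is driven by what the files actually contain rather than by folder name, and that anything carrying a PHI indicator is moved first and onto the most restricted storage.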
Consider this typical patient scenario. Unless you are still able to visit the family doctor who has treated you since childhood, you are only as relevant as the latest medical information uploaded and entered into your 'file', and even then corrections are always needed. Your last doctor visit may have started with checking in at the appropriate department and building by swiping your medical card, which brought up a wealth of information for the admin running the front desk. Any balance still owed to the provider and any co-pay were promptly settled before you waited to see the doctor, at which point you inserted or swiped a credit or debit card in a payment terminal, entered a PIN if necessary, and approved the transaction. You were then shuttled to the appropriate exam room to wait again for another person to enter, confirm your information on a wall-mounted computer, take your vitals, and enter them into the digital chart open in front of them. Any medications were confirmed and re-ordered as necessary to be filled at the pharmacy of your choice, and then you waited again for the actual doctor to carry out the exam you made the appointment for.
Your chart, medical history and personal information are confirmed yet again, and more information is entered about you, including an email address where you can be contacted. If your provider is an HMO like Kaiser, you then visit the pharmacy in the same building and swipe all your personal information yet again.
Additionally, you have made several points of contact and given them everything but a pint of blood or your first born. But wait! What if you did have a child at this hospital? Then they have your first child's information too, and probably your blood type and lab results on any blood drawn. Maybe a genetic test was ordered as well for cancer prevention. At this point literally your entire life, your chromosomes, your blood, your prescriptions, everything that makes up YOU, is stored in a computer or computers, and your only protection or guarantee that all of this will remain private is how well this particular healthcare enterprise has put some kind of firewall between your critical information and any cybercriminal with a keyboard who makes a living from ransomware, brute-force attacks, phishing, and exploiting any weakness available. A stolen credit card number spending spree has nothing on a healthcare provider falling victim to a calculated file share cyberattack targeting personally identifiable information (PII).
Beyond deciding what data must be migrated and preserved, the issue becomes one of monitoring, controlling, and being constantly vigilant. Data theft prevention and disaster recovery planning is a full-time job, whether that means employing staff or engaging resources and providers to be at the ready with solutions that mitigate any known or unforeseen threat. Healthcare professionals, insurers, doctors, nurses, and medical staff are trained to be the epitome of trust, but what happens to an institution or healthcare brand hit with a major attack like the ones suffered by credit bureaus such as Experian? They lose customers. In the United States, patients are customers, and customers have a choice of providers.
For the Affordable Care Act exchanges, a successful compromise of an enrollment website would throw some state governments into complete chaos. An already burdened system is not too big to fail: if enrollment drops off, costs soar, emergency rooms become the main source of medical care, and even then there is no guarantee of adequate care. In other words, the healthcare industry in this country is ripe for a major attack, and it's not a matter of if, it's a matter of when.
So, what to do? First, don't panic. Then engage trusted partners to help you navigate the quagmire of data loss prevention, data theft, and data protection. Laws already govern medical privacy, including the well-known HIPAA, the gold standard for all things concerning patient privacy. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a US privacy law put in place to protect medical information, including patients' records, and to allow confidential communication between patients and medical professionals. HIPAA has many components, including portability of medical coverage in case of a change in job status, prevention of fraud and abuse, and a mandated set of universal standards that the Department of Health and Human Services has jurisdiction over. The component best known in the data security business and in enterprise employment rules and regulations is the patient's right to privacy of their medical history and information, no matter what.
Being HIPAA compliant is understandably the number one goal, and because that compliance is regulated it must be controlled and monitored constantly, with checks and balances put in place and exercised regularly. There is no such thing as being mostly HIPAA or HITECH compliant. On the heels of regulation, additional service providers have stepped up to fill the data security gap, since most healthcare institutions' core need is treating patients, not protecting file shares. The healthcare industry is already rife with critical obstacles, and it is now exploding as everyone tries to streamline, go fully digital, and share information easily across multiple platforms, or coalesce those platforms into a single storage provider. Healthcare-related start-ups are ubiquitous wherever venture capital investors and interested parties gather, because of the urgent need to disrupt the industry behemoth. Apps and online accounts are replacing advice nurses and mailed postcard appointment reminders. Several app start-ups in the healthcare sector are seeking to be the go-to data aggregator that joins the ecosystem of a patient's medical history and ongoing care across several providers and platforms.
But who stores these company files and keeps this data from getting into the wrong hands? Several cloud storage providers have made their services known by targeting this industry with very expensive advertising campaigns. Cloud storage and cloud-based file share servers are more popular than ever, but just because technology has streamlined, organized, and centralized, does that mean every industry must follow suit and hand over its critical digital assets to outside ownership and storage simply because it is easier now?
Take a step back and picture the doctor's office of not so long ago. Rows and rows of manila folders full of paper, test results, and meticulous notes, stacked from floor to ceiling, categorized by year and alphabetized by patients' last names. Imagine a truck pulled up, took all those files, drove them thousands of miles away, loaded them into a warehouse, and then told you not to worry: the doors have industrial locks, the environment is climate controlled, and guards are on duty 24/7. The only way you can access the files is by opening a computer screen, typing some words or numbers into a search box, and hoping the right search result comes up with the best information. Now imagine the power goes out, the warehouse has a disastrous fire, or armed thieves break in, run off with all the manila folders, and sell them to the highest bidder who can never be traced. Then what?
Healthcare service providers, insurers, and medical institutions are in the business of providing the best care possible to customers who qualify based on cost and the services provided. They are in the business of making people well, preventing disease, curing the sick, and conducting research to combat the latest real-world viruses. They are not in the business of constantly maintaining, transferring, and sharing files across the country in the most secure way possible while worrying about computer viruses. Until now. There is no excuse for any modern PPO, HMO, EPO, POS, or private practice specialist not to have a HIPAA and HITECH compliant file share theft prevention and disaster recovery system in place. That includes the state and federal governments that monitor and administer exchanges under the Affordable Care Act.
Major enterprises, including HMOs and government entities that administer healthcare exchanges, urgently need to consolidate systems and adopt a data security tool that lets on-premises users access and share data remotely as needed, with guaranteed secure access and the mandated HIPAA and HITECH privacy precautions in place. If disaster strikes and a cloud storage provider is hacked, or data is breached some other way, those users should be redirected to an on-premises server and/or a standby server that has been backing up and storing the data. With an encrypted, secure tool, users could instantly reach that data through a secure web login, a local Active Directory mapped drive, or a mobile app, and stay in business with a patient's information at the ready while maintaining security. MyWorkDrive.com provides this extra layer of protection, privacy, and recovery. An army of IT staff does not have to be kept on hand and deployed at every instance of downtime or data loss. MyWorkDrive has recently been certified as a DUO Authentication partner and as Skyhigh Cloud Trust Enterprise Cloud Ready, meets the US federal government's FIPS encryption standards, and now offers encrypted viewing and watermarking of files that prevents users from downloading, copying, or printing them, as an added layer of data theft prevention. No files are ever stored, migrated, or processed by MyWorkDrive; all files remain on the customer's own secure file shares.
There are many choices for cloud storage and file sharing, including huge providers like AWS and Google Drive and smaller players such as Egnyte and Sharecloud. None of these providers can guarantee total compliance, because by their very nature they are cloud based and depend on shared cloud storage and mobile user management to secure files. If you are a healthcare provider, or a government institution that mandates and monitors the healthcare industry, you need a data security tool that does what none of them, including OneDrive, Dropbox, and Azure cloud, is able to do: give you total control over data storage, access, ownership, privacy, management, and recovery. MyWorkDrive allows flexibility, lower cost of ownership, agility, more productivity, and guaranteed privacy so you can focus on the core competence of your practice. With MyWorkDrive there is no need to compromise and go with a cloud-based file storage solution. If you do go with a cloud-based solution, take a long hard look at the best plan of action for disaster recovery, file security, ownership, and control. Again, it's not a matter of if PII is leaked, it's a matter of when. In healthcare, prevention is the mantra, as it should be. Your patients' medical information and data privacy should be no exception.