Today’s health care organizations are confronting complex data protection challenges, and the stakes are high. The industry has long faced intricate regulatory requirements, including the provisions of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, plus jurisdiction-specific privacy regulations such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
But the current crisis is motivating health care security leaders to think beyond compliance. As organizations’ budgets rapidly shift and new threats emerge, it’s become critical to find new ways to reduce risk within an ever-changing environment. It’s also become important to safeguard the organization from previously unimagined perils.
Faced with the cancellation of elective procedures and declining patient volumes under shelter-in-place orders, many health care systems are now operating with larger revenue deficits than they’ve ever seen. These negative margins will ultimately impact every facet of budgeting and financial planning for the foreseeable future.
At the same time, some hospitals’ emergency room and intensive care unit capacity has been overwhelmed. Temporary field hospitals were constructed in certain areas, and emergency care providers have been called upon to take extra shifts. The shortage of beds and health care workers has been compounded by the fact that more than 9,200 providers have themselves been infected.
To alleviate the strain and protect vulnerable populations alongside the clinicians who treat them, many health systems have begun offering virtual visits and other digital services. And they’ve been requiring as many of their employees as possible to work from home. This means they’re using videoconferencing solutions and other cloud-based collaboration and productivity apps in new ways, and at a far greater scale.
From a data protection perspective, it’s the perfect storm. Just as budgets are shrinking, health care organizations’ IT infrastructures are expanding to incorporate providers’ home wireless networks, makeshift health care facilities, and other remote deployments, many of which were created on the fly. These new circumstances have opened new gaps in existing security policies, processes, and procedures. Additionally, security teams now lack visibility into cloud applications, external networks, and employee-owned devices. It’s vital to re-imagine strategies and re-evaluate priorities to continue to protect against data exfiltration, whether it’s accidental or malicious.
The “Crown Jewels”: Health Care Data is Uniquely Critical
The health care industry’s situation differs from any other industry. Health care providers and other entities including insurers, health care clearinghouses, and service providers that handle or transmit their data are mandated to comply with stringent security and privacy regulations. Their ethical imperative to ensure patient health information is accurate, confidential and available is exceptionally strong. That’s because health care data maps directly onto human lives, and the potential impact of a breach in which Electronic Medical Records (EMRs) are either altered or erased would be catastrophic.
The health care industry is also unique in terms of the immense volume of data that providers and other organizations must collect and retain. Every patient’s name, address, Social Security number, date of birth, and another unique identifier (the medical record number, or MRN) must be kept along with detailed diagnosis histories, treatment plans, test results, and progress notes. In addition, insurers face the combined risks of the health care and insurance industries.
Securing the New Normal
Over the coming weeks, we’ll be publishing a blog series highlighting key challenges that health care security leaders are now tackling. We’ll discuss tactics and strategies that can help organizations navigate current issues and be better prepared to face future crises.
In particular, we’ll be taking a deeper dive into securing cloud-based health care applications, like video conferencing platforms, that have seen such a sudden and dramatic increase in usage within the industry of late. We’ll also talk about ensuring electronic medical records access procedures don’t become a source of data leakage (whether accidental or malicious). And, we’ll consider the recent spike in phishing and spear phishing attacks that have targeted the industry, and ways to mitigate the risk they pose.
Be sure to check back next week to read more.
Editor's Note: Here are links to the other posts in this series.