This morning, during my normal search for interesting data security reads I stumbled across a stimulating article discussing healthcare data security. As you may know from my earlier posts, healthcare data is now one of the hottest items on the black market as it’s worth has skyrocketed do to lack of security controls within healthcare and the increase in security of credit card data (the nefarious’ old favorite target). This means that criminals have their crosshairs locked onto medical data, today’s new data gold, and that in response healthcare orgs must place an even greater emphasis on securing it. Even with low IT budgets. Needless to say, the read peaked my interest.
In the article, the author questioned the idea of anytime, anywhere access to information and whether or not this 24/7 amount of access to data is worth the risk of harm to healthcare organizations. The Healthcare industry is evolving, and like with anything else, growing pains will naturally come as a result. In an industry where 90% of clinicians use their own personal device for work, the author makes a pretty strong point. BYOD is growing steadily within the industry, and over two thirds of institutions are using cloud applications to host data. Healthcare institutions do need to take a different look at their security policies.
I agree with the author when she mentioned that institutions can take a page out of the National security industry's books by instilling a least-privilege rule for their data, only allowing people who need access to it to be able to view it. But it’s also important to realize that the idea of insider threats is NOT a separate discussion; it’s an extension of it. 68% of healthcare data breaches are from lost mobile devices. And last I checked, it was the clinicians aka “insiders” that were the ones losing those devices. The thing that healthcare institutions must grasp is that anywhere, anytime access, with a least-access rule in place, while providing contextual access control is an absolute possibility. They just need to deploy a cloud access security broker (CASB).
Healthcare clinicians work long hours, and do need access to information when it’s convenient for them but need IT's help in keeping them from using medical data improperly. They need to be trained by the IT team and taught the best practices for minimizing risks. Saving lives never ends, and now neither does the need for securing healthcare data.
To learn more about Healthcare data security, take a look at the 2014 Bitglass Healthcare Breach Report
Product Marketing Manager @Bitglass