David Pignolet

Mitigating risk to healthcare data in heightened threat environments

March 03, 2020
By David Pignolet

The digitization of healthcare has been a powerful tool in creating better, faster, and more complete care for patients. Today’s technology enables patients and providers to more easily view and share health records, eliminate duplicate tests, improve the overall care experience, and reduce time spent on administrative duties. However, as advantageous as digitization has been for patients and healthcare professionals, it also creates a greater risk of data and access-related breaches.

This is a particularly daunting challenge for the healthcare industry. Healthcare organizations, including hospitals, utilize a large and diverse number of third parties, from students to doctors and even IoT devices to support their goal of creating a market-leading patient experience routed in satisfaction, safety, and privacy. The number and variety of third parties utilized by healthcare organizations can be limitless and unfortunately, third parties are very risky. According to a Ponemon Institute study, more than half of all data breaches can be traced to third parties and only 16% of organizations say they are equipped to effectively mitigate third-party risks.

In many cases, healthcare organizations don’t have systems in place to centrally track and manage their relationships with this burgeoning number of third parties and the access to facilities, systems, and data they require. This gap can lead to providing access that is superfluous to a user’s needs and not terminating access in a timely manner. Both of which can unwittingly expose sensitive health information and also create additional access points for hackers. Risk mitigation has never been more vital, as the number of data breaches are on the rise – due in no small part to overprovisioned access. In 2018 alone, there were more than 350 data breaches that resulted in more than 5 million healthcare records being exposed, twice as many healthcare records that were exposed in 2017.

To best reduce the risk of healthcare data breaches, follow these three key steps:

1. Quantify your organization’s risk exposure
While the operational challenges are clear and often recognized, a potentially more impactful issue is unmeasured risk exposure. According to a Ponemon Institute supply chain study, most organizations do not know their exact number of third-party users, as only a third of organizations have a record of all third parties with access to sensitive information. Healthcare organizations are admittedly one of most regulated industries in the world, so understanding and mitigating risk exposure are essential capabilities. With the proliferation of security breaches, the regulation of data security and privacy must continue to evolve to match the risks.

While most organizations assess risk at the organization level of their vendors, partners, and suppliers, highly regulated industries like healthcare need to be more diligent and risk-rate each individual third-party identity in order to have a comprehensive understanding of their risk exposure. By risk rating individuals, organizations can ensure that users are not provided with too much access, that access is monitored to be in-line with current responsibilities (as users may change roles over the lifetime of their relationship with the organization), and that access is terminated in a timely manner when it is no longer required.

2. Audit non-employee population access
Patients interact with third parties, also known as non-employees, throughout their healthcare experience, exposing their sensitive data to a wide variety of potential threats. Organizations should proactively, rather than reactively, evaluate and audit current access for third parties on an ongoing basis, and particularly during periods of heightened risk like a virus outbreak, geopolitical conflict, or natural disaster. If an organization is centrally managing its third-party identities and providing each with risk ratings, they are in a powerful position to take action and make well-informed decisions that can mitigate the danger of a heightened risk climate.

Unfortunately, many health organizations will be surprised to learn how many non-employees have access to sensitive information that is not needed for the duties of their role. This means assessing the risk presented by every non-employee individually, rather than grouping individuals from the same outside organization (like a temp agency or medical school) together and assuming they possess the same risk profile.

3. Mitigate risk through appropriate access adjustments
Once a healthcare organization has provisioned access and provided a risk rating to each individual identity, the next step is identity verification and the timely removal of all unnecessary access to internal facilities, systems, and data. For example, a person that once worked as a hospital scribe and has since transitioned into an administrative role does not need the same access they once had. As such, their access should be adjusted accordingly and not just incrementally provisioned with additional access for their new role. Additionally, organizations can create automated workflows that require high-risk third parties to confirm their need for access at more frequent intervals than lower risk identities.

Ultimately, healthcare organizations cannot adequately protect the safety and privacy of their patients and staff if they are not able to secure sensitive information through agile methods of managing risk. With improved, risk-based access management at the identity level, healthcare organizations can mitigate the risk of breaches and make better-informed decisions. Adopting purpose-built systems designed to manage the dynamic relationships that healthcare organizations have with their third parties is instrumental in reducing the risk of over-provisioning users, meeting access verification and compliance needs, and supporting timely termination of access.

About the author: David Pignolet is the CEO of SecZetta.