The healthcare industry is facing rates of cybercrime at a pandemic level. In fact, healthcare breaches accounted for 43% of all reported breaches between 2014 and 2016. The digitisation of healthcare records amidst a changing cybersecurity landscape has broadened healthcare organisations’ exposure points, and as demand for data sharing between healthcare organisations increases, so does the risk of a data breach and of non-compliance with patient data protection regulations.
This past year has been a massive one for healthcare data breaches in the UK. The National Health Service (NHS) has faced ransomware attacks and, most notably, a major data breach that exposed the medical records of 26 million patients.
How did this happen?
Due to a lack of control and oversight, doctors were able to change a setting in the IT system to make patient records shareable across different healthcare organisations – ultimately exposing the records to thousands of workers across the country.
With this breach, we saw practitioners, the UK government and citizens jump into crisis mode. What was the cause of this breach? In large part, a failure to properly govern identities and their access to sensitive patient data.
What makes this an interesting case for identity is that it wasn’t malicious. Doctors aren’t IT professionals. Their job is to make sure patient care is delivered accurately and in a timely manner across different care providers. Making patient records accessible to the hospital or the specialists that doctors are sending their patients to seems like a reasonable way to expedite care, save time and provide good service to patients. But without proper governance, it quickly became a massive exposure point that was ultimately exploited, affecting millions of people.
As this real-world example illustrates, sensitive data often gets exposed through legitimate users doing their jobs on a daily basis without realising they’re exposing their organisations to risk. And it could very easily happen again.
For example, a clinician conducting a research study may copy and paste medication administration data from the Electronic Health Records (EHR) system into an application such as Word, PowerPoint or Excel for sharing. Or a provider organisation’s Health Information Management department may run a real-time operational report for auditing purposes, and later save this report to a network drive for future reference. Both of these actions, while helpful to the employees performing them, also take sensitive data outside of protected systems, creating additional exposure points for the organisation.
This data problem is not unique to healthcare organisations. It’s a common challenge that many organisations are trying to overcome, given that an estimated 80% of all data is stored in files. Organisations need an effective and efficient approach to mitigating the risk of exposing sensitive data to unauthorised individuals or groups—some of whom may have questionable or even malicious intent.
Is there a proverbial vaccine for this widespread issue that affects virtually everyone on both the patient and care-provider sides? It’s not that simple, but the good news is that the healthcare industry can learn from other highly regulated industries how to better address this challenge.
Implementing a robust identity governance program can help. Identity governance allows organisations to answer the question of who has access to what, and what they are doing with that access. Answering it addresses an organisation’s exposure points, reducing the risk of a data breach and limiting the damage an attacker can do if the organisation is breached. It also allows IT and healthcare providers to be more efficient and to focus on their respective roles without putting their organisations at risk.
When it comes to healthcare, the stakes are high. Healthcare records are valuable to hackers and cost a lot in compliance fees when exposed, not to mention the reputational damage. Organisations need the right tools to make sure access to sensitive data is granted and controlled appropriately, especially as this data is increasingly found outside of IT’s purview. This is where identity comes in. With identity governance, healthcare organisations are empowered to deliver care while knowing their patient data is secure.