Whether you are working in a hospital, medical billing company, or other healthcare organization, trying to find and protect sensitive data within your organization can be challenging. Finding where your data resides is the first step in beginning to classify and protect it. Having effective sensitive data discovery is a crucial piece of any data loss prevention (DLP) strategy.
Why do I need to worry about my sensitive data?
Working in healthcare means you are likely dealing with sensitive data on a regular basis. From social security numbers to medical records to credit card numbers, hospitals and healthcare companies generally see it all. Some of the more commonly known standards and regulations are:
- HIPAA (Health Insurance Portability and Accountability Act of 1996) – HIPAA is undoubtably the first thing that comes to mind when working in healthcare. This act establishes a number of rules designed to protect PHI (personal health information), such as:
- Privacy Rule: This rule covers regulations for using and disclosing of PHI related to payment, operations, and treatment of patients.
- Security Rule: This rule outlines three types of safeguards required for compliance when using Electronic Protected Health Information (EPHI), which are physical, technical, administrative.
- Breach Notification Rule: This rule requires organizations to notify individuals affected by a breach, as well as the U.S. Department of Health & Human Services (HHS).
- HITECH Act (Health Information Technology for Economic and Clinical Health Act) – This act was designed to promote and expand health information technology, such as the adoption of Electronic Health Records (EHR) and their associated systems. Additionally, this act brought changes to the breach notification requirements.
- PCI-DSS (Payment Card Industry Data Security Standard) – Although PCI isn’t the first thing that comes to mind when working with healthcare data, it is certainly something you should be aware of if handling payments, billing, etc. This standard highlights twelve security controls designed to protect payment related information, most commonly seen as credit cards. This type of data also goes beyond the typical treatment related payments, as credit cards are often processed in cafeterias and gift shops as well.
What happens when sensitive data is stolen?
Although finding and protecting sensitive data might seem like a difficult and expensive task, dealing with a breach is often several order of magnitudes worse. FierceHealthcare reports that for the first half of 2019, over 280 breach incidents have been reported to the U.S. Department of Health and Human Services or the media. They elaborate further, stating “Details were disclosed for 240 of these incidents, affecting nearly 32 million patient records”. It is no longer becoming an “if” organizations will experience a breach and has now entered a “when”. Thales security reports that “U.S. Healthcare Industry Needs a Shot in the Arm When it Comes to Data Protection: 70% experienced a breach; Less than 38% are encrypting”.
It shouldn’t come as a surprise that breaches are on the rise, as attackers are finding the records increasingly valuable. Experian reports that while a social security number may only be worth $1, credit cards can be worth over $100, and the value of a medical record can approach $1,000. If it is valuable, attackers will attempt to steal it; and healthcare is a high value target.
Given the amount and sensitivity of the data healthcare organizations deal with, data loss prevention has emerged as a key pillar for most healthcare IT security teams. But even with its growing importance, implementing and maintaining a DLP program can be difficult and expensive. Products in this space are often priced per device being scanned, which can very quickly lead to a 6 or 7 figure purchase for larger organizations. Additionally, some license models are restrictive in what can be scanned, forcing organizations to supplement with other products to gain complete visibility.
What is the solution?
Seeker is a Data Loss Prevention tool designed to help organizations find sensitive data on workstations, servers, databases, and more. The pricing model of Seeker is friendly to healthcare organizations of any size, offering up non-profit discounts as well as unlimited host scanning. With the ability to scan both Windows and Mac devices, file shares, and databases; Seeker is the ideal solution for organizations looking to deep dive into data loss prevention.
Ready to start? Download a free 30-day trial to see how quickly Seeker can find where your sensitive data is hiding.