Protect PHI and PII from employee misuse of privileged access

The modern healthcare system is rapidly changing with new and evolving technologies and equipment. 

These high-tech innovative technologies are replacing paper and it is clear that healthcare specialists should pay attention to, and focus on, organizational and technical issues, including the implementation of electronic medical records. It is also vitally important to maintain effective cost control of materials as well as optimizing costs whilst maintaining the quality of treatment. The use of cloud applications, IoT-enabled medical devices and patient portals all help to create larger, more sophisticated integrated healthcare networks.

However, these changes and improvements are associated with certain risks, namely increased cybersecurity threats that challenge healthcare data security.

According to the annual protected health information data breach report, the healthcare sector is the most susceptible of all sectors to cyber-attacks and human errors, which lead to the undesirable and embarrassing disclosure of confidential and sensitive patient data.

Focusing on cases of security breaches in healthcare and those cases where confidential information was at risk, 58% of such breaches were the result of internal factors, something unique to the healthcare industry. A data breach can be the result of a single factor or of several:

  • Malpractice of an administrator, who has access to sensitive personal information and payment details
  • Loss of privileged access credentials
  • Misuse of privileged access data when administrators keep their privileged access credentials in an insecure place, for example near their computers or under the keyboard. In this case, an intruder has no difficulty getting access to valuable records and using them for deceptive purposes.
  • Hacker attacks

The number of data breaches in healthcare has significantly increased in recent years due to the value of patient records. There are many examples of healthcare providers who have come across this problem. For example, the Employees Retirement System of Texas discovered a flaw in its ERS online portal that allowed certain individuals to view the protected health information of other members after logging into the portal. The cause of the breach was unauthorized access, and potentially up to 1,248,263 individuals’ PHI (Protected Health Information) was at risk and viewable by other health plan members.

The same situation was repeated in Adams County where hackers gained access to its network and could see the PHI and PII (Personally identifiable information) of 258,102 individuals.

Did you know that the cost per record in the healthcare industry is about $408? In comparison, the cost per record in the finance industry is about $206. Securing healthcare information systems is a trending topic now, as healthcare data is the most expensive by industry and, as a consequence, more attractive for intruders.

In order to prevent data breaches, stricter regulations around healthcare access management have become necessary. The European Union countries increased penalties for non-compliance with GDPR and violation of patient data privacy. Currently, a penalty may reach up to 4% of annual turnover, excluding legal costs and compensation, in cases of disclosure of confidential patient data. Healthcare organizations have spent an average of $6.5 million for nine consecutive years, which is over 60 per cent more than all other sectors combined, according to a Ponemon Institute report.

Enterprises of all sizes are at risk. The cost of a data breach for a small or medium-sized organization with fewer than 500 employees may reach up to $2.5 million or 5% of annual revenue. For a large enterprise with over 25,000 employees, this increases to an average of $5.11 million. A single medical data security breach may result in the bankruptcy of small and medium-sized companies and cause significant damage to large organizations, affecting not only the financial side but also the reputation of the organization. That is the reason why health data security is so important.

Based on our own experience we can confirm the aforementioned facts. One of our use cases was the implementation of access management in a government insurance organization in Asia. This organization issues a unique code to each citizen for hospital attendance. However, reimbursements were sometimes stolen before they were paid to the citizens. In order to prevent such cases of unauthorized transfer of funds, it was decided to implement employee authentication using a mobile application. Now, when a citizen comes to the hospital, an authorized employee must first authenticate the patient. The employee first validates himself or herself using face recognition and a unique code; only after this validation can the system authenticate the customer. This approach was implemented in order to rule out collusion between the employee and the customer. As a result, the problem of unauthorized access is resolved through strong two-factor authentication. Due to improved hospital access management, the level of corruption is now zero.

Another use case is a cancer research center in Asia where there was a breach of confidential scientific research and patients’ private data due to the unauthorized privileged access of one of the administrators. Relying on passwords alone to secure the data was not enough in this case. In order to secure the healthcare data of the center, it was decided to control the use of privileged accounts by making text and video records of the privileged sessions and to implement 2FA using a TOTP code together with the domain password.

Now the passwords of administrative accounts remain secret and two-factor authentication is required for privileged access. Security staff can view video and text records of sessions in real time, identify privileged accounts in use and bring them under control.
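The two use cases above both come down to the same control: a privileged action is allowed only when two independent factors check out, and every attempt leaves an audit record. The block below is an added example written for this article; it is not code from the vendor or from either customer. It implements RFC 6238 TOTP over HMAC-SHA1 and combines it with a PBKDF2-hashed domain password, using the RFC 6238 test-vector seed (`12345678901234567890`, base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`) and a constructed password so the codes can be checked against the published vectors. The function names, the audit-record shape and the 100,000 PBKDF2 iterations are assumptions for the example, not any product's API.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample data for ONE administrative account.
# The TOTP seed is the RFC 6238 test-vector secret ("12345678901234567890" in base32),
# chosen so the generated codes can be checked against the RFC's published values.
TOTP_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TOTP_STEP = 30          # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6
PBKDF2_ITERATIONS = 100_000   # assumed value for the example

PASSWORD_SALT = b"constructed-example-salt"
# Salted PBKDF2-SHA256 hash of the constructed domain password "CorrectHorse!1".
STORED_PASSWORD_HASH = hashlib.pbkdf2_hmac(
    "sha256", b"CorrectHorse!1", PASSWORD_SALT, PBKDF2_ITERATIONS
)

# In-memory audit trail of authentication attempts (no secrets are recorded).
AUDIT_LOG = []


def totp(secret_b32: str, timestamp: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238: HMAC-SHA1 over the big-endian time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", timestamp // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of the last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_password(candidate: str) -> bool:
    """Re-derive the hash and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), PASSWORD_SALT, PBKDF2_ITERATIONS)
    return hmac.compare_digest(derived, STORED_PASSWORD_HASH)


def verify_totp(candidate: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(TOTP_SECRET_B32, timestamp + drift * TOTP_STEP)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def authenticate_admin(username: str, password: str, code: str, timestamp=None) -> bool:
    """Both factors must pass. Both are always evaluated so that the response
    time does not reveal which factor failed, and every attempt is audited."""
    if timestamp is None:
        timestamp = int(time.time())
    pw_ok = verify_password(password)
    otp_ok = verify_totp(code, timestamp)
    granted = pw_ok and otp_ok
    AUDIT_LOG.append({
        "user": username,
        "time": timestamp,
        "password_ok": pw_ok,
        "totp_ok": otp_ok,
        "granted": granted,
    })
    return granted


if __name__ == "__main__":
    # RFC 6238 vector: at T=59 the 8-digit SHA1 code is 94287082, so 6 digits gives 287082.
    print(totp(TOTP_SECRET_B32, 59))
    print(authenticate_admin("admin01", "CorrectHorse!1", "287082", timestamp=59))
    print(authenticate_admin("admin01", "CorrectHorse!1", "000000", timestamp=59))
    print(AUDIT_LOG)
```

The audit entries record which factor failed without storing the password or the submitted code, which is what a session-recording or SIEM pipeline would consume to spot repeated privileged-login failures. In production the seed and password hash would come from a secrets store rather than module constants, and the drift window should stay small (one step either side) because each extra step widens the set of codes an attacker can guess.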

“Who is behind all this?” The main threat unexpectedly comes from: 

  • Vendors and third-party players whose access to the infrastructure is uncontrolled. They can configure all sorts of hardware and software. What exactly they are setting up and changing for the company may not be obvious, as their rights are usually very extensive. A privileged access manager is useful for controlling their activity.
  • C-level executives, such as the CFO and CIO, who have uncontrolled access to the information resources of your organization and to all sensitive data, and who can initiate fundamental and sweeping changes to the infrastructure of your company.

In this regard, it seems more reasonable to pay attention to the cybersecurity health of your healthcare company. Privileged accounts are the main target for hackers, and protection is especially important for healthcare organizations because privileged accounts can expose health information about patients. Privileged access management can have a significant and positive effect on an organization’s security and on its compliance with healthcare data security policies and regulations such as GDPR in the European Union and HIPAA and HITECH in the USA, and it can help answer the questions of who has access, to what extent and for what purpose.

So, what are YOU going to do and what actions will YOU take to protect the cybersecurity health of your organization?