A view from the Center

Deloitte's Life Sciences & Health Care Blog

Data protection for health systems: From the inside out

If we’ve learned anything about the state of data security in 2016, it’s that health care organizations are getting better at recognizing the cyber threats they face – and hackers are getting even better at penetrating medical data stores and compromising personal health information.

Two recent breaches in the health care industry underscore the severity of the threat. Earlier this year, a big health insurance network was targeted by cyber thieves who breached a third-party contractor and exposed the records of an estimated 3.3 million customers.

More recently, a hospital system suffered an attack on point-of-sale (POS) terminals that stole credit card information in a hospital cafeteria. The breach highlighted a new vulnerability outside of traditional cyber attacks on health care systems: a POS compromise may open a door to those seeking to infiltrate more sensitive medical data systems.

Cardholder systems. For some time, one key area of focus for Deloitte has been on how to withstand attackers who use cardholder systems to gain entry into the broader and more lucrative area of personal health information. Cardholder systems provide attackers with new opportunities to siphon valuable information, and they are taking advantage. Such breaches can be easily monetized.

While new lines of defense (including greater use of EMV or chip-embedded credit cards with corresponding PINs) are being adopted to make hacking more difficult, many attackers respond by going after back-end databases where critical personal information is stored.

Electronic health records. Electronic health care records maintain a longer shelf life than credit card data, and hackers can use them for identity theft. Medical information has a high resale value in dark web circles. According to industry estimates, the street value of stolen medical information is about 50 times the value of a stolen Social Security number. The average cost to victims of medical identity theft is believed to be about $20,000, an estimated 10 times the value of regular identity theft.

The openness of the industry – with frequent crossing of provider, plan, and research borders – offers even more complexity and greater control challenges. With the growing digitization of health care and big data analytics for population health management, attackers can strike even more fiercely once they’ve found their way into the network by whatever means available, as a recent breach showed. As a rule of thumb, it’s wise to assume cyberattackers aren’t just coming; they’re already here.

Health care is an attractive target because of the comparative lack of strength and maturity of data controls. Simply adding new layers of data control without fully grasping the threat and how best to respond can be counterproductive. Health care leaders should instead focus on developing an “inside out” approach, identifying key principles to build a productive defense. In particular, here are three:

First, inventory and classify sensitive information. Know what’s at stake. Taking stock of all data sources and storage capabilities should be top of mind for all executives and their leadership teams.

Once an inventory has been established, reduce the value of sensitive data. Putting all of an enterprise’s data assets in one basket invites disaster. The goal should be to encrypt or de-identify key medical data and spread them across different data silos to reduce the value of any single database should it be compromised.

Implementing data-layer protection capabilities can help to both prevent and detect data breaches at an organization. These act as a “last line of defense,” such as monitoring access to sensitive databases or terminating a suspicious data transfer.
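The three principles above, worked through end to end as an added Python example (this is not code from Deloitte or the author): a field-level inventory that classifies each record field by sensitivity, a split of every record into an identity vault and a de-identified clinical store that are linked only by a keyed HMAC token, and a data-layer monitor that flags bulk reads in access-log entries. The patient records, the access-log lines, the field names, the `demo-key` secret and the 1,000-rows-in-60-seconds threshold are all constructed for the example; encryption at rest of the vault is assumed to be provided by whatever store holds it.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample records; no real patients or card numbers.
RECORDS = [
    {"mrn": "000123", "name": "Ada Lovelace", "ssn": "123-45-6789", "dob": "1990-01-02",
     "card_last4": "4242", "diagnosis": "J45.20", "visit_date": "2016-03-01"},
    {"mrn": "000124", "name": "Alan Turing", "ssn": "987-65-4321", "dob": "1985-06-23",
     "card_last4": "1111", "diagnosis": "E11.9", "visit_date": "2016-03-02"},
]

# Principle 1: classify every field so the organization knows what is at stake.
# Classes are assumptions for this example: direct identifiers, payment data, clinical data.
FIELD_CLASSES = {
    "mrn": "identifier", "name": "identifier", "ssn": "identifier", "dob": "identifier",
    "card_last4": "payment",
    "diagnosis": "clinical", "visit_date": "clinical",
}


def inventory(records):
    """Count populated fields per sensitivity class; unknown fields surface as 'unclassified'."""
    counts = defaultdict(int)
    for rec in records:
        for field, value in rec.items():
            if value:
                counts[FIELD_CLASSES.get(field, "unclassified")] += 1
    return dict(counts)


def pseudonym(secret, mrn):
    """Keyed token for a patient: without `secret`, the token cannot be linked back to the MRN."""
    return hmac.new(secret, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def split_record(secret, rec):
    """Principle 2: separate identifiers (vault) from clinical data (de-identified store).

    Payment fields go in neither store; they belong in the cardholder environment,
    so a POS compromise yields no join key into the medical data.
    """
    token = pseudonym(secret, rec["mrn"])
    vault_row = {k: v for k, v in rec.items() if FIELD_CLASSES.get(k) == "identifier"}
    clinical_row = {k: v for k, v in rec.items() if FIELD_CLASSES.get(k) == "clinical"}
    clinical_row["token"] = token
    return token, vault_row, clinical_row


def build_stores(secret, records):
    """Return (vault, clinical) as two independent stores keyed only through the token."""
    vault, clinical = {}, []
    for rec in records:
        token, vault_row, clinical_row = split_record(secret, rec)
        vault[token] = vault_row
        clinical.append(clinical_row)
    return vault, clinical


# Principle 3: data-layer monitoring over constructed access-log entries.
# Each entry: (unix timestamp, principal, store name, rows returned).
ACCESS_LOG = [
    (1000, "svc_billing", "vault", 1),
    (1010, "svc_billing", "vault", 1),
    (1020, "analyst_7", "clinical", 200),
    (1030, "analyst_7", "clinical", 900),   # burst: 1100 rows within 10 seconds
    (1100, "svc_billing", "vault", 2),
]


def flag_bulk_reads(log, max_rows, window):
    """Flag (principal, store) pairs whose reads exceed max_rows within any `window` seconds.

    A flagged pair is the signal on which a data-layer control would terminate the transfer.
    """
    events = defaultdict(list)
    for ts, principal, store, rows in sorted(log):
        events[(principal, store)].append((ts, rows))
    flagged = set()
    for key, series in events.items():
        start, total = 0, 0
        for ts, rows in series:           # sliding window over this principal's reads
            total += rows
            while series[start][0] < ts - window:
                total -= series[start][1]
                start += 1
            if total > max_rows:
                flagged.add(key)
    return flagged


if __name__ == "__main__":
    print(inventory(RECORDS))
    vault, clinical = build_stores(b"demo-key", RECORDS)
    print(clinical)
    print(flag_bulk_reads(ACCESS_LOG, max_rows=1000, window=60))
```

The point of the split is blast radius: a compromised clinical store yields diagnoses attached to opaque tokens, and a compromised vault yields identities with no medical history, so neither database alone carries the full resale value the post describes. The monitor is deliberately per-principal and per-store so that a legitimate billing service making many small reads is not confused with a single account pulling a thousand rows in a burst.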

For health care organizations, the bottom line is twofold: Discourage hackers who want to breach their databases by building stronger preventive systems, and limit the damage once the protective veils have been pierced. Health care leaders entrusted with an organization’s data security must make it harder to penetrate high-value medical files and recognize that the front door to them may be a hospital garage or cafeteria checkout counter.

Author bio

Jimmy Joseph is a Senior Manager with Deloitte & Touche’s Technology Risk Services practice. Jimmy has 18 years of experience in Information Technology and Risk Management and he specializes in delivering cyber security and data protection advisory services to the health care industry. He is a trusted advisor to several senior executives (CISO, CIO) in the health care provider and plan sector. Jimmy holds HCISSP, CISA, and PMP certifications.