- I still find challenges within the healthcare world when it comes to file sharing and data management. Sure, we can remove Dropbox or other types of file sharing mechanisms, but are we making the user experience worse? And, are we really plugging up all of the necessary file sharing holes and maintaining healthcare data security?
Remember, the cost of data breaches is increasing. Breaking a downward trend over the past two years, a Ponemon study found that both the organizational cost of a data breach and the cost per lost or stolen record have increased. On average, the cost of a data breach for an organization represented in the study increased from $5.4 million to $5.9 million. The cost per record increased from $188 to $201.
- Malicious or criminal attacks result in the highest per capita data breach cost. Consistent with prior reports, data loss or exfiltration resulting from a malicious or criminal attack yielded the highest cost at an average of $246 per compromised record. In contrast, both system glitches and employee mistakes resulted in a much lower average per capita cost at $171 and $160, respectively.
- The results show that the probability of a material data breach over the next two years involving a minimum of 10,000 records is nearly 19 percent.
Similarly, Juniper Research suggests that the rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019, almost four times the estimated cost of breaches in 2015.
Unfortunately, healthcare data breaches happen far too often. If you need to catch up on the latest ones – feel free to read up here. It’s never easy to be completely prepared for a security incident. But, there are good ways to be prepared.
With that in mind, let me share an experience with you.
The story starts here: a healthcare provider was battling the impacts of mobility. Doctors, nurses, and healthcare associates were all now utilizing a number of different devices to connect and access information.
This is going to be an example of a data breach that wasn’t malicious, but could have been bad.
While working with a few medical staff, an administrator noticed that a lot of information was being saved locally on a staff member’s device. These devices were corporate-owned, but they were increasingly being loaded with data.
While working to resolve a separate issue, the IT admin noticed that Dropbox was installed and had been syncing when the device was off the network. When questioned, the associate said that they were able to install it and that they were only syncing documents that did not contain any healthcare or patient information.
Although this was true, what if a user accidentally started synchronizing a folder with patient info? What if that user wasn’t doing it accidentally?
To resolve this issue, the healthcare organization addressed the challenge of data residing at the endpoint by deploying a proactive mobility control and monitoring solution. Leveraging Cisco technologies, firewall management, data loss prevention engines, and better file sharing controls, data at the endpoint was basically eliminated. It was replaced with secure access to central data repositories wrapped with greater controls.
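As an added illustration (not code from the original post or from the organization described), here is a small Python check over constructed endpoint sync events that flags the two conditions in the story: an unapproved sync client on a corporate device, and a synced path that looks like it holds patient data. The event fields, the approved-client list and the PHI path patterns are assumptions for the example.

```python
import re

# Constructed sample events: an endpoint agent reporting which sync client
# touched which local file, and whether the device was on the corporate network.
SAMPLE_SYNC_EVENTS = [
    {"host": "ws-nurse-07", "client": "Dropbox", "on_network": False,
     "path": "C:/Users/jdoe/Dropbox/schedules/oncall-week12.xlsx"},
    {"host": "ws-nurse-07", "client": "Dropbox", "on_network": False,
     "path": "C:/Users/jdoe/Dropbox/Patients/MRN-4481922-discharge.pdf"},
    {"host": "ws-admin-02", "client": "ShareFile", "on_network": True,
     "path": "C:/Users/asmith/ShareFile/policies/handbook.docx"},
]

# Assumed policy: only the sanctioned enterprise file-sharing client is allowed.
APPROVED_CLIENTS = {"ShareFile"}

# Assumed PHI indicators: a folder named "Patients" or a medical record
# number token in the file name. Real DLP engines inspect content, not just paths.
PHI_PATH_PATTERNS = [
    re.compile(r"/patients?/", re.IGNORECASE),
    re.compile(r"\bMRN-?\d{6,}\b", re.IGNORECASE),
]


def classify(event):
    """Return the findings for one sync event (empty list if nothing to flag)."""
    findings = []
    if event["client"] not in APPROVED_CLIENTS:
        findings.append("unsanctioned_sync_client")
    if any(p.search(event["path"]) for p in PHI_PATH_PATTERNS):
        findings.append("possible_phi_in_sync_path")
    # Off-network sync only matters once something else is already wrong:
    # it means the data left without passing the on-premises controls.
    if findings and not event["on_network"]:
        findings.append("synced_off_network")
    return findings


def triage(events):
    """Group flagged events by host so an admin sees which endpoints need follow-up."""
    report = {}
    for ev in events:
        findings = classify(ev)
        if findings:
            report.setdefault(ev["host"], []).append((ev["path"], findings))
    return report


if __name__ == "__main__":
    for host, items in triage(SAMPLE_SYNC_EVENTS).items():
        print(host)
        for path, findings in items:
            print("  ", path, "->", ", ".join(findings))
```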
More than ever before, healthcare organizations must deploy tighter controls around file sharing and cloud resource sharing. However, these security measures should not impede user functionality.
But, finding a good balance is always a challenge.
The cloud can be your friend
Remember, new regulations are allowing you to take data and storage directly into the cloud. For example, a recent change to HIPAA (the Omnibus Rule) now allows for the creation of a business associate. This can be any organization that has more than just transient access to data, such as FedEx, UPS, or the US Postal Service. An example of this kind of service would be Citrix ShareFile Cloud for Healthcare. This kind of solution lets healthcare organizations collaborate with their data both on the premises and in the cloud. Providers like AWS, Rackspace and many others have also jumped on this bandwagon. So what does this mean to you? If you’re a small organization or a business concerned about their data, look up to the cloud for help. Pricing is a lot more competitive than it was before and security solutions within the cloud are really advancing.
Conduct pen and vulnerability tests
So much can change in just a day or two. You could have a group of new users starting at a hospital, or you might be deploying a new critical application. All healthcare organizations should be doing penetration and vulnerability testing. And, they should be done frequently, and sometimes randomly. It’s not like you can schedule a data breach. The same concept applies to vulnerability assessments. My experience has found everything from poorly configured (web-facing) printers, to long unpatched (probably lost) network devices. The other thing is that you don’t have to (and maybe shouldn’t) do this alone. Having a good partner help you with your security assessments gets a fresh set of eyes on your architecture.
Train your users
A good security practice comes down to three very simple concepts: People, Process, and Technology. You can have the best security system in place, but if you don’t train your users or build a culture around security awareness, you’ll still have serious gaps in your security strategy. Help users understand the importance of security, how it helps protect your brand, and how it’s critical to help protect your patients. A good training program won’t only help people become more aware of their security environments, it’ll help them think before they share or click on a file.
Working with file sharing doesn’t have to be a nightmare. As the average doctor and patient becomes more connected, we’ll experience an even greater influx of data. Sharing information can absolutely be controlled through good security measures and best practices. The key is to constantly test your own security architecture and never, ever, become complacent.