A layered approach, including safeguards against your own privileged users, may be your best bet for data security.
Healthcare industry IT has traditionally focused on improving patient care. When it comes to protecting sensitive information, attention has centered on securing physical documents and facilities. While this has helped guard against the physical loss of data, in a growing number of cases cyber assets have been left at risk.
Healthcare data: Low-hanging fruit for hackers
Since many financial and retail organizations have stepped up security following high-profile data breaches in recent years, healthcare organizations became a top target in 2010.
According to the Identity Theft Resource Center (ITRC), 113 healthcare institutions were hit by data breaches between January and July 2010, nearly three times what the financial sector experienced in the same timeframe. According to the HHS, 214 healthcare organizations were breached in 2010 (as of December 27), with 6.3 million patients affected.
While medical data may not be as attractive as credit card numbers, medical records are incredibly valuable to those interested in committing insurance fraud or stealing identities.
So it's easy to see why database servers — in any industry — have become hot targets for cyber criminals and rogue insiders.
Don't hang your hat on HIPAA or perimeter security
Simply passing IT compliance and HIPAA audits with “checks in the boxes” doesn't make an organization secure.
Perimeter security alone does not address the threat posed by trusted insiders, whether intentional or not.
Of course, healthcare isn't the only industry where insiders can be threats. Verizon's 2010 Data Breach Investigations Report showed that nearly half of the data breaches across all industries were caused by trusted insiders.
When it comes to information security, there are two major considerations for the healthcare industry:
1. Many hospitals are focused on preventing unauthorized access by outsiders, using firewalls, rather than preventing intrusion by insiders. Firewalls on their own are insufficient. They must be part of a larger solution that layers approaches to include the monitoring and auditing of sensitive data.
2. Healthcare organizations are more focused on preventing accidental or physical data leakage via e-mail or lost laptops. Yet the risks and costs associated with incidents caused by rogue administrators, such as database administrators (DBAs), developers and outsourced personnel who have virtually unlimited access to critical data, are significantly higher. Many organizations do not monitor the activities of these privileged users, and as a result are not even aware of data breaches until it is too late.
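As an added illustration of the monitoring point above (not from the article and not any vendor's product), the following Python sketch applies a privileged-access policy to database audit records: the PHI table names, account names and log lines are all constructed assumptions.

```python
import re
from collections import namedtuple

# Assumed names (not from the article): PHI tables, privileged DBA/dev/vendor
# accounts, and the application service account that is the expected access path.
SENSITIVE_TABLES = {"patients", "encounters", "claims"}
PRIVILEGED_USERS = {"dba_admin", "dev_ops", "vendor_svc"}
APP_SERVICE_USER = "ehr_app"
BULK_ROW_THRESHOLD = 1000  # rows returned by a single statement

AuditEvent = namedtuple("AuditEvent", "ts user client rows sql")

# Constructed audit records: "timestamp|db user|client ip|rows returned|sql".
SAMPLE_LOG = """\
2010-12-27T09:01:05|ehr_app|10.1.2.3|1|SELECT name, dob FROM patients WHERE id = 4711
2010-12-27T09:03:44|dba_admin|10.1.9.9|1|SELECT count(*) FROM patients
2010-12-27T09:04:10|dba_admin|10.1.9.9|52000|SELECT * FROM patients
2010-12-27T09:05:00|dev_ops|10.1.7.7|3|SELECT ssn FROM claims WHERE id IN (1,2,3)
2010-12-27T09:06:30|ehr_app|10.1.2.3|1|UPDATE encounters SET note = 'x' WHERE id = 9
"""

# Table names following FROM/JOIN/INTO/UPDATE; sufficient for simple statements.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_]\w*)", re.I)

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, client, rows, sql = line.split("|", 4)
        events.append(AuditEvent(ts, user, client, int(rows), sql))
    return events

def evaluate(ev):
    """Policy for one statement: list of alert reasons, empty if allowed."""
    touched = {t.lower() for t in TABLE_RE.findall(ev.sql)} & SENSITIVE_TABLES
    reasons = []
    if not touched:
        return reasons
    if ev.user in PRIVILEGED_USERS:    # DBA/dev/vendor reading PHI directly
        reasons.append(f"privileged account touched {sorted(touched)}")
    elif ev.user != APP_SERVICE_USER:  # neither the app nor a known admin account
        reasons.append(f"unexpected account {ev.user} touched {sorted(touched)}")
    if ev.rows >= BULK_ROW_THRESHOLD:  # large extraction, whatever the account
        reasons.append(f"bulk read of {ev.rows} rows")
    return reasons

def alerts(text):
    """Run the policy over a log; one (timestamp, user, reasons) per offending statement."""
    return [(ev.ts, ev.user, r) for ev in parse_log(text) if (r := evaluate(ev))]
```

The application account's single-row lookups pass silently, while the DBA's full-table read produces both a privileged-access and a bulk-read reason.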
Data breaches have declined in the financial sector because financial companies have moved beyond perimeter security. All of the major banks have implemented technology to monitor and protect sensitive information stored in databases — preventing unauthorized access by insiders and outsiders. Healthcare organizations are falling behind, and the health information exchanges outlined under federal meaningful-use guidelines of electronic medical records will centralize data in big data warehouses, making data breaches an even bigger risk.
It would be good for healthcare organizations to take a page from the healthcare insurance providers and pharmacy benefit providers. Many of those companies have already followed the financial industry's lead and deployed database security and activity monitoring technologies to protect their financial/ERP data and comply with regulations such as SOX.
With more than 214 healthcare organizations breached in 2010, and more than 6.3 million patients now at risk (according to the U.S. government), we need to advance beyond the perimeter approach and physical focus and concern ourselves with insiders to help protect patient data in 2011.
Phil Neray is VP of security strategy, IBM/Guardium.
For more information on