The Health Information Technology for Economic and Clinical Health (HITECH) Act transformed how public and private healthcare providers store and access clinical information. As the healthcare industry adopted electronic health records (EHR) systems, the amount of patient health data skyrocketed. Each year, a single patient generates around 80 megabytes of EHR data.
Today, around 30% of our global data volume comes from the healthcare industry. This amount is expected to grow even further, with the compound annual growth rate (CAGR) for healthcare data estimated to reach 36% by 2025.
Data security in healthcare is essential to protect this highly sensitive information from unauthorized access, loss, destruction, and more. Insufficient data security can leave healthcare organizations vulnerable to a host of risks, such as costly fines, reputational damage, and business loss.
In this article, we will explore why data security is so important in the healthcare industry. This will include the top benefits of data security, as well as real-world examples of how data security incidents impact healthcare organizations.
Why data security is imperative in healthcare
Cybercriminals target protected health information (PHI) due to its high value on the dark web. This is because a single medical record contains a host of sensitive data, including financial details, personal information, Social Security numbers, and more. When stolen data is sold on the dark web, healthcare records sell for an average of $250, compared to approximately $5 for payment card details.
The healthcare industry is subject to several federal, state, and industry-specific data protection laws. The most well-known example is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA rules apply to covered entities (e.g., healthcare providers, health plans, clearinghouses) and their business associates.
While HIPAA’s data privacy and security standards are often more stringent than those of other industries, it’s still important for healthcare organizations to closely follow other data privacy laws. For example, 13 states have stricter regulations than HIPAA when it comes to medical record access.
Failure to comply with these regulations can result in monetary penalties exceeding hundreds of thousands of dollars (based on factors such as the severity of the breach, mitigation efforts, and the number of individuals affected).
Benefits of data security
Advancing digital technologies mean that today, patient records are held on servers, computers, and storage devices rather than stored on paper in file cabinets. All this information is accessed, updated, recorded, and shared between multiple facilities and healthcare providers.
A robust data security strategy does more than secure healthcare data against cyberthreats. It also plays a critical role in controlling malicious and negligent insider threats, which are a top cause of data loss. According to the Ponemon Institute’s 2022 Insider Threats Report, 56% of data breaches involving an insider are the result of careless or negligent behavior.
For example, 63% of employees worldwide are using personal file-sharing systems for work-related data. While unintentional, this creates an immense opportunity for information loss and compromise because consumer-grade solutions do not offer sufficient data security controls.
When it comes to protecting healthcare information, data security offers the following benefits:
Safe harbor for HIPAA’s Breach Notification Rule. According to HIPAA, data encryption is an effective security measure for protecting PHI. Following a breach, healthcare organizations do not have to notify affected individuals so long as the information was encrypted properly. This is because encrypted data cannot be used by unauthorized individuals, creating a safe harbor for breach notification requirements.
Better care outcomes. According to the Cybersecurity and Infrastructure Security Agency (CISA), cyberattacks have a direct impact on patient mortality. An attack on a healthcare organization’s network can render patient records inaccessible, disrupt communications, and delay treatment and testing. Prioritizing data security is an effective way of ensuring continued delivery of quality care.
Increased cybersecurity awareness. Data security policies ensure that all staff are educated on the value and importance of securing healthcare data so that they can detect and respond to fraudulent behavior. This is especially important for smaller health systems and specialty clinics that often lack the security levels, staff, and budget for robust cybersecurity defenses.
Data security incident examples
The healthcare industry remains a top target for cyberattacks, threatening both organizations and patients. In 2022 alone, more than 40 million patient records were exposed or stolen due to security vulnerabilities in EHR systems.
Much of the threat landscape centers around outdated legacy systems, limited IT budgets, and a growing shortage of healthcare cybersecurity personnel. In addition, the growing use of connected medical devices expands a healthcare organization’s attack surface, because 68% of health entities don’t consistently update devices when new security patches are available.
Without proper preparation, data security incidents can result in operational downtime, loss of public trust, financial consequences, and more. The following recent examples demonstrate the importance of comprehensive data security:
Legacy Health. Portland, Oregon-based Legacy Health experienced a data breach caused by an insider threat. A lab employee copied patient records to their personal storage devices using email and external drives. The compromised files contained patient names, medical record numbers, health insurance information, and other types of personal data.
Broward Health. In October 2021, an unauthorized individual used a third-party medical provider’s office to gain access to Broward Health’s network. More than 1.3 million patients and employees were affected, and the breach investigation revealed that prior to the incident, the health system lacked basic data security measures such as multifactor authentication (MFA).
Partnership HealthPlan of California (PHC). A cyberattack took down PHC’s computer systems in March 2022. The Hive ransomware group took credit for stealing 850,000 PII records from PHC, as well as 400 GB of files stored on PHC’s server. The health plan faces a lawsuit in which plaintiffs allege that PHC failed to provide basic data security measures, including user authentication practices, security privileges, and patching/updating protocols.
How WinZip Enterprise ensures data security in healthcare
Data security is focused on three primary components: confidentiality, integrity, and availability of data. Also known as the CIA triad, this data security model helps organizations ensure that information is kept safe from unauthorized access, cannot be altered by unauthorized individuals, and is readily accessible to authorized users.
When faced with ever-growing cybersecurity threats, WinZip Enterprise helps healthcare organizations secure the components of the data security CIA triad. This fully customizable solution features a complete set of data security tools, including:
Encryption. File-level encryption safeguards highly sensitive PHI data both at rest and in transit. Whether data is stored on a device or actively moving from a sender to a receiver, encryption renders the information unreadable to anyone without the proper encryption key.
Access control. An access control system limits user access rights to only what is needed for an individual’s job role. Administrative controls to manage access and permissions include MFA, principle of least privilege (POLP) access, and using audit logs to quickly detect anomalous behaviors that could compromise data security.
Data backup and compression. If a cyberattack compromises, corrupts, or erases data, backing up files creates a safety net for quick information recovery. WinZip Enterprise also compresses backup files, which reduces data storage costs while maximizing the capacity of a backup server.
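As an added example (not WinZip Enterprise's code and not part of the original article), the following Python script applies the audit-log idea from the access control item to the insider scenario described under Legacy Health: it parses constructed EHR audit-log lines (the line format, the user names and the "external destination" prefixes are all assumptions) and flags a user who reads far more distinct patient records than peers, or who exports a record to removable media or personal email.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample EHR audit-log lines; the format is an assumption for this example:
# "<timestamp> <user> <action> <record_id> [dest=<destination>]"
SAMPLE_LOG = [
    "2023-05-01T08:01:10 nurse_a VIEW MRN-1001",
    "2023-05-01T08:03:42 nurse_a VIEW MRN-1002",
    "2023-05-01T08:10:05 dr_b VIEW MRN-2001",
    "2023-05-01T08:11:30 dr_b UPDATE MRN-2001",
    "2023-05-01T08:12:00 dr_b VIEW MRN-2002",
] + [  # lab_c walks through 40 records in under a minute ...
    f"2023-05-01T08:15:{i:02d} lab_c VIEW MRN-{3000 + i}" for i in range(40)
] + [  # ... and then copies two of them off the network
    "2023-05-01T09:00:00 lab_c EXPORT MRN-3001 dest=usb:/E/records.zip",
    "2023-05-01T09:01:00 lab_c EXPORT MRN-3002 dest=mailto:me@personal-mail.example",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>[A-Z]+) (?P<rec>\S+)(?: dest=(?P<dest>\S+))?$"
)
# Destinations outside organisation-controlled storage (assumed prefixes)
EXTERNAL_DEST = ("usb:", "mailto:", "https://")


def parse(lines):
    """Parse audit lines into dicts; malformed lines are skipped (a real pipeline would count them)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())  # unmatched optional groups come back as None
    return events


def detect_anomalies(events, min_records=20, ratio=5.0):
    """Return {user: [reasons]} for users who touched far more distinct records
    than the median user, or who exported a record to an external destination."""
    records = defaultdict(set)
    findings = defaultdict(list)
    for e in events:
        records[e["user"]].add(e["rec"])
        if e["action"] == "EXPORT" and e["dest"] and e["dest"].startswith(EXTERNAL_DEST):
            findings[e["user"]].append(f"external export of {e['rec']} to {e['dest']}")
    baseline = median(len(recs) for recs in records.values())  # peer baseline
    for user, recs in records.items():
        if len(recs) >= min_records and len(recs) > ratio * baseline:
            findings[user].append(f"bulk access: {len(recs)} distinct records vs. median {baseline:g}")
    return dict(findings)
```

Running `detect_anomalies(parse(SAMPLE_LOG))` flags only lab_c, with two external-export findings and one bulk-access finding; the thresholds are starting points to tune against a site's own access patterns.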