How to Protect PHI and Patient Data
The final numbers have yet to be released but HIPAA Journal reports that more than 41.1 million records were exposed, stolen, or disclosed without permission in 2019, marking last year as the worst for healthcare data breaches. What’s even more troubling is that even though 2020 is predicted to be another record-breaking year in terms of healthcare data exposure, investment in cybersecurity within the healthcare industry simply isn’t keeping up:
- On average, hospitals dedicate 6% of their IT budget to cybersecurity. For physician groups, that number falls to below 1%.
- 92% of healthcare organizations don’t have full-time cybersecurity professionals.
- 96% of IT professionals said threat actors are outpacing healthcare organizations.
- Organizations spend money on marketing to repair damaged reputations after a breach than on addressing the consequences of data breaches.
As a result, healthcare organizations desperately need more CISOs and cybersecurity professionals, but a nationwide cybersecurity skills gap presents a challenge of its own. We’d argue that it is this lack of investment in cybersecurity that not only leads to damaging breaches, but also to unauthorized third-party access in the name of research. No matter the threat, healthcare organizations must place more of an emphasis on protecting personal health information (PHI) and patient data.
Patient Data is at Risk
When it comes to research, the big four tech companies—Amazon, Apple, Google, and Microsoft—are racing into the healthcare industry, each targeting a different sector to transform or disrupt. With this, one of the most predominant concerns is the handling of patient data and PHI. A recent investigation by the Financial Times analyzed 100 healthcare websites and found the vast majority enable tracking and sell the data—including prescriptions, fertility, and menstrual information—to many of the largest tech companies.
Late last year, Project Nightingale was revealed in a series of Wall Street Journal articles that described Google’s work with healthcare giant, Ascension. At the time, Google had secretly been collecting and analyzing the personal health information (PHI) of millions of patients across the country which prompted a federal inquiry that still has not been satisfied.
According to the Wall Street Journal, “the data involved in the initiative encompasses lab results, doctor diagnoses, and hospitalization records, among other categories, and amounts to a complete health history, including patient names and dates of birth.” The most troubling is part is that both patients and doctors were not informed that sensitive data was shared with Google. Despite the claim that the project’s goal is “ultimately improving outcomes, reducing costs, and saving lives” and that Project Nightingale was compliant with HIPAA, questions were left unanswered and patients were left feeling helpless that they didn’t have control over their own personal data.
Encryption Protects PHI and Improves Collaboration
Protecting patients and PHI may feel like a daunting task when the Silicon Valley tech giants are involved but the reality is that with flexible, easy-to-use data protection in place, healthcare providers can empower patients to take back control of their data. And it’s a win-win. With robust protection at the object level, sharing—via secure file transfer or IoT devices to name a few—data securely is possible and as a result, so is collaboration and improved care outcomes. We are on the verge of significant societal benefits and impact as medical breakthroughs become possible thanks to the wealth of health data and big data analytics. But, these benefits rely on trusting that the data will be secured. With 83% of enterprise workloads predicted to be in the cloud this year, protecting data in the cloud from the cloud provider itself must be a priority.
The use of custom applications is on the rise which when coupled with the cybersecurity skills gap means healthcare organizations need a technology partner that can step up. Last year, we released the Virtru Data Protection Platform: a set of privacy engineering tools for developers that can be easily and seamlessly integrated into any application, connected device, and infrastructure. For healthcare organizations with a need to securely share PHI, layering Virtru’s data protection and access controls into their custom applications provides the control needed to protect PHI, all without changing the way you work today.
To see how Spring Venture Group, a leader in matching patients with health insurance plans, is using the Virtru Data Protection Platform to protect PHI and patient data, download a copy of the case study.
If you’re ready to protect PHI and learn more about how Virtru can help accelerate your organization’s data protection program, get in touch with us today!