For effective healthcare data protection try a 'layered' approach

Healthcare organizations can protect patient data from breaches with a three-layered approach that combines traditional and advanced protection features.

With the proliferation of electronic health records, as well as an increasing number of data breaches, protecting patient information is of the utmost importance. A recent study by the Ponemon Institute revealed that, out of 91 surveyed HIPAA-covered entities and 84 business associates, 89% suffered from data breaches. About half of those breaches were caused by criminal cyberattacks.

In addition to traditional cyberattacks, such as theft and denial of service, there are also emerging threats, such as blackmail and extortion. In June 2016 alone, nearly 10 million patient records were posted for sale on a dark web market for prices ranging from 30 bitcoin ($19,000) to 375 bitcoin ($240,000).

To fend off cybercriminals, organizations should use a three-layered approach to healthcare data protection, according to David Dimond, CTO of global healthcare business for EMC. EMC, which sells healthcare data protection and medical imaging services, is in the midst of merging with Dell.

The three-layered approach to healthcare data protection consists of:

  • Traditional data protection best practices
  • Additional hardening and protection features
  • Advanced protection services

"[The first layer of] the three-layered approach goes into taking your traditional data protection, making sure they're implemented with best practices," Dimond said. "And that's looking across all your systems and focusing on independent backups across all your systems with data replication."

The second layer involves adding deep hardening protection features. "This is to make sure across all network spans that you have encryption in flight for PII, PHI, [and] you have encryption at rest," Dimond said. Encryption in flight means data is encrypted as it moves through a network. Encryption at rest refers to encrypting data that is not moving, such as data that is stored on a hard disk drive or solid-state drive.

There should also be a separate security team that knows which users access which devices and what consistent, normal access looks like for each user. This team should also keep user access security logs. The security team holds the "locks and keys" to data access. At this stage, it's also vital to educate users and enforce policies that strengthen healthcare data protection, such as password reset procedures.

The third layer focuses on advanced protection services that incorporate security analytics. Advanced security analytics can detect threats and monitor network traffic and transaction logs. At this stage, the security team members should be able to tell hospital executives that they not only have a plan to deal with a breach, but that they can isolate the system until the network threat is shut down.
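The two preceding points, a security team that knows which users use which devices and what their normal access looks like, and analytics that run over access and transaction logs, can be illustrated with a small baseline-and-deviation check. The following is an added example, not code from the article or from EMC: it parses constructed EHR access-log lines (the field layout, user and device names, record IDs and thresholds are all assumptions made for this example), learns each user's known devices and peak number of distinct patient records touched per day from a baseline window, and then flags access from a device never seen for that user and days on which a user touches far more records than their baseline peak.

```python
"""Baseline-and-deviation check over EHR access logs (added example, not from the article).

Log format assumed here: "<ISO timestamp> <user> <device> <patient_record_id> <action>".
Thresholds (volume_factor, min_volume) are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. nurse_a works from WS-ICU-01 and views a few records a day
# during the baseline, then on 2016-06-03 exports eight records from an unknown laptop.
# dr_b behaves consistently throughout and should produce no findings.
SAMPLE_LOG = """\
2016-06-01T08:02:11 nurse_a WS-ICU-01 P1001 view
2016-06-01T08:05:40 nurse_a WS-ICU-01 P1002 view
2016-06-01T08:10:03 nurse_a WS-ICU-01 P1003 view
2016-06-01T09:00:00 dr_b WS-ER-07 P1010 view
2016-06-02T08:01:55 nurse_a WS-ICU-01 P1001 view
2016-06-02T08:07:12 nurse_a WS-ICU-01 P1004 view
2016-06-02T09:30:00 dr_b WS-ER-07 P1011 update
2016-06-03T02:14:09 nurse_a LAPTOP-UNKNOWN P2001 view
2016-06-03T02:14:31 nurse_a LAPTOP-UNKNOWN P2002 export
2016-06-03T02:14:52 nurse_a LAPTOP-UNKNOWN P2003 export
2016-06-03T02:15:10 nurse_a LAPTOP-UNKNOWN P2004 export
2016-06-03T02:15:33 nurse_a LAPTOP-UNKNOWN P2005 export
2016-06-03T02:15:58 nurse_a LAPTOP-UNKNOWN P2006 export
2016-06-03T02:16:20 nurse_a LAPTOP-UNKNOWN P2007 export
2016-06-03T02:16:44 nurse_a LAPTOP-UNKNOWN P2008 export
2016-06-03T09:45:00 dr_b WS-ER-07 P1012 view
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of dict records; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, patient, action = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "device": device,
            "patient": patient,
            "action": action,
        })
    return records


def build_baseline(records, baseline_end):
    """Per-user known devices and peak distinct-records-per-day, using records before baseline_end."""
    devices = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(set))  # user -> date -> set of record ids
    for r in records:
        if r["ts"] < baseline_end:
            devices[r["user"]].add(r["device"])
            per_day[r["user"]][r["ts"].date()].add(r["patient"])
    peak = {user: max(len(ids) for ids in days.values()) for user, days in per_day.items()}
    return devices, peak


def detect_anomalies(records, baseline_end, volume_factor=2, min_volume=5):
    """Flag (a) first use of a device unknown for that user and (b) a day whose distinct
    record count exceeds max(peak * volume_factor, min_volume). baseline_end is an ISO date."""
    cutoff = datetime.fromisoformat(baseline_end)
    known_devices, peak = build_baseline(records, cutoff)
    findings = []
    reported_devices = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r["ts"] < cutoff:
            continue
        user = r["user"]
        if r["device"] not in known_devices[user] and r["device"] not in reported_devices[user]:
            reported_devices[user].add(r["device"])  # report each new device once
            findings.append(("new_device", user, r["device"], r["ts"].isoformat()))
        per_day[user][r["ts"].date()].add(r["patient"])
    for user, days in per_day.items():
        threshold = max(peak.get(user, 0) * volume_factor, min_volume)
        for day, ids in days.items():
            if len(ids) > threshold:
                detail = f"{len(ids)} distinct records (threshold {threshold})"
                findings.append(("volume_spike", user, detail, day.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(parse_log(SAMPLE_LOG), "2016-06-03"):
        print(*finding)
```

The baseline is deliberately simple (known devices plus a per-day volume peak) so that the deviation rules are easy to audit; in practice the same structure is fed from a central log store and the thresholds are tuned per role rather than per user.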

"The first layer was really the traditional best practices, what was done," Dimond said. "The next layer is getting closer to the core, the hardening and protection features, the encryption. And this last one is the advanced protection services -- security analytics and vaulting coming together as core technologies."

"The idea of a layered data protection approach is that there's a stronghold [for the most critical data]," Dimond said. "There's a secure vault that's isolating what's called an air gap." The air gap temporarily connects network ports to allow synchronization and then disconnects to ensure that the protected data remains isolated. Data is intermittently copied from backup systems or production storage to an isolated recovery environment across the air gap, which allows an organization to "recover almost instantly" in case of a breach, he said.

"It's a new way to think about [data protection]," Dimond said. "The idea here is that you will be attacked, that you need to have a strategy around a metric called the destruction assessment objective, the DAO." The DAO is the amount of time allowed for an organization to identify the specific type of cyberattack as well as execute a remediation plan. Exceeding the DAO will typically activate data recovery procedures.
