Can the Healthcare Cybersecurity Act Resuscitate Patient Data Protection?

    The healthcare industry continues to struggle immensely with data protection and cybersecurity. Every few weeks there is another devastating breach, with HealthEquity being the latest example. In this incident, the benefits management administrator fell victim to an unauthorized third party infiltrating a data repository outside its core systems, leading to 4.3 million patients’ personal information being compromised. 

    These incidents are increasingly disruptive and costly. From small rural clinics to major hospital systems, healthcare providers are grappling with attacks that compromise patient data, disrupt critical services, and even put lives at risk.

    The recently proposed Healthcare Cybersecurity Act represents a significant step in addressing the growing cybersecurity challenges in the healthcare sector. In this post, we'll examine the potential implications of this act and discuss the need for robust, data-centric security measures to protect sensitive information across the healthcare ecosystem.

    The Growing Threat Landscape

    The healthcare industry has become an increasingly attractive target for cybercriminals. The recent colossal breach of Change Healthcare serves as a stark reminder of the far-reaching consequences of these attacks. The cost of this breach is estimated to potentially exceed $1 billion.

    The proposed Healthcare Cybersecurity Act recognizes the urgent need for a coordinated, industry-wide approach to cybersecurity. By mandating collaboration between the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS), the act aims to provide healthcare organizations with the resources and knowledge they need to defend against cyber threats.

    The Critical Role of Data-Centric Security

    The Healthcare Cybersecurity Act is a step in the right direction: As cyber threats escalate in healthcare, organizations need to share information and resources with each other rather than operating in silos. But, at the end of the day, true security begins and ends with the data itself. Here are a few ways that healthcare organizations can benefit from a data-centric approach:

    1. Protection Beyond Healthcare Perimeters: Traditional security measures focus on securing networks and devices. Data-centric security ensures that the information itself is protected, regardless of where it resides or how it's shared. In healthcare, information sharing is inevitable: A medical practice will need to share patient records with other providers, insurance companies, and patients themselves. As this sensitive data moves, it must remain controlled and protected.
    2. Granular Access Controls: Access to sensitive patient information can be limited to only those who truly need it, reducing the risk of internal threats and accidental exposure.
    3. Persistent Protection: Data-centric security measures, like end-to-end encryption, ensure that data remains protected throughout its lifecycle – from creation to sharing and storage.
    4. Comprehensive Data Governance: Effective data governance is essential for maintaining compliance with regulations like HIPAA. This starts with appropriately tagging and storing patient data, as well as maintaining visibility into where and how it is shared. A strong data-centric security posture provides the visibility and control needed to enforce policies and maintain audit trails.

    Looking Ahead

    The Healthcare Cybersecurity Act is a crucial step in addressing the cybersecurity challenges facing the healthcare industry. However, it's important to remember that legislation alone is not enough. Healthcare organizations must adopt a proactive, data-centric approach to security to truly safeguard patient information and maintain the trust of those they serve.

    At Virtru, we're committed to partnering with healthcare providers, insurers, and other stakeholders to create a more secure digital healthcare ecosystem. Together, we can ensure that the promise of digital healthcare is realized without compromising the privacy and security of patient data.

    Nick Michael

    Nick is the Communications Manager at Virtru. With 8 years of experience in tech-focused public relations and media content, he has a passion for news analysis and finding the story behind the story.