Mage Data

Category: Blogs – HLS

  • Data Privacy Solutions for the Healthcare Industry

    Data Privacy Solutions for the Healthcare Industry

    Gaps in data privacy regulation and a lack of trust in existing systems plague the healthcare industry. 80% of patients surveyed say they will not return to the same provider after an experience that caused them to lose trust. Providers must rebuild trust in healthcare, and data privacy is an important place to start.

    Legislators continue to work on mandates enforcing the privacy of protected health information (PHI). At the same time, new legislation forces organizations to make health information available and portable, giving patients greater access to their electronic data. These competing ideas create a compliance minefield for organizations to navigate.

    Healthcare organizations manage large, complex data sets. It’s already a challenge to maintain mountains of information, and the need to make information available complicates things further. Patients must be able to access their own health information with ease, but the unauthorized parties absolutely must be denied access. Portability can’t come at the expense of data privacy.

    Data Privacy Issues in the Healthcare Industry

    As the size of data grows, so does the median size of data breaches, reports the HIPAA Journal. Since 2009, the Department of Health and Human Services (HHS) has received more than 4,400 reports of significant breaches—and that only counts sizable breaches where 500 or more records were compromised.

    Overall, the number of lost, stolen, or improperly exposed healthcare records is greater than 314 million, reports the HIPAA Journal. To get a grasp of the scale of this problem, consider that the entire population of the United States is roughly 330 million people.

    The HIPAA Journal also reports more frequent hacking and related IT incidents, a 9.4X increase from 2015 to 2021. To keep pace with the sharp uptick in incidents, the Office for Civil Rights (OCR) has to pass down more penalties. The reported volume of OCR Penalties for HIPAA enforcement jumped 600% between 2010 and 2020.

    Offending healthcare organizations pay fines, settlements, and civil monetary penalties (CMPs). The total cost of such payments has exceeded $10s of millions. Healthcare breaches are dramatically more common and more costly.

    Fortunately, healthcare IT professionals can implement data privacy solutions to mitigate or eliminate risks. This is the way to protect patient information at scale.

    Key HIPAA Rules for Healthcare Privacy

    There are two key HIPAA rules to consider for healthcare privacy:

    The HIPAA Privacy Rule (45 CFR §164.530) protects PHI and medical records by limiting unauthorized use and disclosure. Patients must be able to inspect their records and make changes to their files.
    The HIPAA Security Rule (45 CFR §164.308) defines standards, methods, and procedures to protect PHI. These standards relate to data storage, accessibility, and transmission.
    These rules begin to address common data privacy challenges in the healthcare industry. HIPAA’s rules for healthcare data privacy exist to protect patients, but they also put organizations between a rock and a hard place.

    For example, hospitals can’t eliminate information or print it for storage in a secure facility – doing so would deprive patients of convenient access to their health data. On the other hand, the information can’t be too accessible to the point where unauthorized parties gain access. Organizations have to protect the privacy of data from some parties while removing all barriers to access for the appropriate patients.


    Beyond HIPAA: Patient Consent and Evolving Policies

    HIPAA rules like the two above are the bare minimum for data privacy in the healthcare industry. HIPAA preempts and overrides less protective privacy laws. It does not, however, affect laws that protect privacy more thoroughly. That is, healthcare providers may also be held accountable to other standards even beyond HIPAA.

    Federal and state laws may impose additional requirements on healthcare organizations. For example, they may regulate the ways patients consent to information disclosure. Evolving legal factors play a big part in the way healthcare IT professionals practice data privacy. Different organizations face unique challenges, but there are several common themes

    Common Healthcare Data Privacy Challenges

    Electronic Health Records (EHRs) and Health Information Exchanges (HIEs) present healthcare data security challenges. Patients must get easy access to their information, but the same information must be inaccessible to unauthorized parties. The IT infrastructure must be simple enough to be efficient, and advanced enough to repel sophisticated threats.

    The Health Information Technology for Economic and Clinical Health (HITECH) Act adds complexity. HITECH has since been folded into HIPAA. The legislation encourages transparent sharing of medical information across numerous providers. The high portability of information allows patients to receive care from any number of providers. Unfortunately, it also creates a colossal attack surface.

    Healthcare Data Privacy Solutions

    IT professionals ensure healthcare data privacy by implementing the appropriate privacy-enhancing technologies (PETs). Healthcare PETs offer multiple ways to maintain privacy.

    • Data discovery
    • Data access control
    • Database activity monitoring
    • EHR data masking
    • Healthcare organizations can use these techniques in concert. Comprehensive data privacy plans protect patients and maintain compliance.

    Data Discovery

    Sensitive information can’t be encrypted or masked until someone knows where it is. Data discovery solutions uncover sensitive information in obscure locations throughout an organization. The most complete technologies account for structured data, unstructured data, big data, and the cloud.

    Authentication, Access Control, and Activity Monitoring

    Restricting access to authorized users is at the core of data privacy. Healthcare IT professionals typically use access rights automation and database activity monitoring. Responding to Right to Access and Right to Erasure requests is faster after automating data subject access rights. Database activity monitoring provides audit-ready reporting at all times.

    Data Masking in Healthcare

    Data must be secure in all states for EHR data masking to work. That is, data masking solutions must protect data at rest, in transit, and in use.

    Static data masking techniques protect data in pre-production and non-production environments. Such techniques include encryption and tokenization. Dynamic data masking techniques provide control of sensitive data in production environments. This is critical when protecting PII, PHI, and other sensitive data in the most vulnerable states: in-transit and in-use.

    Patented Vs Open-Source Data Masking in Healthcare

    There are open-source data masking solutions. Unfortunately, native and open-source anonymization solutions have three limitations:

    • Scalability across databases
    • Flexibility of anonymization methods
    • Analytics access to achieve valuable insights without sacrificing privacy

    It isn’t always enough to tick individual boxes on a data privacy checklist. Patented solutions take the more holistic, comprehensive approach to healthcare data privacy.

    Healthcare Data Privacy: The Big Picture

    Healthcare information systems use various PETs to meet their unique needs. Data must be kept private while retaining its utility for all relevant processes. Working across multiple database platforms requires portability and flexibility, but also consistency.Healthcare data privacy solutions must be highly scalable and maintainable. The data landscape continues to sprawl and data volume is constantly growing. Outsourcing privacy-enhancing technologies is the fastest way to implement effective healthcare cybersecurity measures.

    Choosing Privacy-Enhancing Technologies for the Healthcare Industry

    Privacy-enhancing technologies help healthcare organizations achieve optimal data privacy without forsaking utility. The first step is discovering all sensitive information. From there, cybersecurity implementers can use encryption, tokenization, and masking to secure data. Consistent scanning brings threats to light immediately, and associated reporting demonstrates compliance. Schedule a demo with MAGE DATA to see how our tools can ensure the privacy and security of your healthcare data.

  • Data Privacy Regulatory Compliance: A Primer

    Data Privacy Regulatory Compliance: A Primer

    Businesses can get into serious legal trouble if they don’t take care of customer data. But, that’s not the only reason that data privacy is important. Improper access to data and data breaches can have profoundly negative consequences on your employees and your users. Handling personal data correctly not only protects your business, but also shows that you’re treating your customers and employees ethically—and ensures that their data is safe from prying eyes.

    To meet those lofty goals, businesses need a comprehensive approach to data privacy grounded in modern best practices.

    What is Data Privacy?

    Before diving into the mechanics of data privacy, it’s important to understand the field’s evolution and how we got to where we are today.

    A History of Data Privacy

    The Privacy Act of 1974 is arguably the first data privacy act passed anywhere in the world. Given the rise of electronic databases across government agencies and the ease of sharing data between them, there were new avenues for potential abuse of private information. In passing the law, the US government established four principles that have heavily influenced subsequent data privacy laws.

    First, it requires government agencies to show individuals a copy of any records it keeps on them. This is very similar to the “Right to Access” that appears in later laws. Second, it outlined “fair information practices,” which were designed to better manage how government employees collected and used personal data. Third, it restricts how agencies should share personal data with individuals and other agencies, though law enforcement was generally exempted from this practice. Fourth, it allowed people to sue the government for mishandling the data, establishing that data privacy was important and deserved a legal remedy when it was violated.

    The next major data privacy law came in 1998, with the Health Information Portability and Accountability Act, or HIPPA. One of the critical innovations of this approach to data privacy was the acknowledgment that some kinds of personal data were more sensitive than others and required greater safeguards. In this instance, medical information was put in the spotlight. While it has transformed how the medical industry handles personal information, it was only a glimpse of things to come.

    While the Privacy Act of 1974 and HIPPA focused on governmental and medical records, recent laws have focused on personal information of nearly every type and across all industries. The General Data Protection Regulation, which went into effect in the EU in 2018, heavily restricted how companies could use data, required consent for data use, and created a “right of deletion” for personal data held by companies. Likewise, the California Consumer Protection Act, which went into effect in 2020, places a strong emphasis on consent when processing personal data and allows for legal remedies in the case of a data breach.

    Why Do Companies Retain Records, Anyway?

    Given the headache of managing data in the modern regulatory environment, it’s fair to wonder why companies do it. Here are the core reasons companies collect, store, and manage data as a part of their regular business.

    Provide Core Business Services

    The first and most important reason companies collect and store information is to provide their core business services. Imagine that you’re a retail company trying to fulfill an online order without the customer’s name, address, or credit card information. It would be impossible! Nearly all businesses need some customer information to run their business. However, for many organizations, the complexity of the data collected is much higher.

    For example, a mortgage company may need detailed information about employment and pay and one or multiple credit reports. And it may need to hold onto them for a while, or request updates, as the customer in question shops for a home during a changing economic environment. Or a medical company may hold extensive information about a patient’s health and healthcare, with records that date back years. Doctors need that information to provide the right care to their patients.
    Your company may differ from those listed above. However, the fact remains that there are likely fundamental business processes that you would be unable to run without collecting and using customer data.

    Analyze and Project Business Performance

    Customer data may also be needed to analyze and project business performance. Historical reporting often tangentially or directly requires customer data. Without it, there would be holes in the report and gaps in the business’ understanding of how it was doing. However, historical reporting is only part of the equation. Businesses need to innovate to remain competitive and want to find ways to increase their sales and revenue. Data, especially customer data, may hold the secrets to unlock these advances.

    Meet Regulatory Requirements

    Sometimes, organizations must hold on to personal data for a certain period to meet regulatory requirements. This is more common when the organization or the information it keeps are related to finance, medicine, or education—but it can happen in any industry. It’s important to ensure that your business complies with these laws, as failing to do so can result in severe fines and a significant hit to your company’s public reputation.

    Learn More About Data Privacy Regulatory Compliance

    Handing data is a core part of just about any business operation today. Given that it’s so central to what businesses do, it’s important that they both manage data as efficiently as possible and comply with the privacy laws worldwide that dictate what they can’t and must do with their data.

  • What is HIPAA Compliance?

    What is HIPAA Compliance?

    HIPAA, or the Health Insurance Portability and Accountability Act, is one of the first data privacy laws passed anywhere in the world. It has transformed how companies handle personal health information in the United States and made it one of the most protected data types. It has also resulted in healthcare providers and companies struggling with innovation and the high cost of HIPAA compliance. The question in modern health care is, “can companies and medical practices comply with HIPAA while remaining flexible and controlling their costs?”

    HIPAA Regulations

    This article isn’t a replacement for the advice of a qualified legal professional with detailed knowledge of your practices. Instead, it’s meant as a primer to help decision makers understand what HIPAA is generally asking for, and what compliance options they may have. With that in mind, let’s dive into HIPAA.

    The Security Rule

    While HIPAA is the law that mandated certain regulations, it doesn’t contain them—it essentially ordered the Secretary of Health and Human Services to formulate the regulations. The result of that process is the Security Rule, which outlines who is covered by HIPAA, and what protections they must be provided.

    The Department of Health and Human Services states that the rule “applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”) and to their business associates.” Given the broadness of that definition, it’s good that the agency includes a tool to help organizations determine if they are required to comply with the rule. It’s important to note that even though your company may not be originating the information, you may still be required to comply with the law as a business associate.

    Protected Health Information

    The next critical concept in HIPAA is “protect health information.” HIPPA defines this as “individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.” This includes information about the following:

    The individual’s past, present, or future physical or mental health or condition,
    The provision of health care to the individual, or
    The past, present, or future payment for the provision of health care to the individual.
    For the data to be protected, it must identify the individual or create a reasonable basis to believe that the individual could be identified from the data. Consequently, “deidentified” data, or “anonymized” data, isn’t required to have the same level of protection. It’s also important to recognize that while what most people would consider “health records” is covered by HIPAA, so are records related to payments for healthcare by an individual.

    General Rules

    Covered entities are required to do the following under HIPAA:

    Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
    Identify and protect against reasonably anticipated threats to the security or integrity of the information;
    Protect against reasonably anticipated, impermissible uses or disclosures; and
    Ensure compliance by their workforce.
    These requirements are where HIPAA compliance becomes very tricky relative to other data privacy laws. While ensuring confidentiality is a common requirement, reasonably anticipating threats to security or unauthorized disclosure is an uncommon and potentially difficult-to-satisfy requirement. What constitutes a threat that you should have “reasonably” anticipated? The flexibility in the language here allows for post-hoc analysis of your approach to security.

    If there ever is a leak or breach of your systems, then it’s hard to imagine a scenario in which a government agency ruled that you “reasonably” anticipated what occurred. Instead, the law’s vagueness means that companies can easily be held responsible when things go wrong, even if they took reasonable steps and the events that occurred were truly outside of their control.

    HIPAA Compliance Challenges


    The solution to HIPAA’s open-ended nature is for companies to focus on prevention and regular compliance actions. HIPAA requires risk analysis, or regular audits of your policies and procedures, and physical and digital security actions. The second largest fine ever imposed on a company under this law was for failure to conduct a thorough risk analysis that directly led to a massive breach. Consequently, covered entities must perform regular risk audits and analyses.

    However, the issue with this approach is that, no matter how many audits you run, you won’t find the things you aren’t looking for. Is one of your doctors snooping in patients’ files? It may sound farfetched, but UCLA Hospitals were fined for just that when one of their doctors accessed the files of celebrities and other patients whom he had never treated.

    Even innocuous-seeming actions can result in HIPAA violations. Imagine one of your front-office workers asks another to forward them a document because the system won’t give them access. Maybe they should have access to it, in which case the system is either too overzealous or not granular enough. Each request represents disruption and a loss of efficiency and could result in a huge strain on company resources. And sending a file like that might move it outside the audit logging process. Months or years later, an investigator may want to know how and why that file was sent, and you might not be able to bring the receipts.

    Or maybe they shouldn’t have access. Perhaps they’re about to leak it. But, in an environment where the system isn’t perfect, it’s hard for your staff always to do the most secure thing. If they previously had to work around the safeguards to get their job done, the trend will be towards more serious violations over time.

    How Mage Data Helps with HIPAA Compliance

    There’s a good chance your company already has a compliance system. But, if it’s slowing down your work or not giving you complete protection, then you’re not just getting reduced benefits; you might as well not be getting any at all. Mage’s solutions can replace or sit on top of your existing provider, allowing for near-real-time, comprehensive access logging. And it can increase your flexibility with dynamic data masking, where doctors, administrators, and financial staff can access the same file but only be allowed to see the information they need to do their job.

    With Mage data, you can have the security you need while ensuring that your employees can do their job unencumbered. Schedule a demo today to learn more about what Mage Data can do for you.

  • Data Security Challenges in Healthcare Industry

    Data Security Challenges in Healthcare Industry

    The healthcare industry is constantly innovating, and has made significant improvements in technology over the last couple of years to enhance patient treatment. For example, the use of AI has changed the game for hospitals around the world, helping physicians make smarter decisions at the point of care, improving the ease and accuracy of viewing patient scans and reducing physician burnout.1

    As more and more of the healthcare sector progress in a digital fashion, unfortunately, it becomes a tempting site of attack for cybercriminals. Just like any other industry, the healthcare industry has faced its share of Mega Data breaches, such as the breaches of Banner Health and Newkirk Products, where close to 4 million people were affected.2 But unlike other industries, the healthcare industry faces the highest data breach cost of $6.45 million. What’s even more alarming is that, at 329 days, it also has the highest duration for identifying and containing a breach.3

    Even with laws like the HIPAA which mandate strict standards and processes for the protection and confidential handling of PHI, compliance doesn’t ensure one hundred percent data security, and hence isn’t solely enough to protect hospitals from cybercrime.

    Challenges

    Let’s go through some of the major data security challenges faced by medical institutions:

    • Transfer of Electronic Health Records (EHRs)

    The Health Information Technology for Economic and Clinical Health (HITECH) Act encourages healthcare providers to adopt EHRs and Health Information Exchanges (HIEs) so doctors can easily share data with their patients. However, this network of limitless medical information between numerous providers serves as a hotspot for hackers if not protected properly.

    • Maintaining compliance

    The HITECH Act offers incentives for EHR and HIE adoption. Having said that, it also creates the responsibility of having to maintain compliance. For instance, healthcare providers are required to notify their patients if there’s a breach of their unsecured data. In addition, healthcare institutions also have to comply with laws like the HIPAA, and other data protection regulations like the GDPR or the CCPA, whichever applies to them.

    • Inability of end-user to protect medical information

    Apart from medical providers having to maintain compliance, the adoption of EHRs also poses a burden in terms of end user errors. Once the user accesses his medical data from the provider’s portal, the privacy of his records is also his responsibility. By sending unsecured data across to anyone else, the user opens up an easy link for hackers to get through. While healthcare organizations are bound by data security laws, the same cannot be said for users, who often as an oversight do not keep up with data security best practices.

    • The adoption of digital platforms to store, access and transfer data

    The digital progression is very evident as greater number of hospitals move their resources to the cloud and to mobile platforms. The COVID-19 pandemic has also fundamentally changed the face of care provision across the world. Telehealth adoption in the US, for instance, has grown around 3,000% since the start of the crisis, taking much of primary care to people’s homes rather than being necessarily tied to a doctor’s office or hospital.4

    • Inefficient IT infrastructure

    Nobody said running a hospital would be cost efficient. In an episode of one of my favourite TV shows (Grey’s Anatomy), the chief of the hospital decides to cut back on fundamental necessities for the hospital since that money went to expensive medical tech. Sadly, this is true for hospitals in the real world too. While spending adequate money for something like IT infrastructure may seem like a tough decision or unimportant considered to all the other crucial activities that go on in a healthcare organization, it is better than facing the cost of a data breach.

    • Evolution of technology vis a vis the threat landscape

    As the healthcare sector continues to offer life-critical services while working to improve treatment and patient care with new technologies, criminals and cyber threat actors look to exploit the vulnerabilities that are coupled with these changes. Apart from data breaches, the following are some of the sources of frustration for healthcare IT and cybersecurity specialists:5

    • Ransomware
    • DDoS attacks
    • Insider threats
    • Business email compromise
    • Fraud scams

    As healthcare institutions keep enhancing their technology, they’re incidentally open to cyber risk exposure. The COVID-19 outbreak has also not provided any relief in this matter. The INTERPOL Cybercrime Threat Response team findings have detected a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response. 6

    Solutions

    Technology is largely the cause for cybercrime, but technology is also what is needed to thwart it. People and processes are not enough; organizations should implement the right technology in place to build a strong data security posture.

    • Monitor user activity for all actions performed on sensitive data in your enterprise.
    • Choose from different methods or select a combination of techniques such as encryption, tokenization, static, and Dynamic Data Masking to secure your data, whether it’s at rest, in use, or in motion. Before this step, sensitive data discovery is a must, because if you don’t know where your data is, how will you protect it?
    • Deploy consistent and flexible data security approaches that protect sensitive data in high-risk applications without compromising the application architecture.
    • Your data security platform should be scalable and well-integrated, which is consistent across all data sources and span both production and non-production environments.
    • Finally, ensure the technology you’re implementing is well-integrated with existing data protection tools for efficient compliance reporting and breach notifications.

    Conclusion

    Cybercrime is a menacing threat for any industry, but more so for the healthcare sector, given the high cost of data breaches and the long duration it takes to identify a breach. The outcome of information theft is too great a risk, especially due to the ethical commitment medical providers share with their patients. Building a robust data security platform should be a principal goal of any hospital.

    About Mage Data

    The Mage Data platform comprises a comprehensive solution that protects sensitive data along its lifecycle in the customer’s systems - providing capabilities from Sensitive Data Discovery, masking, and monitoring to data retirement. Engineered with unique, scalable architecture and built-in separation of duties, it delivers comprehensive, consistent, and reliable data and application security across various data sources (mainframe, relational databases, unstructured data, big data, on-premise, and cloud).

    How a leading healthcare company in the US is effectively handling data security

    A leading provider of hospital medicine and related facility-based services had an Oracle environment, storing information for more than 2,000 providers in 1,500 facilities. Due to the time required to manage the Oracle data masking tool that had been in place for two and a half years, they looked at the market for a data masking solution that would have ease of use and full automation.

    The organization noted several advantages to using the Mage Data Platform instead of Oracle DM, one of the main advantages being the time required to implement and run the software. Apart from a fully automated anonymization solution, the organization was also able to discover many hidden sensitive data locations with the Mage Data sensitive data discovery tool.
    Click here to read more: Mage Data Customer Success Stories

    References

    1 Cleveland Clinic Newsroom – Cleveland Clinic Unveils Top 10 medical Innovations for 2019
    2 Digital Guardian Data Insider – Top 10 Biggest Healthcare Data Breaches of All Time
    3 Ponemon Institute – Cost of a Data Breach Report, 2019
    4 Healthcare IT News – Digital transformation in the time of COVID-19
    5 Center for Internet Security (CIS) – Cyber Attacks: In the Healthcare Sector
    6 Forbes – Cyber Attacks Against Hospitals Have ‘Significantly Increased’ As Hackers Seek To Maximize Profits
    ss_entry-meta=”margin-top: -20px;” border_radii=”on|6px|6px|6px|6px” box_shadow_style=”preset1″ box_shadow_spread=”-6px”]