The Importance Of Data Loss Prevention Software In The Healthcare Industry

By Author: Lauren Ellis
Total Articles: 35
Comment this article

In the age of electronic health records that help providers record and share the healthcare data of their patients, a growing concern continues to be the security of personal patient information. Not protecting patient information can be disastrous. Yet the question remains, how can healthcare administrators and providers be effective in securing patient information?

While the Forrester study found that of 2,134 IT professionals in healthcare surveyed, 59% found it important to add security layers to protect information stored and shared on laptops, smart phones, or tablets via strong Data Loss Prevention Software, the survey also reported that 39% of security breaches in healthcare were directly related to lost or stolen equipment. Chris Sherman, head analyst for the project told the Wall Street Journal, “Endpoint data security must be a top priority in order to close this faucet of sensitive data.”

Sherman went on to warn that leaders in the healthcare industry haven’t done enough to secure credit card data, social security data, and other sensitive patient information, known collectively as PHI, or “protected ...
... health information.” The unscrupulous can use such information to create false credentials including licenses and credit cards and then sell the information for upwards of $500.00 from the right buyers. One solution, says Sherman, is to make encryption practices better and to store information on more secure, cloud-based formats rather than storing sensitive information on specific devices, as once the device itself is comprised, so is all of that highly valuable information.

Providers and administrators also need to beware of pretenses that can too well emulate corporate or organizational communications, impersonation of authorized users to gain login credentials—or worse, physical theft of devices. Some signs security problems can include slow network connections, or problems signing into a server or system, and should be made known to all technology users within an organization.

Users should also understand that security compromising attempts are evolving on a moment-by-moment basis and that what works to secure information in their organizations today, may not work tomorrow. Human monitoring is key, and having hands-on experts to watch for changes in classic indicators, like failed login attempts or more than usual traffic at non-peak hours, can as valuable as the best Data Loss Prevention Software.

Just as important as detecting security problems in any system is a plan to handle to fallout should a breach occur. Containing a breach is imperative. Affected hardware may need to be quarantined from the network or further observed to ascertain the gravity of the breach. Reports should be made to affected consumers and regulating agencies in a timely manner, and a corporation’s legal counsel should be apprised of the incident as soon as possible, as well as kept in-the-loop about connected activity. Malicious software must be removed so that operations can be maintained and a new security strategy--along with communication to affected individuals about that strategy-- is likely in order.

It seems that even the Department of Health and Human Services supports Sherman’s recommendations. In the Department’s 11 steps for securing health mobile data, 2012, the HHS promotes the use of high quality passwords and advises that mobile devices used to store data use an FIPS 140-2-level or better encryption process. (More about the National Institute of Standards and Technology’s recommendations concerning cryptographic module implementation can be found here.) The document may be useful for organizations that are searching for a comprehensive plan for detection and response for Data Loss Prevention in the healthcare industry. Covered in this guide are recommendations for cryptographic module specification; securing interfaces and ports; authentication; physical and virtual security; environmental guidelines for operations and support; security key administration; EMI/EMC; best self-testing practices; quality of design and guarantees; and keeping attacks to a minimum.

The bottom line is that organizations within the healthcare industry must find better ways to secure information via mobile Data Loss Prevention, creating better device integrity, and utilizing high-quality device tracking. At a minimum, healthcare organizations must begin to encrypt devices at a foundational level to ensure a tighter rein on security problems and must set into play real, comprehensive solutions when investing in and implementing data loss prevention software.

Author:
Lauren Ellis is a research analyst covering the technology industry’s top trends & topics, focusing on Cloud Security, Cloud Computing, Data Loss Prevention Software etc.,