Guest post by Michelle Blackmer, director of marketing, Healthcare, Informatica.
The volume of protected health information (PHI) in electronic form is exploding – both from the wholesale move from paper charts to electronic health records for capturing clinical data and with the proliferation of new sources of electronic data from networked medical devices. Additionally, IT staff have been overwhelmed by regulatory mandates, rampant technology changes (e.g., virtualization, BYOD, big data), massive application projects and flat or decreasing budgets.
This increase in electronic PHI combined with the challenges for health systems IT make it even more important for providers and non-providers to find efficient ways to secure their data. However, with malicious activity showing a consistent upward trend, absent a change to an almost maniacal leadership focus on protecting patient data and the deployment of available tools and processes as an organizational imperative, 2014 will bring even more frequent and larger breaches of PHI.
Current data security climate
Even still, many healthcare organizations are not taking the necessary steps to reduce the proliferation of unprotected PHI in non-production test and development environments. Ninety-four percent of respondents to the third annual Ponemon Institute Benchmark Survey on Patient Privacy and Data Security had at least one data breach in the past two years, and 45 percent reported having had more than five total incidents each. Even more surprising is that the leading cause for a breach is a lost or stolen computing device that houses PHI. The survey also found that:
- Unrestricted database administrator (DBA) access heightens risk: 73 percent of DBAs can view all data.
- Data compromise/theft remains rampant: 50 percent of respondents say data has been compromised or stolen by a malicious insider such as a privileged user.
- Organizations are under-coping: 68 percent have difficulty restricting user access to sensitive data, 66 percent have difficulty complying with privacy/data protection regulations and 55 percent lack confidence that they would even detect data theft/loss from their own production environments.
With the rapid introduction of applications and dramatic increase in department-level IT spend, copies of production data are multiplying exponentially, and each copy further increases the risk of a data privacy breach. In many cases, users are transferring production data to their mobile devices for testing purposes. Unfortunately, this puts the organization at greater risk of a data breach.
Using data masking to secure end-user devices
Given that each data breach costs approximately $5.5 million and does immeasurable damage to an organization’s reputation, protecting against data breaches requires process, leadership and technology. Fortunately, data masking technologies can support the masking and sub-setting of production data before it is moved to a user’s device, which means the user can test anytime, anywhere, without the risk of a data privacy breach.
Data masking alters data to obfuscate the original values, essentially making the sourced information anonymous while not impacting the application functionality. Data masking is offered in two forms – static and dynamic data masking. Static (or persistent) data masking permanently and irreversibly changes data values while preserving the original characteristics and patterns. This technique is commonly used in non-production environments for testing and training purposes. Dynamic data masking changes the value that is presented to the user during the request while leaving the original values untouched. This latter approach is commonly used to protect sensitive data in production. Authorized users see the original values, while unauthorized users see masked values. In both cases, data masking can be deployed without the need to customize the application or write any code.
Healthcare organizations can apply data masking to implement a set of best practices to help ensure data privacy:
1) Discover sensitive data throughout the enterprise, including production support environments used during development and training.
3) Define consistent data masking policies with data types and mitigation policies independent of the application or technology platform.
4) Implement data masking techniques across production and non-production environments to prevent potential privacy breach.
5) Validate that data is protected through automated validation and audit reporting.
While the risk of data breaches is still on the rise, new technologies offer a solution to the endless PHI that needs to be secured. By implementing data masking, lost devices or malicious activity need not result in a breach that could cost millions to the organization. What technologies is your organization utilizing to ensure patient data privacy?
Julie Lockner, vice president of product marketing, Information Lifecycle Management, Informatica, also contributed to this piece.