Data Breaches of Protected Health Information Will Get More Frequent in 2014

Guest post by Michelle Blackmer, director of marketing, Healthcare, Informatica.

The volume of protected health information (PHI) in electronic form is exploding – both from the wholesale move from paper charts to electronic health records for capturing clinical data and from the proliferation of new sources of electronic data from networked medical devices. Additionally, IT staff have been overwhelmed by regulatory mandates, rampant technology changes (e.g., virtualization, BYOD, big data), massive application projects and flat or decreasing budgets.

This increase in electronic PHI, combined with the challenges facing health system IT, makes it even more important for providers and non-providers to find efficient ways to secure their data. However, malicious activity is showing a consistent upward trend. Unless leadership adopts an almost maniacal focus on protecting patient data and treats the deployment of available tools and processes as an organizational imperative, 2014 will bring even more frequent and larger breaches of PHI.

Current data security climate

Even so, many healthcare organizations are not taking the necessary steps to reduce the proliferation of unprotected PHI in non-production test and development environments. Ninety-four percent of respondents to the third annual Ponemon Institute Benchmark Survey on Patient Privacy and Data Security had at least one data breach in the past two years, and 45 percent reported having had more than five total incidents each. Even more surprising is that the leading cause of a breach is a lost or stolen computing device that houses PHI. The survey also found that:

With the rapid introduction of applications and dramatic increase in department-level IT spend, copies of production data are multiplying exponentially, and each copy further increases the risk of a data privacy breach. In many cases, users are transferring production data to their mobile devices for testing purposes. Unfortunately, this puts the organization at greater risk of a data breach.

Using data masking to secure end-user devices

Given that each data breach costs approximately $5.5 million and does immeasurable damage to an organization’s reputation, protecting against data breaches requires process, leadership and technology. Fortunately, data masking technologies can support the masking and sub-setting of production data before it is moved to a user’s device, which means the user can test anytime, anywhere, without the risk of a data privacy breach.

Data masking alters data to obfuscate the original values, essentially making the sourced information anonymous while not impacting the application functionality. Data masking is offered in two forms – static and dynamic data masking. Static (or persistent) data masking permanently and irreversibly changes data values while preserving the original characteristics and patterns. This technique is commonly used in non-production environments for testing and training purposes. Dynamic data masking changes the value that is presented to the user during the request while leaving the original values untouched. This latter approach is commonly used to protect sensitive data in production. Authorized users see the original values, while unauthorized users see masked values. In both cases, data masking can be deployed without the need to customize the application or write any code.
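The static/dynamic distinction described above, as an added example (not code from the original post or from any vendor product): the field names, the roles and the HMAC-driven character substitution are assumptions chosen for illustration, and the sample rows are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample rows; not real patient data.
PRODUCTION_ROWS = [
    {"mrn": "MRN-004821", "name": "Jane Roe", "ssn": "123-45-6789", "dx": "E11.9"},
    {"mrn": "MRN-017356", "name": "John Doe", "ssn": "987-65-4321", "dx": "I10"},
]
SENSITIVE = ("mrn", "name", "ssn")   # assumed masking policy: columns to mask
AUTHORIZED_ROLES = {"clinician"}     # assumed roles allowed to see originals

def _mask_value(value, key, field):
    """Swap digits for digits and letters for letters, keeping length, case and
    punctuation. A keyed HMAC drives the choice, so equal inputs mask equally."""
    stream = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()
    out = []
    for i, ch in enumerate(value):
        b = stream[i % len(stream)]
        if ch.isdigit():
            out.append(str(b % 10))
        elif ch.isalpha():
            base = "A" if ch.isupper() else "a"
            out.append(chr(ord(base) + b % 26))
        else:
            out.append(ch)
    return "".join(out)

def static_mask(rows, key):
    """Static masking: a separate, permanently altered copy for test or training.
    Discard the key after the run so the mapping cannot be regenerated."""
    return [{k: _mask_value(v, key, k) if k in SENSITIVE else v for k, v in r.items()}
            for r in rows]

def dynamic_view(row, role):
    """Dynamic masking: the stored row is untouched; the response is altered."""
    if role in AUTHORIZED_ROLES:
        return dict(row)
    return {k: ("*" * len(v) if k in SENSITIVE else v) for k, v in row.items()}

def leaked_values(original_rows, masked_rows):
    """Validation: list any original sensitive value still present in the copy."""
    originals = {r[k] for r in original_rows for k in SENSITIVE}
    return sorted(v for r in masked_rows for v in r.values() if v in originals)

if __name__ == "__main__":
    test_copy = static_mask(PRODUCTION_ROWS, secrets.token_bytes(32))
    print(test_copy)
    print(dynamic_view(PRODUCTION_ROWS[0], "developer"))
    print("leaks:", leaked_values(PRODUCTION_ROWS, test_copy))
```

Because the masked copy keeps each field's shape, application code that validates formats still works against it, while `leaked_values` gives an automated check that no original identifier survived into the non-production copy.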

Healthcare organizations can apply data masking to implement a set of best practices to help ensure data privacy:

1) Discover sensitive data throughout the enterprise, including production support environments used during development and training.

2) Simplify and centralize data privacy policy definition in such a way that enables reuse.

3) Define consistent data masking policies with data types and mitigation policies independent of the application or technology platform.

4) Implement data masking techniques across production and non-production environments to prevent potential privacy breaches.

5) Validate that data is protected through automated validation and audit reporting.

While the risk of data breaches is still on the rise, new technologies offer a solution to the endless PHI that needs to be secured. By implementing data masking, lost devices or malicious activity need not result in a breach that could cost millions to the organization. What technologies is your organization utilizing to ensure patient data privacy?

Julie Lockner, vice president of product marketing, Information Lifecycle Management, Informatica, also contributed to this piece.

One comment on “Data Breaches of Protected Health Information Will Get More Frequent in 2014”

Very interesting article. I think we’ll be seeing more and more breaches over the next few years. They may not be as simple as they have been in the past with improved systems and encryption but any lapse in proactive and aggressive protection will create gaps and risks.
