Blog Post
Protecting electronic personal health information: The role of data discovery in modern healthcare
Healthcare providers are entrusted with the most intimate details of a person’s life, in the form of their medical records and electronic personal health information (ePHI). With this trust comes the immense responsibility of protecting that data from the ever-growing threat of cyberattacks, data breaches and ransomware.
The sector is among the most targeted by cybercriminals, alongside financial services, as it handles vast quantities of the most valuable data for identity theft, fraud and phishing attacks — sensitive personal data and personal health information.
Data discovery solutions offer healthcare providers a lifeline, enabling the identification of this sensitive information and providing capabilities to secure and manage this data effectively.
In this article, we’ll investigate why healthcare is so heavily targeted by cybercriminals and the impact when a data breach occurs. We’ll consider the regulations governing data protection, privacy and security in healthcare. We’ll explain how data discovery can support health service providers in reducing their risk of cyber-attack and data breach, and in achieving and maintaining compliance with their regulatory obligations.
Unseen scars: The impact of healthcare data breaches
In the last 15 years, healthcare records have become digitized. While digital health records have improved accessibility and efficiency in healthcare delivery, the move to electronic records has opened the floodgates to a surge in data breaches.
In 2023, more than 725 data breaches were reported to the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR), exposing more than 133 million health records. These figures exclude breaches resulting in the exposure of fewer than 500 records.
Meanwhile, in Australia, the latest OAIC notifiable data breach publication reports health service providers as the leading source of breach notifications, accounting for 22% of all reported incidents.
Over the last several years, healthcare providers have become primary targets for ransomware incidents. One study reported a 60% increase in ransomware attacks on the sector in 2023 compared to the previous year.
Ransomware typically enters organizations through exposed system vulnerabilities or disguised within phishing emails, then rapidly proliferates through the network, encrypting and exfiltrating the data it finds. The perpetrators then demand a ransom, promising to decrypt the data once it is paid.
The repercussions of these incidents extend far beyond the initial shock and violation of privacy. For the individuals affected, the consequences can be life-altering. The exposure of sensitive health information can lead to identity theft, financial fraud and even blackmail. The psychological impact is profound, as patients grapple with the betrayal of their confidentiality and the anxiety of their medical histories being laid bare for exploitation.
Meanwhile, disruption to healthcare services due to cyber-attacks can have dire consequences for patient care, leading to delayed diagnosis and treatment for some patients — and in the worst cases, literally a matter of life and death.
In addition to the potential human cost of healthcare data breaches, health service providers also face significant financial losses, with the average cost of a data breach soaring to $10.1 million in 2023.
The protection of patient information is not just a technical issue, but one fundamental to patient care. For this reason, the sector is among the most heavily regulated, subject to strict data protection and privacy laws as well as industry-specific regulations.
Safeguarding the sanctity of health data
The protection and privacy of personal and sensitive health information are governed by a complex tapestry of laws and regulations that healthcare providers and their suppliers must navigate to ensure the confidentiality and security of electronic health records.
In the US, the Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for the security and privacy of health data. The Privacy Rule within HIPAA mandates safeguards to protect the privacy of personal health information and sets limits on its use and disclosure without patient consent. The Security Rule establishes a national standard for protecting electronic protected health information (ePHI) under the legislation. While HIPAA supersedes state laws, aspects of personal data privacy that HIPAA does not address fall under state privacy laws such as the CCPA and VCDPA.
Elsewhere, health information is generally included as part of national data protection and privacy legislation. Under these laws, health information is often classified as a special category of data requiring additional protections to ensure its confidentiality and security.
In the UK, the Data Protection Act 2018 enshrines the principles of the General Data Protection Regulation (GDPR) into domestic law, controlling how personal information is used by organizations, businesses or the government. Healthcare providers must adhere to these stringent rules, particularly when handling health data, which is considered a special category of sensitive personal data. The upcoming Data Protection and Digital Information Bill, currently progressing through the House of Lords, introduces further obligations on healthcare providers and their suppliers aiming to strengthen the protections in place for health data.
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) sets the standard for how private sector organizations collect, use and disclose personal information in commercial activities, including health data. Additionally, provinces like Alberta, British Columbia and Quebec have their own privacy laws that align with or exceed PIPEDA’s requirements.
Like the UK and Canada, Australia and New Zealand include health data within the provisions of their national data protection laws. The My Health Records Act 2012 in Australia and the Health Information Privacy Code 2020 in New Zealand further regulate the management of digital health records across both public and private sectors.
Empowering healthcare privacy and cybersecurity with data discovery
Healthcare relies on a comprehensive and detailed understanding of its patients’ needs, and the protection of sensitive patient information is paramount. With cyber-threats evolving at an alarming rate, healthcare providers need robust tools that can not only detect but also manage and govern data effectively.
This is where data discovery tools like Enterprise Recon come into play — data discovery scanning ensures you have the data awareness you need to manage and secure sensitive personal information and electronic personal health information with confidence.
Ground Labs’ advanced data discovery solutions have been created to ease the data management burden and help streamline privacy management and data security while supporting legal and regulatory compliance.
Cybersecurity in healthcare is not just about responding to threats; it’s about proactively identifying and mitigating potential vulnerabilities. Data discovery tools like Enterprise Recon provide healthcare organizations with the ability to scan their entire digital estate for sensitive data, including Personally Identifiable Information (PII) and electronic Protected Health Information (ePHI). This ensures healthcare providers can pinpoint exactly where their sensitive data resides, enabling them to implement targeted security measures and reduce the attack surface for potential cyber-threats.
Advanced data discovery tools also facilitate enhanced data risk management, offering risk scoring and labeling features that help prioritize data according to its sensitivity. As well as allowing healthcare organizations to focus their efforts on the most critical data, these capabilities enable more effective cybersecurity controls, including data loss prevention, incident response and investigation, and access management.
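As an added illustration of the scanning, risk scoring and labeling described above (example code written for this article, not Enterprise Recon's or Ground Labs' own implementation), the following Python scans a small constructed set of in-memory documents, checks US SSN structure to suppress false positives, and labels each file as PII or ePHI depending on whether identifiers co-occur with health-context terms; the file paths, contents, detectors and score weights are all assumptions made for the example:

```python
import re

# Constructed sample "files" (path -> contents); paths and contents are invented for this example.
SAMPLE_FILES = {
    "intake/patient_2024.txt": "Patient: Jane Doe, SSN 219-09-9999, Dx: type 2 diabetes",
    "hr/newsletter.txt": "Welcome our new hire! Contact: j.doe@example.com",
    "finance/notes.txt": "Ref 000-12-3456 is an invoice number, not an SSN",
}
# An identifier found alongside these terms is treated as ePHI rather than plain PII.
HEALTH_TERMS = ("patient", "dx:", "diagnosis", "prescription", "mrn", "treatment")
PATTERNS = {  # detectors; BASE_SCORE holds an illustrative risk weight per data type
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
BASE_SCORE = {"ssn": 5, "email": 1}

def valid_ssn(area, group, serial):
    """US SSN structure: area not 000/666/900-999, group not 00, serial not 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def scan_text(text):
    """Kinds of sensitive data found in one document, with structurally invalid SSNs dropped."""
    kinds = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if kind == "ssn" and not valid_ssn(*m.groups()):
                continue  # false positive such as an invoice number
            kinds.append(kind)
    return kinds

def risk_label(score):
    """Map a numeric score onto the priority label a reviewer triages by."""
    if score >= 5:
        return "critical"
    if score >= 2:
        return "high"
    return "medium" if score >= 1 else "none"

def scan_files(files):
    """Score and label every document; identifiers in a health context count double and become ePHI."""
    report = {}
    for path, text in files.items():
        kinds = scan_text(text)
        score = sum(BASE_SCORE[k] for k in kinds)
        if kinds and any(t in text.lower() for t in HEALTH_TERMS):
            score, category = score * 2, "ePHI"
        else:
            category = "PII" if kinds else "none"
        report[path] = {"findings": kinds, "score": score,
                        "category": category, "label": risk_label(score)}
    return report
```

Running `scan_files(SAMPLE_FILES)` ranks the intake note as critical ePHI, the newsletter as medium-risk PII, and the invoice reference as nothing to act on, which is the triage order a security team would want.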
A step towards a more secure healthcare future
As healthcare providers continue to digitize their operations, the need for effective data discovery, risk management and governance solutions becomes increasingly critical. Tools like Enterprise Recon are at the forefront of this transformation, offering healthcare organizations the capabilities they need to protect patient data, comply with regulations and ultimately deliver safer, more reliable care.
Request your complimentary Data Risk Assessment today, and find out more about how Enterprise Recon can help secure your ePHI with one of our experts by booking a call at a time that suits you.