Zettaset Blog

Why Healthcare Data Protection Needs to Include Encryption

healthcare data protection

Since the government has implemented more regulations enforcing the privacy and protection of healthcare records, the healthcare industry has been forced to more fully address healthcare data protection and security. Although regulations do not specifically require data encryption, many healthcare organizations are using it to secure protected health information (PHI) and stay ahead of future requirements.Healthcare organizations can no longer rely on perimeter security approaches like firewalls to provide the hardened security required to protect their data storage environments and thwart today’s sophisticated attackers.

Data encryption has now become an essential element in a layered approach to data security.  It offers more robust protection from cyber-criminals by encoding data in such a way that only authorized parties can access it. Encryption does not itself prevent interference from an attacker. Instead, it denies the intelligible content to a would-be interceptor who does not possess the necessary key to de-encrypt the data. Put simply, even if an attacker physically steals a server with encrypted data, the data on that server remains completely undecipherable without the encryption key.

Healthcare Organizations Have Become Major Targets for Cyber Attacks

Enhancing healthcare data protection through the use of encryption has become increasingly necessary. Hackers have learned to target providers, like hospitals and clinics, and payers, like plan managers and insurance companies. Between 2015 and 2016, healthcare cybersecurity attacks increased by 320 percent. Most of the breaches in 2016 were the result of hackers who wanted to access private information that they could use to commit identity theft and health insurance fraud.

Even more troubling, attackers have increased their focus on healthcare data breaches in 2017. As of August, the healthcare sector had reported 233 breaches. That puts 2017 on pace to finish the year by breaking 2016’s one-breach-per-day record.

Data breaches in healthcare aren’t always attempts to steal information. Some cyber-criminals use ransomware to make quick money from hospitals that desperately need to access information so they can treat patients properly. The ransomware attack WannaCry took down 48 hospitals in the United Kingdom. Attackers demanded $300 in Bitcoin before it would release the files. That $300 in Bitcoin was worth about $540,000 at the time.

Not surprisingly, hospitals are willing to pay the ransom so they can treat their patients. The alternative is to delay patient care, which could cause serious harm. Hackers are keenly aware that hospitals are the perfect targets for ransomware because losing data put lives in danger.

Anyone who doubts the importance of healthcare data protection should consider that 88 percent of all ransomware attacks in the U.S. focus on the healthcare industry. Without stringent healthcare data security precautions, the problem will only get worse.

What Do Criminals Do With Healthcare Information?

When cybercriminals don’t use ransomware, they often steal information so they can sell it on dark web. Once they have access to patient data, criminals use the information to:

  • Commit identity theft and health insurance fraud.
  • Expose private information to the public.
  • Damage a person’s reputation.
  • Cause personal distress.
  • Use compromised accounts as gateways to breach networks.

The price of medical records has fallen in the wake of several large-scale data breaches. At times, cybercriminals may earn as much as $350 by selling stolen information on the dark web. Currently, hackers usually make about $100 per stolen file. In such a volatile marketplace, though, values could skyrocket at any time, giving criminals more reasons to attack healthcare organizations.

The message is clear: Poor data governance in healthcare puts individuals and companies in jeopardy.

HIPAA Has Unwritten Rules Organizations Should Follow

Currently, HIPAA doesn’t explicitly require healthcare organizations to use data encryption. It does, however, ask organizations to consider “what encryption and decryption mechanisms are reasonable and appropriate to implement to prevent access to EPHI (electronic protected health information) by persons or software programs that have not been granted access rights.”

HIPAA requirements aside, many experts believe that healthcare data encryption has become a necessity. Without encryption, data simply becomes too easy for criminals to steal.

Preventing Security Breaches Costs Less Than Fixing Them

Healthcare data protection may sound like an expensive pursuit, but it costs less money to prevent a breach than to fix one. On average, a data breach will cost an organization $7.35 million. This number does not even include the additional costs of lawsuits, loss of brand value and reaching out to affected patients to inform them of the situation.

On top of these potential expenses, the organization may have to pay a fine to HIPAA. The average HIPAA settlement fine comes to about $1.1 million.

When you look at the average global cost of a data breach, companies lose about $141 per stolen record. In the healthcare industry, though, the average cost soars to $380 per stolen record. When a breach affects thousands of people, the consequences become quite expensive.

You can’t be too careful when it comes to securing PHI. Given the potential losses caused by a healthcare data breach, it makes sense to take a layered approach to data security and invest in encryption to bolster your existing data protection solutions.

Only encryption actually protects data by making it completely undecipherable to anyone without proper authorization. Hackers can break through firewalls and intrusion protection systems to gain access to the data center.  But once they encounter an encrypted server, they’ll come to a dead stop.

With the right technology, highly targeted industries like healthcare can protect themselves from data breaches without spending excessive amounts of money.

Zettaset can provide the technology you need. Learn more about why you should trust Zettaset for your healthcare data encryption. By choosing the right solution provider, you can save money in the longterm, protect your patients, and avoid the hassles that come after a data breach.

Our Resources
Solution Briefs
White Papers
Application Briefs