There is a tremendous amount of data within the healthcare and life sciences industries. According to RBC Capital Markets, the healthcare sector accounts for 30% of the world’s data and is forecasted to grow by a compound annual growth rate of 36% in the next two and half years.
The benefit is that healthcare professionals, organizations, and analysts can use this data to improve the quality, quantity, and accessibility of healthcare. But it also carries great risk. More organizations are using the cloud to store sensitive personal identifiable information (PII) and personal health information (PHI), adding pressure to ensure the data is secure and compliant. And the industry is increasingly targeted by bad actors stealing and exposing this sensitive data.
Keeping data safe yet accessible in the cloud is a delicate balancing act for today’s resource-stretched healthcare organizations, and it calls for a new approach to data access. A modern, automated need-to-know approach can streamline and secure data while allowing healthcare organizations the access they need to analyze it and provide the best care possible.
Pressure to Protect Data Amid Increasing Breaches
Healthcare organizations have huge cloud databases filled with detailed, personal information and they are struggling to secure access to these databases – making them a prime target for cybercriminals. Most organizations are using outdated access approaches that are manual and resource-intensive, yet they have barebones security and IT teams to manage it all. This creates an ideal environment for cyber criminals to hack into electronic medical records (EMR) and access sensitive data such as names, birth dates, and social security numbers.
Last year, nearly 50 million people in the U.S. had their sensitive health data breached, with hacking accounting for 75% of all data breaches within the industry. These breaches can cause widespread damage including lost and compromised medical records, regulatory fines and financial losses, identity theft, lawsuits, a loss of patient trust, and threats to slow down healthcare innovation.
As the breadth and wealth of data stored in the cloud grows and more employees are able to access it from anywhere, insider threats have also become a problem for the healthcare industry. A 2022 study conducted by Verizon found that employees were responsible for 39% of healthcare breaches last year, compared to 18% across all industries.
Healthcare organizations are under mounting pressure to ensure that the data is secure and compliant amid these rising threats. At the same time, this data needs to remain accessible to decision-makers so they can use it to optimize operations, drive innovation, and improve patient care. Protecting patient privacy while allowing access to data is challenging, but completely locking down access to data is not the answer.
Traditional Data Access Approaches Aren’t Adequate
Let’s face it – resources and budgets are stretched and most healthcare organizations don’t have the internal teams to properly monitor what data is accessed, by whom, and for what reason. But sensitive PII, PHI, and financial data cannot be left open to all employees regardless of their role or responsibility (known as a default-to-know or open-to-all data access approach). This is far too risky, as employees may expose sensitive data (either unknowingly or intentionally) and without proper access controls and tracking, compliance requirements will not be satisfied.
On the flip side, with a need-to-know approach, users are granted access based on what they need for their specific job role (e.g., human resources) and responsibility (e.g., North America or U.S. geography). This may seem like a no-brainer, however, it can be quite difficult to implement.
A need-to-know data access approach can be technically challenging to execute because it requires a lot of manual groundwork, buy-in from all data stakeholders, and dedicated internal resources. Once implemented, it also tends to be inefficient. Data access requests are sent manually to IT via support tickets or emails, which are routed to the data owners for approval. This process can take days from initial request to granting access, assuming a company even has the internal resources to keep track of it all. It drastically slows down innovation and growth and requires heavy manual reconciliation and report creation from data engineering and compliance teams.
As you can see, these data access strategies have their faults. And while a need-to-know approach is more secure and compliant, healthcare organizations need a better and more efficient way to implement it.
Implementing A Modern Data Access Approach
Implementing a modern need-to-know approach that isn’t bogged down by manual processes, custom scripts, and disparate tooling is possible.
Here are three tips that healthcare organizations can keep in mind to successfully move to a need-to-know approach and manage data access, minimize the risk of data breaches, ensure patient privacy, and comply with regulations:
Tip #1: You can accelerate and simplify need-to-know access with DataSecOps.
Healthcare organizations can move away from a risky open-to-all approach or a slow, manual need-to-know approach and implement an efficient and secure need-to-know access approach with DataSecOps.
DataSecOps, or Data Security Operations, provides a single, integrated platform to streamline and automate data access, security, and compliance. With this mindset, organizations treat security as an inherent part of data operations instead of an afterthought, integrating security at every phase of the data lifecycle and centralizing data governance.
DataSecOps accelerates and simplifies implementing need-to-know access by:
– Quickly identifying data that needs to be classified as “need to know,” setting access according to data types, and easily masking unneeded sensitive data.
– Reducing friction by monitoring the effect of restrictions prior to setting them and preventing data users from getting blocked from data they regularly use.
– More easily setting access and security policies across different data platforms without writing any code.
– Accelerating projects by streamlining fine-grained access controls like dynamic masking or row-level security.
Tip #2: You should be continuously discovering, classifying, and securing all your data.
The State of Data Security Operations Report 2022 found that only 28% of respondents have a process in place that continuously discovers sensitive data, and nearly half (44%) of the organizations that monitor sensitive data only do so quarterly or annually.
It’s critical to understand all data at all times, including the most sensitive data. Continuous data discovery and classification monitors every database query and result, classifies the data in motion, keeps a universal audit of data access, and builds a data inventory that is always up-to-date.
Modern tools can automatically discover and classify data into custom or predefined PII, PCI, and PHI categories and apply security policies as that data is being accessed. For example, with differential data masking, various teams will get different (redacted, hashed, or masked) versions of the data, across all data platforms, depending on their need-to-know role.
Tip #3: Your data governance plan should be comprehensive, yet agile.
Patient records, test results, billing information, drug prescriptions, and other sensitive medical and personal information are all examples of data in the healthcare profession. Medical professionals require healthcare data to make educated decisions about patient treatment. Data governance gives healthcare organizations a regulated and structured way to share medical data so that each patient receives the best possible treatment, and guarantees that the data is safe and secure, reliable, documented, and controlled.
But as healthcare organizations move to cloud-based data infrastructures, where data is constantly changed and accessed, they need to take a more agile approach to data governance. The key components of agile data governance include fine-grained access control, dynamic data masking, self-service access, data access auditing and monitoring, and continuous data discovery and classification. Adopting an agile data governance plan will support continuous data discovery and streamline and secure access to sensitive data.
Healthcare organizations face a number of challenges with cloud-based data governance such as tracking data that changes rapidly, continuously masking sensitive PHI and PII data, pinpointing data ownership, serving a large number of data users, and the complexity of keeping the data secure and compliant.
Implementing need-to-know data access controls using a unified DataSecOps approach can empower healthcare organizations to make more informed decisions, enhance compliance, reduce risk of breaches, and keep data highly accessible. And less time spent on ad-hoc or reactive access and security controls means healthcare leaders can focus on what’s most important – connecting with patients, building better business models, and improving care.
About Ben Herzberg
Ben Herzberg is the Chief Scientist at Satori Cyber, where he leads research in the world of DataSecOps. Satori is the developer of the first DataSecOps platform — a universal data access platform for cloud-based data stores and infrastructure, touting multiple out-of-the-box integrations with industry’s leading data stores, such as Snowflake, Amazon Redshift, Amazon Athena, Amazon Aurora and Azure SQL. Ben is an experienced leader in research and development, with experience as a CTO, VP R&D, developer, hacker and technical manager.