Aug 15 2016

Businesses, Hospitals Need Data Protection Tech to Prevent Costly Breaches

The case of Advocate Health Care Network’s exposure of 4 million patient records highlights the need for organizations to invest in data protection technology.

For businesses, hospitals and other organizations that store sensitive information about patients and customers, one of the most damaging events they can face is a data breach in which that data is exposed.

Such breaches can lead to fines for failing to comply with data protection regulations, damage to reputations and a loss of business. For some small businesses, depending on the scale of the breach, it may be catastrophic and force the business to close. That makes investing in data protection and data loss prevention technology and tools a wise decision for organizations that house troves of sensitive data.

No Organization Is Entirely Immune

Both large and small businesses need to ensure they are properly protecting customer information, including their Social Security numbers, credit card information and other personally identifiable information. Health-related information is particularly important to secure because the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to protect such data.

Earlier this month, Advocate Health Care Network, Illinois’ largest hospital chain, agreed to pay a $5.55 million fine levied by the federal government because it exposed about 4 million electronic patient records.

As the Chicago Tribune reports:

“In July 2013, four unencrypted laptops with personal health information were stolen from an administrative office in Park Ridge. Also that summer, an unauthorized third party accessed the network of an Advocate business associate, potentially compromising the information of more than 2,000 patients. Then in November, Advocate told the U.S. Department of Health and Human Services' Office for Civil Rights that an unencrypted laptop with personal information of more than 2,200 individuals was stolen from the vehicle of an Advocate Medical Group employee.”

According to a statement from the U.S. Department of Health and Human Services, the fine against the hospital chain is the largest ever brought under HIPAA regulations, and is a result of the "extent and duration of the alleged noncompliance."

Advocate said in a statement that “protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities,” reports CIO.

“As all industries deal with the ever-evolving digital landscape and the impact it has on security, we’ve enhanced our data encryption measures to prevent this type of incident from reoccurring,” Advocate said in the statement. “While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts.”

According to HHS, Advocate’s breach of electronic protected health information (ePHI) exposed patient data that included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth.

Meanwhile, in the U.K., software firm Sage, which offers accounting, payroll and payments software for businesses, said in a statement that an “internal” login had been used to gain unauthorized access to the data of some of its British customers, according to a report from The Guardian.

The personal information of the employees of about 280 British companies was potentially exposed in the breach, BBC News reported.

The Need for Data Protection

According to the “2016 Cost of Data Breach Study,” published in June by IBM and the Ponemon Institute, the average total cost of a U.S. data breach was $7 million in the past year; $221 was the average cost per lost or stolen record. Those figures were up 7 percent and 2 percent, respectively, from the year before.

The report notes that there are several steps businesses can take to decrease the cost of data breaches. Those include having incident response plans and teams in place, extensive use of encryption, employee training, business continuity management tools and technology and, of course, data loss prevention (DLP) tools.

Data can be vulnerable when it is in use during everyday activities; when it is at rest and stored on devices, hard drives and servers; and when it is in motion while traveling through and between networks.

Network DLP tools, both software and hardware solutions, can be installed at network egress points to analyze network traffic and detect whether sensitive information is being sent in violation of information security policies. There are numerous other forms of DLP technology, but organizations should consider endpoint security to protect not just PCs and notebooks, but also smartphones, tablets and other mobile devices used by employees. Additionally, encryption technologies protect data whether it is at rest or in transit.
