Those can include office staff, nurses, interns, doctors, specialists, lab technicians, pharmacists, billing staff, insurance processors and more. Beyond that, medical records come in multiple forms, from lab test results and X-rays to prescription labels.
"So, when you combine the number of people involved with handling multiple forms of PHI records, along with the immaturity of the data security systems and practices that are in place, there are so many opportunities for mistakes or intentional breaches to take place," Mattsson said.
Does that mean better training is the only path to better security?
Lieberman is dubious. "I'm not a big believer in security awareness training as an effective security countermeasure," he said. "But having clear, one-page policies and enforcing them with employees, starting with the CEO, is an important piece of privacy protection."
Berger said it comes down to the type of training. "We don't simply recommend cafeteria-style or even web-based training courses," he said. "Real situational training is far more effective. We recommend running mock phishing attacks, also known as social engineering testing. It is important to run them regularly over time, to establish benchmarks on which you can then measure improvements."
Delmar said she believes it requires both training and enforcement. "Improving human security really starts with policies and awareness training and ends with enforcement of appropriate risk-based controls," she said.
And experts agree that "control of the data" can help mitigate the risk that comes from human weakness.
"Understand who needs certain information, when, and under which circumstances," said Deena Coffman, CEO of IDT911 Consulting.
Mattsson offered a list of measures organizations can take, including:
- Fine-grained de-identification of both PII (Personally Identifiable Information) and PHI.
- Fine-grained tokenization of PHI, to alleviate the need for plain-text data and exposure in-memory across the entire data flow.
- Strong credentials, including password improvement and rotation, plus separation of duties to prevent privileged users, such as database administrators or system administrators, from accessing sensitive data.
- Secure the data to the point that it is useless to a potential thief. "Modern solutions such as tokenization provide better security than encryption, while retaining usability for analytics and monetization," he said.
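As an added example, not from the article, from Mattsson or from any vendor's product, the following Python sketches the two measures in the list above that can be shown in code: fine-grained, format-preserving tokenization backed by a separate token vault, so that analytics and billing stores hold only tokens, and a role check on detokenization so that a database administrator with full access to the analytics store still cannot recover plaintext. The sample records, field names, role names and the choice to generalize date of birth to its year are assumptions made for the illustration.

```python
"""Added example: fine-grained PHI tokenization with a separate token vault.
Illustrative code; the vault is an in-memory stand-in for a separately
administered system."""
import secrets
import string

# Constructed, fictitious sample records (assumed field layout).
SAMPLE_RECORDS = [
    {"patient_name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-00042",
     "dob": "1970-03-14", "diagnosis": "E11.9", "lab_result": "HbA1c 7.2%"},
    {"patient_name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-00042",
     "dob": "1970-03-14", "diagnosis": "I10", "lab_result": "BP 142/91"},
    {"patient_name": "John Roe", "ssn": "987-65-4321", "mrn": "MRN-00077",
     "dob": "1985-11-02", "diagnosis": "E11.9", "lab_result": "HbA1c 6.8%"},
]

DIRECT_IDENTIFIERS = ("patient_name", "ssn", "mrn")


class AccessDenied(Exception):
    pass


class TokenVault:
    """The only component that ever holds plaintext identifiers.

    Roles allowed to reverse a token are listed explicitly; a DBA or sysadmin
    of the analytics store is deliberately not among them (assumed role names).
    """

    DETOKENIZE_ROLES = {"care_team"}

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[tuple[str, str], str] = {}

    def tokenize(self, field_name: str, value: str, preserve_format: bool = False) -> str:
        # Deterministic per (field, value): the same patient yields the same
        # token, so downstream analytics can still group, count and join.
        key = (field_name, value)
        if key in self._value_to_token:
            return self._value_to_token[key]
        while True:
            token = self._shaped_token(value) if preserve_format else "tok_" + secrets.token_hex(8)
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[key] = token
        return token

    @staticmethod
    def _shaped_token(value: str) -> str:
        # Format-preserving: digits stay digits, letters stay letters and
        # punctuation is kept, so schema validators downstream still accept it.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                out.append(secrets.choice(string.ascii_uppercase))
            else:
                out.append(ch)
        return "".join(out)

    def detokenize(self, token: str, role: str) -> str:
        if role not in self.DETOKENIZE_ROLES:
            raise AccessDenied(f"role {role!r} may not detokenize")
        return self._token_to_value[token]


def deidentify_record(record: dict, vault: TokenVault) -> dict:
    """Field-by-field policy: direct identifiers are tokenized, the date of
    birth is generalized to its year, clinical values are kept for analytics."""
    return {
        "patient_name": vault.tokenize("patient_name", record["patient_name"]),
        "ssn": vault.tokenize("ssn", record["ssn"], preserve_format=True),
        "mrn": vault.tokenize("mrn", record["mrn"], preserve_format=True),
        "dob": record["dob"][:4],
        "diagnosis": record["diagnosis"],
        "lab_result": record["lab_result"],
    }


def leaks_identifier(deidentified: dict, original: dict) -> bool:
    """Check that no plaintext direct identifier survives in the output."""
    blob = " ".join(str(v) for v in deidentified.values())
    return any(original[f] in blob for f in DIRECT_IDENTIFIERS)


def can_detokenize(vault: TokenVault, token: str, role: str) -> bool:
    try:
        vault.detokenize(token, role)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    vault = TokenVault()
    for rec in SAMPLE_RECORDS:
        print(deidentify_record(rec, vault))
```

Two caveats a practitioner would add: the vault here is a dictionary, whereas the point of the design is that it sits on a different trust boundary from the analytics store, with its own administrators, encryption at rest and an audit trail on every detokenize call; and deterministic tokens preserve equality on purpose, which is what makes joins possible but also what makes linkage across datasets possible, so a deployment has to decide per field whether that trade-off is acceptable.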
However it is done, better security is crucial because the stakes are high. Besides potential fines for violations of the Health Insurance Portability and Accountability Act (HIPAA), Berger notes that the costs of a breach can include "remediation, legal fees, reputational harm, and potential class-action liability."
There is general support among experts for strict regulatory oversight. Lieberman said he thinks it ought to be "enforced with random pop site visits with zero tolerance for infringement."
And Delmar said stiff penalties for noncompliance "can help get the attention of executives to see the value of making investments in security and risk management programs and monitoring systems."