Why eliminating exposure is the best way to protect data
Protected health information and personally identifiable information are spread throughout the healthcare ecosystem, and providers must protect them from potential breaches.

You can't read a news feed these days without seeing an article about a healthcare data breach. That alone should prompt a serious discussion of whether a better way exists to handle healthcare data, one that ensures the integrity, security and privacy of health information.
The increasing prevalence of cyber breaches is creating costly consumer exposure, organizational stress, service disruptions and diminished trust across the healthcare ecosystem. As organizations strengthen their defenses against increasingly sophisticated vectors of attack, threat actors continue to respond to the new defenses, creating a relentless cycle of risk, exposure and response.
Having had a long career in healthcare technology, cybersecurity, digital and analytics, with C-suite roles at Anthem and Cigna, including serving as global chief information officer, I have a certain point of view on the best way to address these increasing risks.
Evolving data security
Data is the critical resource that fuels healthcare systems, and current practices to protect data aren’t sufficiently mitigating the risks.
Beginning in 2003 with HIPAA, followed by HITECH in 2009 and TEFCA in 2022, the regulatory environment continues to advance frameworks for the security and privacy of healthcare data. Along with these regulatory upgrades, important industry groups like HITRUST, DirectTrust and CAQH/CORE are advancing the state of security and privacy.
Recently, the U.S. Office for Civil Rights (OCR) proposed changes to strengthen cybersecurity protections for electronic protected health information. These updates are an important step forward, increasing the specificity of required controls to strengthen security standards. Many organizations already have incorporated these measures, but formal adoption by government agencies would make them mandatory industry wide.
These frameworks are essential for protecting healthcare data by providing a common baseline of access controls. However, they do not address the root cause of data risks, threats and breaches: the very existence of retained and stored PHI/PII, which represents valuable currency for cyber criminals. In fact, health data is considered significantly more valuable than financial data on the dark web.
The PHI/PII ‘Catch-22’
The healthcare ecosystem remains complex and fragmented, with many touchpoints collecting, transmitting, processing and analyzing data.
The transmission of data between clinicians, intermediaries, vendors, payers and business associates exposes protected information to cyber risk at every step, even when every party conforms to government and industry requirements. It’s a Catch-22: healthcare organizations need data for the effective provision of care and to run operations, but that same data contains PHI/PII, which is collected, transmitted and retained by an ever-growing ecosystem of intermediaries.
While PHI/PII is critical for creating actionable health insights, it also serves as a valuable target for cyber breaches.
Data breaches grow in number and sophistication
Since the well-documented Change Healthcare data breach in February 2024, the scale of the damage to patients is still not fully known. Recent reports estimate that it affected 190 million people, making it the largest healthcare data breach in U.S. history.
Before this, the largest breach occurred in 2015, affecting nearly 79 million records. While these are the largest breaches, they are not isolated incidents. Between 2009 and 2023, 5,887 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services, resulting in the exposure or impermissible disclosure of approximately 520 million healthcare records — more than 1.5 times the population of the United States.
During the last nine years, 815 million healthcare records have been exposed — a staggering total. Americans place a high value on the security and privacy of their healthcare information, as they should. With the advent of quantum computing and more sophisticated AI models, bad actors will have even more tools at their disposal to disrupt the healthcare system.
The remediation costs of healthcare data breaches have been the most expensive across industry categories for 14 years, 60 percent higher than the second most-affected industry, banking and finance.
Another source of concern is the availability and cost of securing cyber insurance. Cyber insurance premiums have increased dramatically, even for organizations without prior breaches. The trend is not sustainable.
Better data hygiene reduces exposure
The healthcare system benefits from a robust data infrastructure, but sensitive information can be compromised months or years after it’s collected. Every organization that transmits and retains data is a cyber target, even if they conform to all regulatory and compliance requirements.
Recent cyber events should serve as a wake-up call for healthcare organizations to rethink their approach to data risk management and to reassess ways to more effectively share data, specifically eliminating as much PHI/PII exposure as possible. One concern should be data retention and how it might boost vulnerability.
Healthcare providers, health plans and government agencies should know every organization that touches or retains data as it traverses the healthcare system. That data is likely to be in more places than they realize.
While cyber-tooling and controls have gotten significantly better, the healthcare industry needs a simpler approach to managing risk; this requires a fundamental shift in how vendors, payers and providers view data.
Upgraded risk management measures are needed to address the complexity of modern healthcare challenges with protected information. The key is to de-risk healthcare data sharing and residency to lower an organization’s exposure to a potential breach.
Most experts agree that there are only two types of healthcare companies: those that have been hacked, and those that will be. Recent breaches have underscored the risks of excessive data retention, and the industry must learn from them.
These are not unique or isolated incidents. The best way to protect PHI is to eliminate unnecessary transmission, storage and retention, because data that is not at risk cannot be breached.
Dr. Mark Boxer, DHSc, DHA, is a nationally recognized authority on healthcare systems and data management. He has extensive experience leading global healthcare management organizations and serves on the boards of many healthcare and technology companies; he recently joined the board of directors at P-n-T Data Corp.