By Ben Bulpett, SailPoint
Experts believe that Britain’s patient records could be worth £10bn a year in better health and economic outcomes. But how do you protect your patient data when the data won’t sit still? Many UK healthcare trusts still run on paper records, and those that are fully digitised may still face issues. Sensitive information regularly finds its way into spreadsheets, slides and other ‘unstructured’ files that live outside central databases. This is not unusual; in fact, it happens continuously as people, and even bots, run nightly reports or copy and paste data for various reasons. There is also the regular routine of scanning and digitising hard-copy documents. These activities create a sea of unstructured data. If it is left unmanaged, healthcare trusts would not only be unable to benefit fully from the wealth of patient data they possess, they could also run a huge risk of exposing sensitive information.
So, how can you avoid losing control of your patient data? Let’s start by looking at six ways in which data can be exposed, and where identity can become a safeguard for an organisation’s digital health.
- Ignore Open Access – Open data repositories such as folders are a natural spot for highly sensitive information to accumulate. They are easy to use, easy to share, and are a natural target for automated processes that have to share data. The longer these data files exist, the more uses people find for them. All of this leads to the first oversight—not looking in places where you are likely to find exposed sensitive data, such as spreadsheets with all imaginable passwords. With identity, organisations will know who has access to what and when, so that open access risks can be eliminated.
- Never check users’ access paths – An employee has changed roles. You take away their access privileges by removing the individual from the group with access. This doesn’t change or revoke their ability to reach information they shouldn’t be privy to. It can result in scenarios where someone in an admin role has total access to all patient treatment data, when all they need is a patient’s name, sex, date of birth, and address. This leads to the second common oversight: assuming there is only one way to gain access. A visual map of all possible user access points allows you to manage staff’s access paths with confidence.
- Manually review all activities – When there is a lot of data that is accessed on a regular basis, how do you keep an eye on what happens to it? Without using identity information and common sense to filter out regular traffic, examining every activity – including whether the data has been copied or modified – becomes impossible. This means high-risk activities will go unchecked or only be discovered long after they occurred. Simply trying to manage this process manually creates another blind spot in your cybersecurity program. With identity, you can let sophisticated technology take control of the mundane access tasks, allowing staff to focus their efforts on high-value jobs and cyber security mitigation strategies.
- Treat all folders equally – A folder containing weekly patient food menus and another that contains patient drug and dosage details do not represent the same level of risk if the information were to become public. Yet many organisations treat all folders equally. This means that governance time and money are not always focused and prioritised where they will have the most impact. Classifying the type of data located in file folders, identifying open access material and prioritising efforts around content with the highest levels of activity are key to avoiding the fourth mistake – treating every folder the same. By utilising an identity strategy, organisations can make informed decisions on the types of files and folders – including financial and patient data – that require higher security policies.
- Make IT review all of the access – Who better to review IT security than IT? After all, no one else has the time. That may not be how all healthcare organisations feel or think, but it is how some act. Typically, it’s the non-IT teams that possess the contextual knowledge of users, the data stored and the location of sensitive information. Yet, more often than not, the burden of protecting sensitive data falls on IT and security teams. Failing to distribute the review effort across IT and non-IT staff in your healthcare organisation is common and can lead to decision-making that does not fully account for contextual factors. By adopting identity, you will know and control who within the business has access and who would therefore be better placed to manage and review access. Protecting data is an organisational requirement.
- Use as many different tools as possible to enforce your governance rules – We could say that security is all about layers, which is true when using tools that do different jobs. However, when organisations govern different cloud vendors with different tools and then add even more tools for on-premise storage, NAS and SharePoint, the results are painful. Not only does this inconsistent approach lead to security gaps that attackers can exploit, it also makes it difficult to respond to changes and new operational directives. Over-diversification of tools can, somewhat counterintuitively, lead to vulnerabilities. But with an integrated identity strategy, you can manage all your users, contractors, applications, structured and unstructured data from one platform.
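
The second item above describes access that survives a group removal because more than one path leads to the data. As an added illustration (not code from the original article or from any SailPoint product), this Python example enumerates every membership chain from a user to a folder's access list and shows what remains after one group is removed. All user, group and folder names are constructed sample data.

```python
from typing import Dict, List, Set

# Constructed sample directory: each principal maps to the groups it is a direct member of.
MEMBER_OF: Dict[str, Set[str]] = {
    "j.smith": {"Ward-7-Nurses", "Audit-Project"},
    "Ward-7-Nurses": {"Clinical-Staff"},
    "Audit-Project": {"Records-Readers"},
}
# Constructed access list: each folder maps to the principals granted access on it.
ACL: Dict[str, Set[str]] = {
    "treatment-records": {"Clinical-Staff", "Records-Readers", "j.smith"},
}

def access_paths(user: str, folder: str,
                 member_of: Dict[str, Set[str]],
                 acl: Dict[str, Set[str]]) -> List[List[str]]:
    """Return every membership chain from user to a principal on the folder's ACL."""
    granted = acl.get(folder, set())
    paths: List[List[str]] = []

    def walk(principal: str, chain: List[str]) -> None:
        if principal in granted:
            paths.append(chain)
        # Keep climbing: a parent group may hold its own, separate grant.
        for group in sorted(member_of.get(principal, ())):
            if group not in chain:  # guard against circular group nesting
                walk(group, chain + [group])

    walk(user, [user])
    return paths

def without_membership(member_of: Dict[str, Set[str]],
                       principal: str, group: str) -> Dict[str, Set[str]]:
    """Return a copy of the directory with one direct membership removed."""
    updated = {p: set(groups) for p, groups in member_of.items()}
    updated.get(principal, set()).discard(group)
    return updated

if __name__ == "__main__":
    print("Before role change:")
    for path in access_paths("j.smith", "treatment-records", MEMBER_OF, ACL):
        print("  " + " -> ".join(path))
    # The role change removes the nurse group only.
    after = without_membership(MEMBER_OF, "j.smith", "Ward-7-Nurses")
    print("After removal from Ward-7-Nurses:")
    for path in access_paths("j.smith", "treatment-records", after, ACL):
        print("  " + " -> ".join(path))
```

An empty result after a role change is the condition to check for; any chain still listed is a path that the group removal did not close.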
According to Gartner, an estimated 80% of the world’s data is unstructured. And 1 in 4 users will save sensitive data to cloud apps or share it with someone else. Given these statistics, incorporating identity into your cybersecurity strategy will ensure that your patient data is protected, as well as being fully compliant with GDPR (UK DPA 2018). This will help healthcare trusts drastically reduce their risk of exposing sensitive information. By adopting identity to secure patient data, healthcare trusts will be able to future-proof their estates by knowing who has access to what, how they are using that access and whether they should have that access.