How data minimization can help healthcare providers withstand a cyberattack

Cybercriminals around the world are increasingly targeting healthcare companies because of the valuable data they hold, the weaker protections applied to that data compared with other types, and a variety of other reasons. See how healthcare organizations can proactively protect themselves and mitigate the effects of cyber attacks.

Written by Belinda Walsh

July 18, 2024

This article was inspired by our webinar, Lessons from the Medicare breach: Why data minimization matters. Watch the on-demand replay to get the full story about what went wrong at Medibank and learn about other high-profile breaches across the globe affecting healthcare companies.

In recent years, the healthcare industry has become an increasingly attractive target for cybercriminals. High-profile data breaches, like the Medibank incident in Australia, have highlighted the vulnerability of sensitive medical information and the urgent need for robust data protection measures across the industry. Of course, the growing trend of attacks on healthcare-adjacent organizations is not limited to Australia – noteworthy attacks are happening around the world.  

An alarming uptick in healthcare data breaches

During the past several years, the healthcare sector has witnessed a sharp increase in data breaches, while the number of people affected has jumped exponentially. In the US alone, more than 45 million people were affected by healthcare data breaches in 2021. This number grew to 51 million in 2022, then skyrocketed to 133 million in 2023. Numbers like these underscore the rapid escalation of the problem – and the urgent need for action.

In France, a recent attack on two health insurers, Viamedis and Almerys, exposed more than 33 million people's PII – almost half the country's population. According to the insurers, leaked information included names, dates of birth, insurer details, social security numbers, marital status, and civil status. The CNIL is currently investigating the case, which could result in sizeable fines for the companies because of the multitude of potential GDPR violations involved.

Why healthcare is a prime target

Several factors make healthcare organizations attractive targets to cybercriminals:

  1. High-value data: Healthcare databases contain especially sensitive personal information, including medical histories, sensitive diagnoses, and financial details. This kind of data is highly valued on the black market by cybercriminals who want to use it to commit identity fraud, fraudulent billing, or medical identity theft.
  2. Ransom potential: The critical nature of healthcare data means organizations are more likely to pay ransoms to regain access to their systems and protect patient information.

     In February of 2024, UnitedHealth fell victim to a cyber attack that affected as many as 1 in 3 Americans. While attempting to stop the attack, the company disconnected some of the systems that allowed affiliated doctors to fill prescriptions. Ultimately, UnitedHealth attempted to stop the attackers from releasing the data by paying a $22 million ransom, an enticing figure that may only serve to embolden would-be attackers.
  3. Interconnected systems: The healthcare ecosystem is highly interconnected, with data shared between hospitals, pharmacies, insurance companies, and other providers. This web of connections can lead to widespread exposure if even one entity's defenses are compromised.
  4. Rapid digital transformation: The healthcare industry's hasty implementation of digital solutions, especially during the COVID-19 pandemic, has sometimes led to inadequate security considerations, creating more potential attack surfaces.
  5. Regulatory lag: While financial services have stringent data regulations, the healthcare industry often lags in meeting similar data protection obligations, leaving a significant gap in patient and consumer protection. While regulations including FISMA in the US and CPS 234 in Australia set specific standards for the treatment of financial data, healthcare data doesn't typically carry such specific protections.

The consequences of data breaches

The impact of healthcare data breaches extends far beyond financial losses and reputational damage. In the most severe cases, these breaches can have life-threatening consequences. A study from the University of Minnesota's School of Public Health estimated that between 42 and 62 patients in the US have died as a direct result of data breaches. This shocking statistic highlights the critical importance of responsible data management practices in healthcare.

Additionally, the effects of a data breach can be surprisingly long-lasting. Once personal health information is leaked, it can be challenging for people to reclaim their data, which can lead to ongoing issues including identity theft, fraudulent medical claims, and even difficulties in getting credit or employment.

The role of data minimization

As healthcare organizations grapple with these challenges, a key strategy for mitigating risk is data minimization. This approach involves reducing the amount of data collected and stored to only what is necessary for operational, legal, or regulatory purposes.  

By minimizing data, organizations can reduce their attack surface and limit the potential damage in case of a breach.

Challenges in implementing data minimization

While data minimization might sound like an obvious data management practice, putting it into action can be a different story. Many organizations have a culture of collecting and retaining data "just in case" it might be needed in the future, leading to over-retention and increasing risk. Changing this mindset requires a shift in organizational culture and practices.

In addition, a belief that more data means better customer experiences persists in some organizations, leading to further over-collection and over-retention. Successful companies can strike the right balance between customer convenience and safe data management practices. For example, organizations can take a privacy-first approach by keeping records of verification events without retaining sensitive information like driver's license numbers.
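The verification-event pattern above is easy to show in code. The following is an added illustration, not code from the original article or from RecordPoint: it contrasts the "just in case" record that keeps the driver's license number with a minimized record that keeps only a keyed, truncated fingerprint of it, so the organization can still detect the same document being reused without holding the number itself. The key value and the `SENSITIVE_FIELDS` list are constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed key for this example only; a real deployment would load it from a
# secrets manager and rotate it (assumption, not part of the article).
FINGERPRINT_KEY = b"example-only-fingerprint-key"

# Fields that should never be retained once the verification has been performed.
SENSITIVE_FIELDS = {"document_number", "date_of_birth", "social_security_number"}


def over_collecting_record(applicant_id, document_type, document_number, verified_at):
    """The 'just in case' pattern: the full identifier lands in storage and
    becomes breach payload if the table is ever exfiltrated."""
    return {
        "applicant_id": applicant_id,
        "document_type": document_type,
        "document_number": document_number,
        "verified_at": verified_at.isoformat(),
        "result": "verified",
    }


def document_fingerprint(document_number):
    """Keyed, truncated fingerprint of the document number.

    HMAC rather than a plain hash: license numbers come from a small space, so an
    unkeyed hash could be reversed by brute force from a stolen table. With the
    key held outside the database, the fingerprint still supports duplicate
    checks ("has this document been used before?") without storing the number."""
    normalized = "".join(ch for ch in document_number.upper() if ch.isalnum())
    digest = hmac.new(FINGERPRINT_KEY, normalized.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def minimized_record(applicant_id, document_type, document_number, verified_at):
    """Privacy-first record: proves a verification happened, keeps no identifier."""
    return {
        "applicant_id": applicant_id,
        "document_type": document_type,
        "document_fingerprint": document_fingerprint(document_number),
        "verified_at": verified_at.isoformat(),
        "result": "verified",
    }


def retained_sensitive_fields(record):
    """Audit helper: which sensitive fields does a stored record still carry?"""
    return sorted(SENSITIVE_FIELDS & set(record))


if __name__ == "__main__":
    when = datetime(2024, 7, 18, tzinfo=timezone.utc)
    bad = over_collecting_record("app-1001", "drivers_license", "DL 123-456-789", when)
    good = minimized_record("app-1001", "drivers_license", "DL 123-456-789", when)
    print("over-collecting record retains:", retained_sensitive_fields(bad))
    print("minimized record retains:", retained_sensitive_fields(good))
```

The `retained_sensitive_fields` check is the kind of thing to run against a sample of every table in the data inventory: any record that still returns a non-empty list is a candidate for minimization.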

Four key elements to protecting healthcare data:

  1. Data inventory: Organizations need to understand what data they have and how it's being used. This level of oversight is a crucial first step for effective protection.
  2. Proactive data lifecycle management: Implementing robust policies for data retention and disposal ensures that data is kept only as long as necessary and disposed of securely when no longer needed – this is data minimization.
  3. Access controls: Implementing strict access controls ensures that only authorized users can view or modify sensitive data. This step also limits the information that threat actors can access if they're using stolen credentials to access business systems.
  4. Multi-factor authentication: Adding an extra layer of security through multi-factor authentication can significantly reduce the risk of unauthorized access.
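Elements 1 and 2 above (inventory and lifecycle management) come together in a retention sweep: every record carries a category from the inventory, every category has a retention period, and anything past its period is queued for disposal. This added example is not code from the article or from RecordPoint; the retention schedule, record layout and sample records are constructed for illustration, and a real schedule would come from the organization's legal and regulatory obligations. It also covers two cases a practitioner needs: records under legal hold are never disposed of, and records whose category is missing from the inventory are flagged for review rather than silently kept.

```python
from datetime import datetime, timedelta, timezone

# Constructed retention schedule in days (assumption for the example, not a
# recommendation); real periods are set by law, regulation and contract.
RETENTION_DAYS = {
    "clinical_record": 7 * 365,
    "billing": 5 * 365,
    "marketing_consent": 365,
    "verification_event": 90,
}


def disposition(record, now):
    """Decide what happens to one record: 'keep', 'dispose' or 'review'.

    - legal_hold overrides everything (the record may be evidence).
    - an unknown category is an inventory gap, so it goes to 'review' rather than
      being kept forever by accident or deleted without a policy behind it."""
    if record.get("legal_hold"):
        return "keep"
    days = RETENTION_DAYS.get(record.get("category"))
    if days is None:
        return "review"
    created = datetime.fromisoformat(record["created_at"])
    return "dispose" if now - created > timedelta(days=days) else "keep"


def run_retention_sweep(records, now):
    """Group record ids by disposition so the dispose list can be handed to a
    secure-deletion job and the review list to the data owners."""
    buckets = {"keep": [], "dispose": [], "review": []}
    for record in records:
        buckets[disposition(record, now)].append(record["id"])
    return buckets


# Constructed sample records standing in for rows pulled from the data inventory.
SAMPLE_RECORDS = [
    {"id": "ver-1", "category": "verification_event",
     "created_at": "2024-01-01T00:00:00+00:00"},                      # 199 days old
    {"id": "bill-1", "category": "billing",
     "created_at": "2023-01-01T00:00:00+00:00"},                      # well inside 5 years
    {"id": "mkt-1", "category": "marketing_consent",
     "created_at": "2022-06-01T00:00:00+00:00", "legal_hold": True},  # expired but on hold
    {"id": "mkt-2", "category": "marketing_consent",
     "created_at": "2022-06-01T00:00:00+00:00"},                      # expired, no hold
    {"id": "misc-1", "category": "exported_spreadsheet",
     "created_at": "2021-03-15T00:00:00+00:00"},                      # not in the inventory
]


if __name__ == "__main__":
    now = datetime(2024, 7, 18, tzinfo=timezone.utc)
    for bucket, ids in run_retention_sweep(SAMPLE_RECORDS, now).items():
        print(f"{bucket}: {ids}")
```

Running the sweep on a schedule, and reporting the size of the `review` bucket, turns "keep only what is necessary" from a policy statement into a number the organization can watch go down.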

The way forward

As cyber attacks on healthcare organizations continue to rise, it's clear that a multi-pronged approach to data protection is essential. This includes:

  1. Strengthening cybersecurity measures: While it's an important consideration, cybersecurity alone is not enough – it must be complemented by robust data management practices.
  2. Implementing data minimization: Organizations should regularly evaluate their data collection and retention practices, and take proactive steps to only keep what is necessary.
  3. Regulatory compliance: As new privacy laws and regulations emerge, healthcare organizations must stay informed and compliant with evolving requirements and considerations.
  4. Cultural shift: For some organizations, a cultural shift is in order, with privacy and data protection becoming core values from the board level down.
  5. Continuous monitoring and improvement: Regular audits and assessments of data practices can help organizations stay ahead of emerging threats.

As healthcare organizations around the world continue to be prime targets for cybercriminals, the importance of responsible data management practices cannot be overstated.  

By adopting strategies like data minimization and fostering a culture of data responsibility, the healthcare industry can better protect sensitive information and, ultimately, patient lives.  

A unified solution

By managing data from all sources in one place, you gain better control and visibility over your data estate, empowering you to take action in line with the methods outlined above.  

Take a quick tour of the RecordPoint platform to see if it’s the right solution for your organization.  
