The bar for security in Healthcare IT is so high it takes Olympic-class efforts to clear it, and securing data is the most critical hurdle. So where is your most sensitive data? In files, of course. And those files are constantly on the move: between systems, between departments and between you and your business partners. There are, however, three keys to healthcare file security that can help reduce your risk.
In healthcare, those files often contain Protected Health Information (PHI). Leaving PHI exposed not only hands it to bad actors, but also opens your organization up to expensive and embarrassing HIPAA enforcement actions and fines. This data must be protected, and it should be encrypted both at rest and in transit.
The Staggering Cost of Healthcare Breaches
Healthcare breaches, at $9.23 million per incident, are the most expensive of any industry, according to an IBM/Ponemon analysis reported on in a Becker's Hospital Review blog. Meanwhile, “Nearly half (44 percent) of the breaches analyzed in the report exposed customer personal data, including healthcare information, names, emails and passwords,” IBM found.
Breaches also take months to find and stop: across all industries, it takes an average of 287 days to identify and contain one. “Data breaches that took longer than 200 days to identify and contain cost on average $4.87 million, compared to $3.61 million for breaches that took less than 200 days. Overall, it took an average of 287 days to identify and contain a data breach, seven days longer than in the previous report. To put this in perspective, if a breach occurring on January 1 took 287 days to identify and contain, the breach wouldn’t be contained until October 14th. The average time to identify and contain varied widely depending on the type of data breach, attack vector, factors such as the use of security AI and automation, and cloud modernization stage,” the IBM/Ponemon report found.
Aside from breaches, HIPAA is the fundamental issue healthcare IT and security professionals face today. There are the fines we just mentioned, but more than that, healthcare organizations want to protect patient privacy. It is the right thing to do and it is good for business.
Key issues for HIPAA compliance include:
- Authentication, which means verifying that users (and systems) are who they say they are before they touch PHI.
- Access control, meaning no access is allowed to data without proper authorization, and each user gets only the access they need.
- Transmission security, meaning that PHI is encrypted while it moves between parties. The Security Rule's access-control safeguard separately covers encryption of stored data, which is why in practice PHI should be encrypted both at rest and in transit.
- Integrity, meaning that PHI is not modified without permission, or at least not without detection.
- Audit control, which involves keeping a complete audit trail that provides total visibility into who did what to each file, and when.
These issues can be addressed by ensuring that data is encrypted during transmission, that any change to a file is detected (for example by verifying a cryptographic hash on receipt) and that the audit trail records everything that happened to a file throughout the transfer.
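As an added example, the following script (not MOVEit code and not from the original article) shows the integrity and audit-control points above in working form: the sender hashes the file and authenticates a small manifest with an HMAC key shared with the receiver, the receiver recomputes both before accepting the file, and every step writes a structured audit record. The shared key, party names and file bytes are constructed for the example; a real deployment would provision the key through its key management system and send the file over an encrypted channel.

```python
"""Integrity check plus audit trail for a PHI file handoff.

Added example, not MOVEit code. The sender hashes the file, wraps the hash in
a manifest and authenticates the manifest with an HMAC key shared with the
receiver (assumed to be provisioned out of band). The receiver recomputes
everything before accepting the file, and every step writes an audit record.
File contents, party names and the key are constructed for the example.
"""
import datetime
import hashlib
import hmac
import json
from typing import List, Tuple

# Assumed shared secret; a real deployment would pull this from a key store.
SHARED_KEY = b"example-only-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(manifest: dict) -> bytes:
    # Stable serialization so sender and receiver MAC exactly the same bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(filename: str, data: bytes, sender: str, recipient: str) -> dict:
    """Sender side: describe the file, then authenticate the description."""
    manifest = {
        "file": filename,
        "size": len(data),
        "sha256": sha256_hex(data),
        "sender": sender,
        "recipient": recipient,
    }
    manifest["mac"] = hmac.new(SHARED_KEY, _canonical(manifest), hashlib.sha256).hexdigest()
    return manifest


def verify_manifest(manifest: dict, data: bytes) -> Tuple[bool, str]:
    """Receiver side: check the manifest first, then the file against it."""
    claimed = dict(manifest)
    mac = claimed.pop("mac", None)
    if mac is None:
        return False, "manifest has no mac"
    expected = hmac.new(SHARED_KEY, _canonical(claimed), hashlib.sha256).hexdigest()
    # A forged manifest must never be trusted to describe the file, so the MAC
    # is checked before the hash it carries is used for anything.
    if not hmac.compare_digest(expected, mac):
        return False, "manifest mac mismatch: manifest altered or wrong key"
    if len(data) != claimed["size"]:
        return False, "size mismatch: file truncated or padded in transit"
    if not hmac.compare_digest(sha256_hex(data), claimed["sha256"]):
        return False, "sha256 mismatch: file modified in transit"
    return True, "ok"


def audit(log: List[dict], event: str, **fields) -> dict:
    """Append one timestamped, machine-readable audit record."""
    record = {"ts": datetime.datetime.now(datetime.timezone.utc).isoformat(), "event": event}
    record.update(fields)
    log.append(record)
    return record


def transfer(filename: str, data: bytes, sender: str, recipient: str,
             in_transit=None) -> Tuple[bool, List[dict]]:
    """Simulate send -> channel -> receive and return (accepted, audit log).

    `in_transit` stands in for the channel: pass a function that alters
    (data, manifest) to see a modification caught on the receiving side.
    """
    log: List[dict] = []
    manifest = build_manifest(filename, data, sender, recipient)
    audit(log, "sent", file=filename, sha256=manifest["sha256"],
          sender=sender, recipient=recipient)
    if in_transit is None:
        received, received_manifest = data, manifest
    else:
        received, received_manifest = in_transit(data, manifest)
    ok, reason = verify_manifest(received_manifest, received)
    audit(log, "received" if ok else "rejected", file=filename,
          recipient=recipient, reason=reason)
    return ok, log


if __name__ == "__main__":
    # Constructed EDI-like bytes, not a real claim.
    sample = b"ISA*00*          *00*          *ZZ*CLINIC   *ZZ*PAYER   ~"
    accepted, trail = transfer("claims_837.edi", sample, "clinic", "payer")
    for rec in trail:
        print(json.dumps(rec))
```

The order of checks matters: the MAC is verified before the manifest's hash is consulted, so an attacker who alters the file cannot simply rewrite the manifest to match. The hash alone gives detection of accidental or malicious change; the MAC is what ties that detection to the sender.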
No Trust Without Zero Trust (and Least Privilege Access)
Many, but not all, IT professionals are familiar with the concept of Zero Trust. There is some irony in the name: Zero Trust means the best way to protect your data and assets is to trust nothing by default, including traffic that is already inside your network, and to verify every request on its own merits. In practice you work through each element of your environment step by step and secure each one.
The Zero Trust model was introduced by then-Forrester analyst John Kindervag in 2010. “Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access,” explained CSO magazine.
Files are sometimes forgotten in this effort, but they should come first when it comes to Zero Trust. Your files need a high level of protection, and no one should be able to access them without explicit authorization and strong authentication.
Microsoft, a key Zero Trust proponent, defines it this way. “Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to ‘never trust, always verify.’ Every access request is fully authenticated, authorized, and encrypted before granting access. Microsegmentation and least privileged access principles are applied to minimize lateral movement. Rich intelligence and analytics are utilized to detect and respond to anomalies in real time,” Microsoft explained.
One key to Zero Trust is strong identity management and protection: every user and service is authenticated, consistently, across the entire environment.
This leads to least privilege access, which is part of Zero Trust. The concept of least privilege is to limit user rights to only what is absolutely needed. In the case of files, only those who need to touch, transfer or receive a file should be able to do so, and only for the files they actually need.
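To show what "never trust, always verify" and least privilege look like for file transfers in code, here is an added example (not MOVEit code and not from the original article): a default-deny policy check that evaluates each request on the principal, how it authenticated, the action and the normalized path, and records the decision. The principals, folders and rules are constructed for the example; a real deployment would load them from its identity and policy systems.

```python
"""Default-deny, least-privilege authorization for file transfer requests.

Added example, not MOVEit code. Every request is judged on its own: who the
principal is, whether the session completed MFA, what action is wanted and
on which path. Source IP is recorded for the audit trail but never used to
grant access. Principals, folders and rules are constructed for the example.
"""
import fnmatch
import posixpath
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    principal: str
    action: str      # "send", "receive" or "list"
    path: str        # path on the transfer server, exactly as the caller supplied it
    mfa: bool        # did this session complete multi-factor authentication?
    source_ip: str   # logged, never consulted for the decision


@dataclass(frozen=True)
class Rule:
    principal: str
    actions: FrozenSet[str]
    path_glob: str


# Grant matrix: each party gets only the action it needs on the folder it needs.
# Note that fnmatch's '*' also matches '/', so each glob scopes a subtree.
RULES: Tuple[Rule, ...] = (
    Rule("billing-svc",   frozenset({"send"}),    "/phi/claims/*.edi"),
    Rule("payer-acme",    frozenset({"receive"}), "/phi/claims/*.edi"),
    Rule("survey-vendor", frozenset({"receive"}), "/phi/discharge/*.csv"),
    Rule("it-ops",        frozenset({"list"}),    "/phi/*"),   # names only, never contents
)


def normalize(path: str) -> Optional[str]:
    """Collapse '.' and '..' so a rule cannot be escaped with path traversal."""
    if not path.startswith("/"):
        return None
    return posixpath.normpath(path)


def authorize(req: Request, rules: Tuple[Rule, ...] = RULES) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    if not req.mfa:
        return False, "authentication incomplete: MFA required for PHI"
    path = normalize(req.path)
    if path is None:
        return False, "path must be absolute"
    for rule in rules:
        if (rule.principal == req.principal
                and req.action in rule.actions
                and fnmatch.fnmatchcase(path, rule.path_glob)):
            return True, "granted by rule %s %s %s" % (rule.principal, req.action, rule.path_glob)
    return False, "no rule grants this principal this action on this path"


def decide(req: Request, log: List[dict]) -> bool:
    """Authorize and record the outcome; grants and denials are both logged."""
    allowed, reason = authorize(req)
    log.append({
        "principal": req.principal, "action": req.action, "path": req.path,
        "source_ip": req.source_ip, "allowed": allowed, "reason": reason,
    })
    return allowed


if __name__ == "__main__":
    trail: List[dict] = []
    decide(Request("billing-svc", "send", "/phi/claims/837_20210801.edi", True, "10.0.0.5"), trail)
    decide(Request("billing-svc", "receive", "/phi/claims/837_20210801.edi", True, "10.0.0.5"), trail)
    decide(Request("payer-acme", "receive", "/phi/claims/../discharge/d.csv", True, "203.0.113.7"), trail)
    for rec in trail:
        print(rec)
```

Two details carry the Zero Trust point. A request from an internal address with no MFA is denied exactly like an external one, because location is never an input to the decision. And the path is normalized before matching, so `/phi/claims/../discharge/d.csv` is judged as `/phi/discharge/d.csv` and the claims rule cannot be used to reach discharge records.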
File Transfer Questions You Should Answer
Is your legacy file transfer solution doing the job? Here are some questions from our 7 File Transfer Challenges of Healthcare IT Teams eBook to get to the root of the issue:
- Has there been a significant increase in the sheer volume of confidential patient files your systems are handling? How about the complexity of the files?
- Is the challenge compounded by the use of cumbersome scripts?
- Even though your tasks may be “automated” batch jobs, is the scripting for file transfer job creation and execution proving to be time consuming and error-prone? How about meeting Protected Health Information (PHI) logging requirements?
- Do you have difficulty determining when a file was transferred, where it went and if it even got there? Do you sometimes have to spend hours or days searching?
- At times, is the scheduling of file transfer jobs a monumental challenge (for example, manually rescheduling every job when a password changes)?
- Do your end-users sometimes circumvent IT and use unauthorized file transfer solutions that put confidential claims data, pharmacy records and patient information at risk?
- Given these everyday challenges, do you feel you’re already playing “catch up” when it comes to implementing the measures required by landmark legislation such as the Affordable Care Act?
Secure File Transfer Benefits Reach Far Beyond Safety
From healthcare billing to insurance-eligibility inquiries and HCAHPS surveys, the business of healthcare depends on the reliable, secure and compliant transfer of Protected Health Information (PHI). The MOVEit suite of Secure File Transfer products assures encryption of data at rest and in motion, delivery to the intended recipient and detailed audit logs. MOVEit provides the features and deployment flexibility required to meet HIPAA and GDPR compliance.
According to the MOVEit Cloud Healthcare Data Sheet, “The secure, efficient movement of files between healthcare organizations and their business partners accelerates the delivery of care, expedites the determination of payment eligibility, and streamlines other core business functions.”
MOVEit can safely, securely and even automatically transfer these types of files:
- Patient appointment reminders
- Medical reports
- Large files, e.g. medical images
- Billing and payment data
- Regulatory compliance reports
- Claims submissions
Three Ways Managed File Transfer Helps Healthcare
Safer Easier Service Provider Onboarding
Profitable growth of your healthcare network requires on-boarding new healthcare service providers cost-effectively. Scalable IT operations are an essential ingredient for success. MOVEit provides the ideal business service platform to support profitable expansion and the accelerated roll-out of competitive new services such as appointment reminders and patient retrieval of medical records.
Automate Billing/Payment Processing
Automate your medical billing process and ensure X12 837 health care claims and 835 electronic remittance advice (ERA) notifications are securely delivered within the time frames required by SLAs and in compliance with HIPAA.
Automate Patient Survey Processing
Automate the transfer of patient discharge records to survey agencies to ensure that all patient discharge information is securely delivered for appropriate processing and patient surveys are conducted on a regular basis.
Case Study in Point: VIVA Health
VIVA Health, which insures the health of over 100,000 people, struggled with the transfer of files using complex and problem-prone DOS scripts. The answer? Automating file transfers using MOVEit. As our VIVA Health Case Study points out, “Scheduling jobs was a bear,” says Ryan Kramer, VIVA Health’s Manager of Information Systems. “If a password changed, we had to manually reschedule every job. Tasks broke down pretty regularly, so they had to be monitored very closely. Focusing on something this mundane was distracting and time-consuming, and often kept us from working on tasks that were ultimately of higher value.”
Automating with MOVEit Automation is paying big dividends for VIVA Health. “We estimate that MOVEit is saving us the equivalent of two full-time equivalents (FTEs). We had one employee who was transferring to another department. With MOVEit, I was able to automate 75% of the work he had been doing, so we saved 75% of one man-year on his part alone. Plus, our PCs are no longer tied up on these tasks,” said Automation Engineer Ragan McBride.
The MOVEit Managed File Transfer Solution
Moving files securely in the Healthcare space is mission-critical as these files usually contain personal sensitive information, and organizations deal with strict policies governing patient privacy.
MOVEit Healthcare Benefits
- Increased Productivity: employees can easily share files of any size or type with internal & external users
- Ease of Compliance Reporting: for regulations & standards such as GDPR, PCI, HIPAA, HITECH, etc.
- Reduced Risk of Data Loss: increased visibility, control, security & auditability of your data transfers
Going to HIMSS? See MOVEit in Action and Enter to Win a Onewheel!
The Healthcare Information and Management Systems Society (HIMSS) 2021 conference is happening in Las Vegas in-person August 9-13.
Nothing in this document constitutes legal advice. The reader should consult with legal counsel regarding its legal and/or compliance obligations. Progress makes no representation or warranty regarding the completeness or accuracy of the information contained herein.