By: Daniel Sergile
It has been a few months since the CapitalOne breach came to light – an eternity in news cycles, but no time at all in the realm of cybersecurity advancement. As the general public moves on from the breach, a few takeaways and key lessons become clearer with time.
The first takeaway: Publicized data breaches underscore the importance of health data security
The information we store and transmit in the healthcare industry is intensely personal, private data. Yet the practices by which we handle that data still lag behind. More than ever before, our health data is shared, connected, aggregated and studied.
As more companies, apps, scientists and universities discover ways to use our health data to improve lives, more of that information is transmitted to the cloud. The more our health information lives in the cloud, the more we must do to secure it.
Second: We must ensure the basics
Most breaches are avoidable by implementing the primary measures of data security: up-to-date patches, limited roles and logins, IP restrictions, encryption, and well-vetted partners and vendors. Keeping these controls up to date and up to code would avoid four out of every five data breaches.
There is a severe cost to failing, too. The CapitalOne breach, for example, affected the records of nearly 106 million people. The company could be on the hook for costs approaching the $1.4 billion that Equifax says its own breach cost the organization.
The concern healthcare organizations should have is what the cost of a breach might be for medical records, which hold the same sort of private, personal information as banking records. IBM’s 2019 Cost of a Data Breach Report suggests that the average breach in the U.S. costs $8.19 million, or $320.23 in costs per record breached. At a scale comparable to the CapitalOne breach, the financial liability of a breached healthcare organization could tally into the billions.
Few organizations in healthcare could sustain such losses from a cybersecurity failure, making it imperative that all health data be fundamentally secure at all times.
Third: We must address how serious it is to store data forever
Many companies have too much data on hand. In CapitalOne's case, regulations require financial institutions to retain seven years of customer banking data. However, the breach showed that CapitalOne held onto much more than that. Not only did the breach leak 14 years of customer data, but it also leaked applicant data, including the unencrypted social security numbers of individuals who had been rejected for credit.
Executives and data scientists alike will say keep all the data, forever—it’s worth its weight in gold. As customers leave, we can look back at their historical data in search of what might be done to bring them back. Businesses hold onto data in the hopes that it may someday help to clarify something previously undefined. Oftentimes that something never happens, and the data is held at a risk that outweighs its ultimate value.
Healthcare, though, is in an even trickier spot where unified medical records hold far more value than any one record alone—more value than a year’s worth of records, or even seven.
What if, through unified medical records, a research organization were able to identify symptoms of a disease that begins at birth and does not manifest until far later in life? What if that information led to breakthroughs in treatment and pharmaceutical development? How can health data organizations balance their need for a lifetime's worth of health data against the considerable risk of storing such a volume? The answer is to ensure, at all costs and at all times, the security of that data.
Healthcare is in the midst of a data revolution. Countless terabytes of data are generated, transmitted and accumulated in the form of medical records; the transformative potential of our health data can reshape population health, government and life sciences organizations, drug companies, hospitals and the lives of those in need. However, before we can become better clinicians, scientists and doctors through the strength of our intelligence, we must first ensure that we are taking lessons from other industries, so that we can be the best stewards of sensitive health data that we can possibly be.
Daniel Sergile is Deputy CISO for Ciox.