Martin Sugden, CEO of Bolden James, explains why healthcare organisations need to ensure that all healthcare data receives adequate protection
Only a few short weeks ago the World Health Organisation declared COVID-19 a pandemic, causing huge impact on people’s lives, families and communities. The healthcare sector is right on the front line battling to overcome the virus and protect patients’ lives. At such times things are anything but “business as usual” and it can be difficult to focus beyond the immediate requirements of supporting patient-facing workers and research teams looking into developing tests, treatments and vaccines. However, data protection still matters: there is a critical necessity to focus on data protection in order to keep patient information, essential research and systems safe and operational.
Last year the DDMCS report “Cyber Security Breaches Survey 2019” highlighted that 67% of UK healthcare organisations had experienced some kind of cyber security incident and the introduction of the EU GDPR back in May 2018 means that these organisations are taking measures to secure their data or face being fined up to €20 million, or 4% of their global turnover.
As with anything, the monetary loss of a data breach is only the tip of the iceberg. What follows a fine for a breach of regulatory compliance is a hugely damaged reputation – as patients ask if their identities have been stolen – and the potentially crippling loss of revenue-making IP and trade secrets.
Unlocking the Value of Data
While the threat of data loss from outside the organisation is significant, many data breaches come not from cybercriminals or state-sponsored actors, but from the inadvertent actions of employees themselves. Data protection is not the primary focus of the majority of healthcare sector employees, and nor should it be when they are trying to focus on life-saving care or research, but this means they need support in order to keep data safe.
Data classification offers an increasingly elegant way to mitigate unintended data leakage and it can also aid compliance with regulations such as GDPR, HIPAA, CCPA and more.
Not only this, data classification extends the value and efficacy of your wider data security and governance ecosystem, adding new levels of intelligence to data loss prevention and data archiving solutions. All of which drives greater levels of return across data protection investments.
Ultimately though, data classification allows data security controls, rules and policies to be more easily and consistently enforced. It’s the process of applying clear, consistent electronic markings to any type of file or document (for example ‘commercial in confidence’, ‘internal only’ and ‘public’), then allowing it to be saved or sent only in accordance with that marking. This takes the burden away from employees, so they can focus on their core role, and gives greater control and assurance to the organisation.
It’s simple, unobtrusive and builds a culture of security awareness that doesn’t just protect your people, it enhances productivity and improves business performance.
There are 5 steps we look at when implementing effective data protection:
Step 1: Identify Your Crown Jewels
Using data classification as part of a strategy to secure data assets is sometimes referred to as “locking up the crown jewels”. But data security neither starts nor ends with the act of controlling access to information. Nor should a security policy be limited to protecting only the most valuable data; even less critical information can damage the business if it’s lost or leaked at the wrong time.
First, you need to build a strong foundation of knowledge around your data, to understand exactly what you hold and the potential risks to its security. This process begins with identifying the types of data that are of greatest importance to the business, so you can pinpoint where you need to focus protection and controls.
A helpful way of determining the value of a piece of information – and the risks to be managed – is to think about the impact if it was leaked or lost. Would it harm the organisation, for example, by damaging the brand, incurring a fine from the regulators (for breaching the EU GDPR, for example) or eroding competitive advantage? If it got into the public domain, would it expose patients, partners or suppliers? Would it put an employee’s security or privacy at risk? Would you be breaching a contract?
Once you’ve defined the data that is most at risk, you can start to find out where your sensitive data is located.
Step 2: Discover Before You Defend
By classifying data according to its value or sensitivity, organisations can reduce the risk of security breaches by ensuring that appropriate protections are implemented and consistently enforced. Having identified your ‘crown jewels’, and other data that needs safeguarding, it’s time to carry out a discovery exercise to find out exactly what you’ve got, where it is and who might have access to it.
Unknown data makes you vulnerable to attack. The best thought-out security policy is ineffective if you’re not certain what you hold and, therefore, what controls you need to put on it. Data governance, compliance with regulations such as the GDPR and HIPAA and – just as importantly – demonstrating said compliance are also impossible when you don’t know where key documents reside and who has access to them. A discovery exercise will give you visibility of your data and how it’s being accessed and used. This enables the protection strategy and solutions to be built around the types of data you have.
Data discovery tools and software provide an efficient and accurate way to find assets you can then classify. They examine file stores and databases, scanning for certain types of information, key words, criteria and classification metadata. This enables you to see what your data is, its location, and who has access. Once you’ve defined the data within your organisation, you’ll be able to home in on the most valuable and confidential information and make accurate decisions about how it should be handled, and who is allowed to access which files.
Step 3: Classify Your Data
A corporate data security policy that sets out how valuable information should be handled will be ineffective unless it’s consistently and accurately enforced. Organisations often have a written policy that’s available on their company intranet and handed to new starters. In practice, however, employees are rarely sure how to apply it to their daily activities.
The security policy needs to be made actionable – and the best way of doing this is with the classification of data. Data classification is the categorisation of data according to its level of sensitivity or value, using labels. These are attached as visual markings, and also embedded into the metadata of the file. When classification is applied in association with downstream security solutions, the metadata ensures that the data can only be accessed or used in accordance with the rules that correspond with its label.
Step 4: Secure Your Data
Data that is classified according to its sensitivity instantly has a layer of protection surrounding it. The next task is to put in place the higher-grade controls – in the form of enterprise security and information management solutions – that will safeguard it when it’s accessed or used later. By classifying first, you have added the ‘magic ingredient’ that makes these solutions more effective: the metadata sitting in the properties of each document, message or file.
The embedding of the label as metadata supports the consistent enforcement of data security policies by directing the actions of downstream solutions – triggering automatic rules that correspond to the label the data has been given. This means the technology makes more accurate ‘decisions’, reducing the false positives that slow business down and minimising the risk of data being exposed because it isn’t recognised as sensitive. It also supports governance, compliance and data management efficiencies.
Solutions that become more effective when combined with data classification include:
Data Loss Prevention (DLP) Solutions
These will shield the business against intentional and accidental data loss by, for example, blocking employees from uploading a file marked ‘Confidential’ to Dropbox, or stopping a file containing credit card numbers from being emailed to a third party.
These automatically encrypt any file marked ‘Confidential’.
Enabling employees to rapidly locate information and understand instantly how it can be used.
Security Incident and Event Monitoring (SIEM) Tools
These pick up on potentially risky user behaviour before a breach occurs – flagging up, for example, if someone keeps copying sensitive documents to a storage device. Concerns can then be addressed through training or strengthening of policy.
Search and Retrieval Tools
Making it easier to keep an audit trail and quickly find documents needed to prove compliance with industry standards, or to meet information requests from regulators.
Access Control Tools
These use classification labels to dictate who can access a file in a shared area.
Data Governance Tools
The label enables these to audit who is accessing sensitive information, and who might be violating policy, keeping a detailed audit trail of any risky behaviour or activities. This also supports the demonstration of compliance.
When you’ve marked what’s valuable, you can more clearly see what isn’t important or needed, and therefore what can be archived or deleted. Retention rules can also be set for different classifications – for instance, ‘keep this type of file for 10 years’ or ‘expire after 6 months’ – perhaps for files which should not be held for legal reasons.
Step 5: Measure and Evolve
If you have followed the first four steps (Identify, Discover, Classify and Secure), you’ll have successfully secured the organisation’s valuable and confidential information by using data classification and downstream toolsets to enforce the security policy. It’s not ‘job done’ yet, however.
Legislation, threats (external and internal) and the business itself will constantly evolve, while demands from regulators and the board for better governance will intensify. Ongoing measurement of the effectiveness of your security policy is the only way to check that the controls you’ve put in place remain fit for purpose.
The monitoring of classification activities is a powerful way of doing this. Monitoring and reporting tools track how data is being accessed, used and classified, and provide visibility to the business via structured audit data and analytics. This improves the chances that a breach will be quickly detected – helping the business to comply with notification periods required by regulators, as well as to minimise damage.
More importantly, real-time monitoring of how people use classification tools will allow any behaviour that deviates from ‘normal activity’ to be identified and addressed before a breach occurs. This could include flagging up a user who repeatedly labels documents incorrectly, and therefore might represent an insider threat. The clear audit trail of activity also enables compliance with legislation to be measured and demonstrated to government and industry regulators, many of which have strict auditing and reporting requirements.
Ongoing monitoring builds an organisation-wide picture of how effective the security policy is – a picture which can be shared with the board – along with an understanding of how to improve it.
Effective data classification and monitoring of an organisation’s data security posture comes into its own in times of crisis, when for many employees data protection is the last thing on their minds. It provides the assurance organisations such as those in the healthcare sector need to operate under pressure and do the critical job they need to accomplish, while keeping vital data secure.