From personal data and health records to bank account information, health insurance providers collect a vast amount of highly sensitive information about their customers. As a consequence, they have become an attractive target for cybercriminals, but they are also plagued by employees who fail to handle sensitive data with care.
According to the Cost of a Data Breach Report 2020 released by IBM and the Ponemon Institute, healthcare has incurred the highest average data breach costs for ten years in a row, reaching $7.13 million per breach in 2020. Human error contributes a great deal to this figure, being responsible for 27% of data breaches in the health sector, one of the highest percentages across all industries. It also takes health organizations 329 days on average to identify and contain a data breach, the longest of all industries.
With healthcare information heavily regulated under laws such as the Health Insurance Portability and Accountability Act (HIPAA), health insurance providers must step up and protect the sensitive data they collect and process or risk heavy fines and reputational damage. Data Loss Prevention (DLP) solutions have become a key part of their efforts to curb data leaks and data theft.
Why Health Insurance Providers Have Turned to Data Loss Prevention
The main reason health insurance providers choose to adopt DLP solutions is to protect against insider threats. While conventional cybersecurity measures such as firewalls and antivirus software can protect sensitive information against cyberattacks, employees need access to it to perform their duties.
Limiting access to sensitive data can help reduce insider data leaks and security incidents, but it does not eliminate them. It also has less effect in an industry like healthcare, where many employees need access to sensitive information to complete their tasks.
DLP tools protect sensitive data directly rather than the systems where the data is stored. Once sensitive information is defined based on custom or predefined profiles, companies can control and monitor it both in and outside of the work environment. This has been particularly relevant during the COVID-19 pandemic and as more and more companies shift to hybrid work in its wake.
Blocking sensitive data transfers
DLP solutions allow employees access to sensitive data but prevent them from transferring files containing it through insecure channels such as messaging apps, cloud or file-sharing services, and personal email. They also stop employees from using features such as copy-paste or print screen to save sensitive data.
Another common exit point for sensitive information is removable devices such as USB flash drives. While they are considered a useful tool in the workplace, they have long been a thorn in the side of cybersecurity teams. Easy to misplace or steal and oftentimes completely unsecured, USB drives in particular are one of the most frequent offenders when it comes to data leaks.
DLP technology can block transfers via removable devices such as USBs, external drives, or mobile phones by restricting the use of peripheral and USB ports and Bluetooth. Companies can choose whether to eliminate their use completely or make exceptions for company-issued devices deemed secure. Devices can also be assigned various levels of trust and access.
Identifying and monitoring sensitive data
DLP solutions help health insurance providers monitor and log the movements of sensitive data, giving them a new level of awareness of how data is used and how it travels within the company network. This can help them identify vulnerabilities in data movements and problematic practices among employees.
Through content inspection and contextual scanning, DLP tools not only discover where data is stored locally on employee hard drives but also allow admins to take remediation actions such as encryption or deletion when it is found in unauthorized locations, limiting the risk of data loss. By logging every attempted policy violation, DLP solutions like Endpoint Protector help companies discover which employees might require data security training or where new policies might be needed.
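The following is an added illustration, not Endpoint Protector's code or any vendor's implementation, of content inspection combined with contextual scanning over files at rest. The profile definitions, keyword window, authorized path prefix, remediation label, and sample files are all constructed assumptions.

```python
import re

def luhn_ok(digits):
    """Checksum used to tell real card numbers from random 16-digit strings."""
    nums = [int(d) for d in digits][::-1]
    total = sum(nums[0::2]) + sum(sum(divmod(2 * d, 10)) for d in nums[1::2])
    return total % 10 == 0

# Hypothetical "predefined profiles": pattern + validator + context keywords.
PROFILES = {
    "us_ssn": {
        "pattern": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
        "validate": lambda m: not m.startswith(("000", "666", "9")),
        "context": ("ssn", "social security"),
    },
    "payment_card": {
        "pattern": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
        "validate": lambda m: luhn_ok(re.sub(r"\D", "", m)),
        "context": ("card", "visa", "payment"),
    },
}
AUTHORIZED_PREFIXES = ("/srv/claims/",)  # assumption: where such data may live
WINDOW = 40  # characters before a match searched for context keywords

def inspect(text):
    """Content inspection: return profile names with a validated, in-context match."""
    hits = []
    for name, prof in PROFILES.items():
        for m in prof["pattern"].finditer(text):
            if not prof["validate"](m.group()):
                continue  # looks like the pattern but fails validation
            nearby = text[max(0, m.start() - WINDOW):m.start()].lower()
            if any(k in nearby for k in prof["context"]):
                hits.append(name)
    return hits

def scan(files):
    """Report sensitive files outside authorized locations, with a remediation."""
    report = []
    for path, text in files.items():
        hits = inspect(text)
        if hits and not path.startswith(AUTHORIZED_PREFIXES):
            report.append({"path": path, "profiles": sorted(set(hits)),
                           "action": "encrypt"})  # or "delete", per policy
    return report

# Constructed sample data (placeholder SSN and a well-known test card number).
SAMPLE_FILES = {
    "/srv/claims/2020/claim_001.txt": "Member SSN: 123-45-6789, card 4111 1111 1111 1111",
    "/home/alice/Desktop/export.csv": "name,ssn\nJ. Doe,SSN 123-45-6789\npayment card: 4111 1111 1111 1111",
    "/home/bob/notes.txt": "Ticket 123-45-6789 opened; order ref 4111 1111 1111 1112",
}
```

Only the desktop export is reported: the claims file sits in an authorized location, and the notes file contains look-alike numbers that fail the context or checksum test.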