The healthcare industry is struggling to protect against increasingly sophisticated cyberattacks. According to the HIPAA Journal, healthcare data breaches of 500+ records reached a new high in 2023 at 725 large security breaches.

One thing that’s common across all breaches is “Data” lockdown, exfiltration and/or encryption. Hence data protection is a top priority for all healthcare organizations that must protect patient data from malicious insiders, accidental data loss, and bad actors. In this blog, you will learn best practices and common challenges faced by Healthcare organizations.

Why is this important?

Privacy regulations describe sensitive information as any personal data or intellectual property - including trade secrets, patents, copyrights and trademarks, that could potentially cause harm, damage, embarrassment, or discrimination to an individual or organization if it is disclosed, accessed or used without authorization.

There are two ways to look at this Sensitive Information: Either one can protect them or let them loose. In an organization, it’s either Owner, Founder, CXO or Security Officer, who needs to make those decisions based on their ‘Risk Appetite’. Either way, the exposure of this sensitive information will COST your organization.

Challenges of securing your data landscape

Cloud and mobility initiatives have distributed sensitive data across cloud apps and devices, but traditional data protection approaches aren’t built to secure data across distributed channels.

48% percent of board directors rank cyber risk as a top enterprise risk. In fact, cyber risks are among the most costly risks facing organizations today, with the average cost of a data breach reaching $8.64 million last year.”

Source: Gartner - https://www.gartner.com/en/audit-risk/trends/emerging-risk-response-cybersecurity

Data protection challenges in healthcare

A day in the life of a Healthcare Security, Infrastructure & Data Protection team member includes a spectrum of activities:

Constant M&A practices
Managing complex network architecture
Lack of network segmentation
Pressure to serve up to skilled remote workforce
Operating within HIPAA compliance framework

Zscaler Data Protection provides a comprehensive, cloud-delivered platform built to safeguard all your sensitive data, everywhere. Delivery of data protection is attained through multiple dimensions, depending on what could be the source of data loss.

In this blog, we will focus on the 4 most common data sources that often times lead to a data exfiltration event or a data breach:

Secure Endpoint Data-At-Rest
Prevent Inline Data-In-Transit (Motion) loss to Web and BYOD
Secure SaaS Data-At-Rest with Out-of-band CASB
Secure Unmanaged User access to resources

Zscaler’s data protection journey starts with understanding the challenge

Scenario 1 → Secure Endpoint Data-at-rest

Every knowledge worker tends to use their organization's given device for personal work, be it to store and analyze personal financial or health related information. For example: A physician uploads 500+ PHI records onto their own personal cloud storage sync folders like Dropbox thick client on Windows PC.

Applications like Dropbox thick clients are “certificate pinned” to protect application code vulnerability.

Challenge:

1. TLS inspection measures will break the application access, leading to an unhappy user experience.

2. Web proxy or network DLP controls are blindsided, leading to data hoarding events.

Solution and Benefits:

Endpoint DLP policy provides the following benefits and allows you to:

Monitor, prevent, or block the leakage of sensitive data on endpoints (i.e., through printing, saving to removable storage, saving to network shares, or uploading to personal cloud storage accounts).
Use Zscaler custom and predefined DLP engines to detect and take action on sensitive data.
Monitor sensitive data and enforce endpoint DLP rules even when an endpoint doesn't have a network connection.

Top Use Cases:

Retire legacy endpoint DLP: Get rid of complicated point products and deliver data protection from one unified strategy
Stop exfiltration during employee resignation: Secure the employee attrition process by stopping sensitive data exfiltration to personal and removable storage
Boost data protection efficacy: Ensure your most sensitive data is properly tracked and consistently protected, no matter where or how it is accessed
Improve compliance: Ensure regulatory compliance is maintained for required data and file types across your entire organization

Scenario 2 → Prevent Inline Data-In-Transit (Motion) Loss to Web and Cloud Applications

Internet transactions with destinations like web URLs or cloud applications have been considered as a top threat vector based on cyber phishing practices and breach prediction results. Traditional approach with limited SSL inspection and proxy controls has little to no control on data exposure. Today, your users are constantly on the run, they might have left the network (campus), but that doesn’t have to mean your sensitive data will leave with them.

For example: A physician uploads 500+ PHI records onto their own personal cloud storage application or other destination over the web.

Challenge:

Minimal SSL/TLS inspection leads to blind spots.
Lack of proxy and inspection policy leads to data exfiltration.
Data being shared across different file formats, it becomes challenging to trace the activity.
Lack of investigation tools to minimize the exposure window.

Solution and Benefits:

By leveraging Zscaler’s Zero Trust Cloud,

Consistent data protection and full SSL inspection helps scan and monitor every byte inline, without capacity limits.
Inline DLP, inline CASB custom and pre-defined DLP engines will help detect and block PHI record files from leaving your assets at all times, following the user mindset.
Inline DLP enables you to protect sensitive data with advanced controls and granular policy, all while remaining in compliance with regulatory mandates.

Top Use Cases:

Better data protection: Get identical protection for all users and branches regardless of location
Complete visibility: Illuminate blind spots by inspecting all your SSL traffic, without capacity limits or costly appliances.
Elastic scale: Always enforce your policies inline with consistent performance
A fully integrated platform: Eliminate the need for architectural changes and maintenance of point products

Scenario 3 → Secure SaaS Data-At-Rest with Out-of-Band CASB

Healthcare professionals tend to collaborate PHI records (data-at-rest) within approved cloud storage like M365 or Dropbox, with internal and third-party medical professionals for research, opinion, or guidance.

Challenge:

As we know, traditional network and security architecture has been less effective when it comes to decrypting TLS traffic or gaining visibility into data-at-rest DLP violations.
With the influx of cloud applications, the use and abuse of free cloud storage has led to shadow IT challenges where the responsible custodians are informed after the event happens.
Sharing of sensitive data with third-party users can lead to sensitive data loss or noncompliance.

Solution and Benefits:

Restrict collaboration of PHI records based on “what data is shared with whom” (OOB CASB will help).

Granular data protection policies apply consistently across cloud apps to stop accidental or risky file shares and halt internal threats like intellectual property theft.
IT gets to regain control and visibility into data stored in approved cloud storage.
Historical scan allows investigation and incident management practices.
Complete threat protection with cloud sandboxing enables automatic remediation of zero-day malware.

Top Use Cases:

Identify sensitive data assets: DLP dictionaries identify sensitive data within SaaS and public clouds like AWS
Limit data sprawl: Collaboration control crawls apps for risky file shares and revokes them according to policy
Cloud sandboxing: Continuous scanning of data at rest to identify and respond to zero-day malware and ransomware
Platform approach: SSPM, CSPM, and CIEM help evaluate SaaS and IaaS configurations and permissions to remediate issues automatically

Scenario 4 → Secure Unmanaged User Access to Resources

Medical professionals expect to have access to data from anywhere, using any device without realizing the risk the threat or risk it brings to the business. This scenario is referred to as ‘Doctors Beyond Borders’. Since this group of professionals are revenue generators, IT (infrastructure team and application developers) willingly give them access to EMR or health records from Unmanaged or BYOD devices.

Challenge:

Typically these users are brought on the network by extending VPN which leads to increased attack surface.
Onboarding non-compliant devices has its own challenges which could lead to data leak or compromised devices.
Maintaining a list of unmanaged device databases, defining policies, and procedures and more importantly logging their activity adds up to more IT cost and complexity.
Uncontrolled sprawl of these device access can introduce boundless challenges associated with exposure of sensitive data.

Solution and Benefits:

Leveraging Zscaler’s browser access, isolation platform, and full proxy architecture, we can present a pixelated stream of the web application on the unmanaged device. Some of the key benefits include:

Enabling full productivity experience for unmanaged device access or BYOD users without security getting in the way.
Protecting healthcare assets from web-borne threats, no matter where healthcare professionals work from, while minimizing IT help desk tickets.
BYOD Users are never brought on the network via VPN.
Secure sensitive data with an agentless approach.

Top Use Cases:

Eliminate the risk of evasive web threats: Reap all the rewards of internet productivity with none of the risk.
Unburden IT teams and budgets: Spare IT from managing technology, policies, and procedures for unmanaged device or BYOD infrastructure. Unleash productivity for admins and users.
Drive your business, not breaches: Better protect sensitive data against accidental exposure or sharing with fine-grained data loss prevention controls like watermarking, prevent copy paste, local printing, and much more.
Boost productivity, even for BYOD: Give healthcare professionals, employees, contractors, and newly acquired teammates alike secure, agentless access to the applications they need, even on unmanaged/BYOD devices without the cost of VDI.

Most IT professionals within Healthcare would be able to relate with these four scenarios. It’s likely that you do recognize the need for this solution but have pending questions like the following which requires further dialogue:

What does an acceptable user policy for data protection look like within Healthcare?
How do we investigate or analyze data violations?
Who will take on the data custodian responsibility?
Would Zscaler have access to our data?

To summarize, it’s never late to engage and plan to deliver complete data protection with Zscaler

The Zscaler Zero Trust Exchange is a high-performance SSE cloud that delivers complete data protection by intelligently discovering and securing data across all data channels.

What customers say about Zscaler Data Protection

It’s always great to hear from our peers. Recently IDC, a research partner, interviewed Zscaler customers detail their considerations and the capabilities of Zscaler Data Protection that drove their purchase decisions:

Providing security for all types of employees and ensuring robust regulatory compliance: “We were looking for a solution to help protect our employees not just when they are in the office but when they are outside the office. We looked at Zscaler Data Protection to be able to protect both in the office and outside the office. Another key piece is that Zscaler Data Protection catches any credit card information or PII (personally identifiable information) information being sent out.”

Selection based on features and capabilities: “When we chose Zscaler Data Protection, it was based on the features and capabilities of the tool, for example, the SSL inspection—not just blocking the site but also basically inspects the traffic and offers geography blocking.”

Enhanced capabilities that reduce risk exposure: “Zscaler Data Protection brings capabilities that [our previous solution] didn’t have. Our off-network policy set can be the same as on-network with Zscaler and we couldn’t do that with [our previous solution]. If we had stayed with our [previous solution], we would have had greater risk exposure.”

A cloud-based solution meeting the needs of a growing and distributed business: “We have a very distributed workforce, and having a cloud-based solution with Zscaler Data Protection allows us to ensure we’re protecting employees regardless of where they are in the world. Our big driver with Zscaler Data Protection is consolidation of data assets.”

Source:IDC https://www.zscaler.com/resources/industry-reports/idc-zscaler-cloud-data-protection.pdf?_gl=1*1yoimtg*_ga*MTMxMTQ1MTIwNC4xNzE0NDExNzE4*_ga_10SPJ4YJL9*MTcxNTI4NTI1Mi4yMS4xLjE3MTUyODY1MjUuMTAuMC4w

Summary

This week Zscaler announced new AI innovations to power the industry’s more comprehensive data protection platform including new data security posture management (DSPM), inline email protection and GenAI security advancements to safeguard data-in-motion and data-at-rest across all exfiltration channels. The full press release can be read here.

Please reach out to your Zscaler Account team to learn more about our solution and platforms. To learn more, please follow this link.