Beyond HIPAA: The Role of DSPM in Protecting Patient Data


By adopting a data-centric cybersecurity strategy using DSPM, organizations will be able to ensure they maintain the confidentiality and integrity of their records and help protect sensitive patient health information.

Healthcare organizations are a prime target for cyber attacks, as they house a significant amount of sensitive, personal data. This data is ripe for extortion and misuse. Over 590 healthcare organizations reported data breaches in 2022, impacting more than 48.6 million individuals. Unlike other data that can be changed, like credit card numbers or passport information, health information is often indelible and linked to the user for decades or even permanently. While there are compliance and regulatory practices in place, like HIPAA, that require protected health information (PHI) to be secured, healthcare organizations have a wider responsibility to address other areas of data security and governance weaknesses.

By incorporating data security posture management (DSPM) tools into their strategy, healthcare entities can better govern and secure this private data, including improved compliance with regulations. DSPM offers organizations a way to gain visibility into where their data is stored, who can access it, and what they are doing with it, as well as monitor for credential compromise and unusual access attempts and activity. By adopting a data-centric cybersecurity strategy using DSPM, organizations will be able to ensure they maintain the confidentiality and integrity of their records and help protect sensitive patient health information.

While HIPAA security rules can be used as guidelines for informing a security strategy, they should only be a starting point for healthcare organizations. For example, HIPAA requires organizations to implement policies for electronic protected health information (ePHI) that ensure only authorized individuals or software programs can access sensitive data. As we’ve seen through the rise in insider threats, this requirement is not adequate to protect that sensitive data. Least privilege, where users are given only the minimum level of permissions necessary to do their tasks, is more restrictive and provides stronger protection. Least privilege is widely considered a security best practice. DSPM solutions can help organizations implement least privilege and reduce the risk of data breaches by quickly identifying, monitoring and removing unused permissions. This provides an additional layer of protection for patients’ electronic health records so that organizations can better maintain their HIPAA compliance.

Furthermore, while HIPAA does include some guidelines around multi-factor authentication (MFA), it does not explicitly mandate its use. This also exposes healthcare organizations to the risks of unauthorized access and data breaches, as basic authentication methods such as passwords or PINs are easily compromised. Phishing-resistant MFA can help reduce the frequency of successful attacks, and DSPM solutions can prioritize the implementation of MFA and other access controls to help ensure that only authorized individuals can access sensitive data. Deploying MFA results in unauthorized access attempts being identified and caught faster, reducing future incidents in which patient data is potentially compromised.


Enhanced protection using DSPM

Maintaining the integrity and security of healthcare data has serious implications for patient care and treatment. Healthcare organizations can no longer simply rely on compliance with regulations like HIPAA to address all the potential data risks. Instead, healthcare organizations must be proactive in implementing data security measures and strategies rather than just focusing on meeting regulatory requirements. Going above and beyond HIPAA’s security requirements by implementing a DSPM strategy allows organizations to not only exceed minimum protection levels but also begin to address the data issues of the healthcare industry as a whole. If the industry has any hope of successfully combating data breaches and protecting patients’ PHI, it must make some critical adjustments to its security standards and strategies to ensure that data is stored appropriately. DSPM is a key step in the right direction to make this possible, as it can apply a zero trust, least privilege approach to an organization’s structure and prevent security incidents before they occur.

Claude Mandy

About Claude Mandy

Claude Mandy is Chief Evangelist for Data Security at Symmetry Systems, where he focuses on innovation and industry engagement and leads efforts to evolve how modern data security is viewed and used in the industry. Prior to Symmetry, he spent three years at Gartner as a senior director analyst covering a variety of topics across security, risk management, and privacy, focusing primarily on the building blocks of successful programs, including strategy, governance, staffing/talent management, organizational design and communication. He brings firsthand experience in building information security, risk management, and privacy advisory programs with global scope. Prior to joining Gartner, Mr. Mandy was the global Chief Information Security Officer at QBE Insurance, one of the world's top 20 general insurance and reinsurance companies with operations in all the key insurance markets, where he was responsible for building and transforming QBE's information security function globally.
