How to Prevent Data Breaches in Healthcare and Protect PHI

As the end of the year approaches and the holiday season brings a slight respite to many businesses, it's the perfect time to review and strengthen your data security practices. With fewer employees in the office and a natural dip in activity, the holidays present an opportunity to take proactive steps that can safeguard your organization in the new year. From revisiting access permissions to guarding sensitive data access during downtime, these tips will help you ensure that your data remains protected, even when things are quieter.

‍

Here's how you can bolster your business’s security efforts before the year ends:

‍

1. Review Access and Permissions Before the New Year
   ‍Take advantage of the holiday downtime to review data access permissions in your systems. Ensure employees only have access to the data they need, and revoke permissions for users who no longer require them (or worse, are no longer employees). It's a proactive way to start the new year securely.
2. Limit Access to Sensitive Data During Holiday Downtime
   With many staff members out of the office, review who has access to sensitive data. Temporarily restrict access to critical systems and data for those not on active duty to minimize the risk of accidental or malicious data exposure during the holidays.
3. Have a Data Usage Policy
   ‍With the holidays bringing a mix of time off and remote work, it’s a good idea to revisit your data usage policy. Creating and maintaining a data usage policy ensures clear guidelines for who can access what data, when, and how, especially during the busy holiday season when staff availability may be lower. By setting clear rules, you can help prevent unauthorized access or misuse, ensuring that your data remains secure throughout the holidays, and all the way to 2025.
4. Eliminate Unnecessary Data to Reduce Shadow Data Risks
   Data security risks increase as long as data remains accessible. With the holiday season bringing potential distractions, it's a great time to review and delete any unnecessary sensitive data, such as PII or PHI, to prevent shadow data from posing a security risk as the year wraps up with the new year approaching.
5. Apply Proper Hygiene to Protect Sensitive Data
   For sensitive data that must exist, be certain to apply proper hygiene such as masking/de-identification, encryption, logging, etc., to ensure the data isn’t improperly disclosed. With holiday sales, year-end reporting, and customer gift transactions in full swing, ensuring sensitive data is secure is more important than ever. Many stores have native tools that can assist (e.g., Snowflake DDM, Purview MIP, etc.).
6. Monitor Third-Party Data Access
   Unchecked third-party access can lead to data breaches, financial loss, and reputational damage. The holidays often mean new partnerships or vendors handling seasonal activities like marketing campaigns or order fulfillment. Keep track of how vendors collect, use, and share your data. Create an inventory of vendors and map their data access to ensure proper oversight, especially during this busy time.
7. Monitor Data Movement and Transformations
   Data is dynamic and constantly on the move. Monitor whenever data is copied, moved from one environment to another, crosses regulated perimeters (e.g., GDPR), or is ETL-processed, as these activities may introduce new sensitive data vulnerabilities. The holiday rush often involves increased data activity for promotions, logistics, and end-of-year tasks, making it crucial to ensure new data locations are secure and configurations are correct.
8. Continuously Monitor for New Data Threats
   Despite our best protective measures, bad things happen. A user’s credentials are compromised. A partner accesses sensitive information. An intruder gains access to our network. A disgruntled employee steals secrets. The holiday season’s unique pressures and distractions increase the likelihood of these incidents. Watch for anomalies by continually monitoring data activity and alerting whenever suspicious things occur—so you can react swiftly to prevent damage or leakage, even amid the holiday bustle. A user’s credentials are compromised. A partner accesses sensitive information. An intruder gains access to our network. A disgruntled employee steals secrets. Watch for these anomalies by continually monitoring data activity and alerting whenever suspicious things occur - so you can react swiftly to prevent damage or leakage.

Wrapping Up the Year with Stronger Data Security

By taking the time to review and update your data security practices before the year wraps up, you can start the new year with confidence, knowing that your systems are secure and your data is protected. Implementing these simple but effective measures will help mitigate risks and set a strong foundation for 2025. Don't let the holiday season be an excuse for lax security - use this time wisely to ensure your organization is prepared for any data security challenges the new year may bring.

As we reflect on 2024, a year marked by a surge in cyber attacks, we are reminded of the critical importance of prioritizing data security. Widespread breaches in various industries, such as the significant Ticketmaster data breach impacting 560 million users, have highlighted vulnerabilities and led to both financial losses and damage to reputations. In response, regulatory bodies have imposed strict penalties for non-compliance, emphasizing the importance of aligning security practices with industry-specific regulations.

‍

By September 2024, GDPR fines totaled approximately €2.41 billion, significantly surpassing the total penalties issued throughout 2023. This reflects stronger enforcement across sectors and a heightened focus on data protection compliance. Entering 2025, the dynamic threat landscape demands a proactive approach. Technology's rapid advancement and cybercriminals' adaptability require organizations to stay ahead. The importance of bolstering data security cannot be overstated, given potential legal consequences, reputational risks, and disruptions to business operations that a data breach can cause.

‍

The data security resolutions for 2025 outlined below serve as a guide to fortify defenses effectively. Compliance with regulations, reducing attack surfaces, governing data access, safeguarding AI models, and ensuring data catalog integrity are crucial steps. Adopting these resolutions enables organizations to navigate the complexities of data security, mitigating risks and proactively addressing the evolving threat landscape.

Adhere to Data Security and Compliance Regulations

The first data security resolution you should keep in mind is aligning your data security practices with industry-specific data regulations and standards. Data protection regulatory requirements are becoming more stringent (for example, note the recent SEC requirement of public US companies for notification within 4 days of a material breach). Penalties for non compliance are also increasing.

With explosive growth of cloud data it is incumbent upon regulated organizations to facilitate effective data security controls and to while keeping pace with the dynamic business climate. One way to achieve this is through adopting Data Security Posture Management (DSPM) which automates cloud-native discovery and classification, improving accuracy and reporting timeliness. Sentra supports more than a dozen leading frameworks, for policy enforcement and streamlined reporting.‍

Reduce Attack Surface by Protecting Shadow Data and Enforcing Data Lifecycle Policies

As cloud adoption accelerates, data proliferates. This data sprawl, also known as shadow data, brings with it new risks and exposures. When a developer moves a copy of the production database into a lower environment for testing purposes, do all the same security controls and usage policies travel with it? Likely not. 

Organizations must institute security controls that stay with the data - no matter where it goes. Additionally, automating redundant, trivial, obsolete (ROT) data policies can offload the arduous task of ‘policing’ data security, ensuring data remains protected at all times and allowing the business to innovate safely. This has an added bonus of avoiding unnecessary data storage expenditure.‍

Implement Least Privilege Access for Sensitive Data

Organizations can reduce their attack surface by limiting access to sensitive information. This applies equally to users, applications, and machines (identities). Data Access Governance (DAG) offers a way to implement policies that alert on and can enforce least privilege data access automatically. This has become increasingly important as companies build cloud-native applications, with complex supply chain / ecosystem partners, to improve customer experience. DAG often works in concert with IAM systems, providing added context regarding data sensitivity to better inform access decisions. DAG is also useful if a breach occurs - allowing responders to rapidly determine the full impact and reach (blast radius) of an exposure event to more quickly contain damages.‍

Protect Large Language Models (LLMs) Training by Detecting Security Risks

AI holds immense potential to transform our world, but its development and deployment must be accompanied by a steadfast commitment to data integrity and privacy. Protecting the integrity and privacy of data in Large Language Models (LLMs) is essential for building responsible and ethical AI applications. By implementing data protection best practices, organizations can mitigate the risks associated with data leakage, unauthorized access, and bias/data corruption. Sentra's Data Security Posture Management (DSPM) solution provides a comprehensive approach to data security and privacy, enabling organizations to develop and deploy LLMs with speed and confidence.‍

Ensure the Integrity of Your Data Catalogs

Enrich data catalog accuracy for improved governance with Sentra's classification labels and automatic discovery. Companies with data catalogs (from leading providers such as Alation, Collibra, Atlan) and data catalog initiatives struggle to keep pace with the rapid movement of their data to the cloud and the dynamic nature of cloud data and data stores. DSPM automates the discovery and classification process - and can do so at immense scale - so that organizations can accurately know at any time what data they have, where it is located, and what its security posture is. DSPM also provides usage context (owner, top users, access frequency, etc.) that enables validation of information in data catalogs, ensuring they remain current, accurate, and trustworthy as the authoritative source for their organization. This empowers organizations to maintain security and ensure the proper utilization of their most valuable asset—data!

How Sentra’s DSPM Can Help Achieve Your 2025 Data Security Resolutions

By embracing these resolutions, organizations can gain a holistic framework to fortify their data security posture. This approach emphasizes understanding, implementing, and adapting these resolutions as practical steps toward resilience in the face of an ever-evolving threat landscape. Staying committed to these data security resolutions can be challenging, as nearly 80% of individuals tend to abandon their New Year’s resolutions by February. However, having Sentra’s Data Security Posture Management (DSPM) by your side in 2025 ensures that adhering to these data security resolutions and refining your organization's data security strategy becomes guaranteed.

‍

To learn more, schedule a demo with one of our experts.

Why New Healthcare Cybersecurity Regulations Are Critical

In today’s healthcare landscape, cyberattacks on hospitals and health services have become increasingly common and devastating. For organizations that handle vast amounts of sensitive patient information, a single breach can mean exposing millions of records, causing not only financial repercussions but also risking patient privacy, trust, and care continuity.

Top Data Breaches in Hospitals in 2024: A Year of Costly Cyber Incidents

The year 2024 has seen a series of high-profile data breaches in the healthcare sector, exposing critical vulnerabilities and emphasizing the urgent need for stronger cybersecurity measures. Among the most significant incidents was the breach at Change Healthcare, Inc., which resulted in the exposure of 100 million records. As one of the largest healthcare data breaches in history, this event highlighted the challenges of securing patient data at scale and the immense risks posed by hacking incidents. Similarly, HealthEquity, Inc. suffered a breach impacting 4.3 million individuals, highlighting the vulnerabilities associated with healthcare business associates who manage data for multiple organizations. Finally, Concentra Health Services, Inc. experienced a breach that compromised nearly 4 million patient records, raising critical concerns about the adequacy of cybersecurity defenses in healthcare facilities. These incidents have significantly impacted patients and providers alike, highlighting the urgent need for robust cybersecurity measures and stricter regulations to protect sensitive data.

New York’s New Cybersecurity Reporting Requirements for Hospitals

In response to the growing threat of cyberattacks, many healthcare organizations and communities are implementing stronger cybersecurity protections. In October, New York State took a significant step by introducing new cybersecurity regulations for general hospitals aimed at safeguarding patient data and reinforcing security measures across healthcare systems. Under these regulations, hospitals in New York must report any “material cybersecurity incident” to the New York State Department of Health (NYSDOH) within 72 hours of discovery.

This 72-hour reporting window aligns with other global regulatory frameworks, such as the European Union’s GDPR and the SEC’s requirements for public companies. However, its application in healthcare represents a critical shift, ensuring incidents are addressed and reported promptly. The rapid reporting requirement aims to:

• Enable the NYSDOH to assess and respond to cyber incidents across the state’s healthcare network.
• Help mitigate potential fallout by ensuring hospitals promptly address vulnerabilities.
• Protect patients by fostering transparency around data breaches and associated risks.

For hospitals, meeting this requirement means refining incident response protocols to act swiftly upon detecting a breach. Compliance with these regulations not only safeguards patient data but also strengthens trust in healthcare services.

With these regulations, New York is setting a precedent that could reshape healthcare cybersecurity standards nationwide. By emphasizing proactive cybersecurity and quick incident response, the state is establishing a higher bar for protecting sensitive data in healthcare organizations, inspiring other states to potentially follow as well.

HIPAA Updates and the Role of HHS

While New York leads with immediate, state-level action, the Department of Health and Human Services (HHS) is also working to update the HIPAA Security Rule with new cybersecurity standards. These updates, expected to be proposed later this year, will follow a lengthy regulatory process, including a notice of proposed rulemaking, a public comment period, and the eventual issuance of a final rule. Once finalized, healthcare organizations will have time to comply.

In the interim, the HHS has outlined voluntary cybersecurity goals, announced in January 2024. While these recommendations are a step forward, they lack the urgency and enforceability of New York’s state-level regulations. The contrast between the swift action in New York and the slower federal process highlights the critical role state initiatives play in bridging gaps in patient data protection.

Together, these developments—New York’s rapid reporting requirements and the ongoing HIPAA updates—show a growing recognition of the need for stronger cybersecurity measures in healthcare. They emphasize the importance of immediate action at the state level while federal efforts progress toward long-term improvements in data security standards.

Penalties for Healthcare Cybersecurity Non-Compliance in NY

Non-compliance with any health law or regulation in New York State, including cybersecurity requirements, may result in penalties. However, the primary goal of these regulations is not to impose financial penalties but to ensure that healthcare facilities are equipped with the necessary resources and guidance to defend against cyberattacks. Under Section 12 of health law regulations in New York State, violations can result in civil penalties of up to $2,000 per offense, with increased fines for more severe or repeated infractions. If a violation is repeated within 12 months and poses a serious health threat, the fine can rise to $5,000. For violations directly causing serious physical harm to a patient, penalties may reach $10,000. A portion of fines exceeding $2,000 is allocated to the Patient Safety Center to support its initiatives. These penalties aim to ensure compliance, with enforcement actions carried out by the Commissioner or the Attorney General. Additionally, penalties may be negotiated or settled under certain circumstances, providing flexibility while maintaining accountability.

Importance of Prioritizing Breach Reporting

With the rapid digitization of healthcare services, regulations are expected to tighten significantly in the coming years. HIPAA, in particular, is anticipated to evolve with stronger privacy protections and expanded rules to address emerging challenges.

Healthcare providers must make cybersecurity a top priority to protect patients from cyber threats. This involves adopting proactive risk assessments, implementing strong data protection strategies, and optimizing breach detection, response, and reporting capabilities to meet regulatory requirements effectively.

Data Security Platforms (DSPs) are essential for safeguarding sensitive healthcare data. These platforms enable organizations to locate and classify patient information, such as lab results, prescriptions, personally identifiable information, or medical images - across multiple formats and environments, ensuring comprehensive protection and regulatory compliance.

Breach Reporting With Sentra

A proper classification solution is essential for understanding the nature and sensitivity of your data at all times. With Sentra, you gain a clear, real-time view of your data's classification, making it easier to determine if sensitive data was involved in a breach, identify the types of data affected, and track who had access to it. This ensures that your breach reports are accurate, comprehensive, and aligned with regulatory requirements.

Sentra can help you to adhere to many compliance frameworks, including PCI, GDPR, SOC2 and more, that may be applicable to your sensitive data as it travels around the organization. It automatically will alert you to violations, provide insight into the impact of any compromise, help you to prioritize associated risks, and integrate with common IR tools to streamline remediation. Sentra automates these processes so you can focus energies on eliminating risks.

‍