Healthcare systems today rely on a growing ecosystem of software platforms—EHRs, billing systems, insurance portals, benefits-administration tools, cloud storage services, and third-party applications. Each system has a different business function, but all have access to sensitive patient information and insurance data. When these environments do not transmit information securely or reliably, one of the most ignored cybersecurity vulnerabilities in healthcare occurs: data fragmentation. 

Data fragmentation became more apparent after the most recent Healthcare Interactive (HCIactive) Data Breach incident when an unauthorized third party accessed systems that contain personal identification information, insurance enrollment information, and medical records. While an investigation is still ongoing, the breach exposes a more prominent industry problem: data is stored in so many unrealiable and disconnected systems that organizations can not monitor it appropriately.

Why Fragmented Systems Increase Cyber Risk

Healthcare data travels through dozens of touchpoints. A patient's information could reside in electronic health records, imaging systems, insurance carriers, pharmacy systems, networks referring patients, claim processors and employer benefit portals. Each of these systems could be unmonitored and not fully integrated, increasing:

1. Increased Entry Points for Attackers

Each system has its own login processes, data architecture, APIs and security posture. Attackers only need to compromise the least secure system.

2. Minimal Visibility on Cross Platform Movement

Security teams often struggle to track where data moves in real time across systems. They may not be able to identify unauthorized accesses to data that happen in multiple applications.

3. Delayed Detection of Breaches

Data fragmentation creates fragmented logs. Many breaches aren't monitored when the monitoring is split among vendors and platforms and may go unnoticed for days or weeks.

4. Increased Risk of Misconfigurations

Healthcare IT teams often have a mix of legacy tools and integrated modern cloud applications. With high manual configuration, outdated integration, access polymorphism, misconfiguration and inconsistent access rules, the risk of vulnerability created is high.

5. Low Controls Around Vendors and Third Party Partners

So many healthcare organizations utilize third party platforms for benefits, enrollment, claims - creating layers of trust. This trust does not invariably extend to security controls for these vendors.

The Real-World Effects of Fragmentation

Fragmentation can aggravate even little breaches into wide-ranging exposures. If sensitive information is replicated across systems, as soon as an attacker has access to one environment, the attacker will have have gained access to the other systems indirectly through post-exploitation. As data becomes distributed, it is harder to know what was accessed and on what date or by whom. 

This is even more concerning in environments where

• PHI is processed by multiple vendors
• Insurance data is transported to employers from brokers or carriers or to brokers and/or carriers
• Clinical data is stored in separate systems from billing data.
• Older systems are still connected to modern cloud-based tools.

Healthcare organizations generally underestimate how many different places their data marches to create a quiet but risky attack surface.

Ways for Healthcare Organizations to Mitigate Fragmentation Risk

1. Centralized Monitoring and Logging
Through visibility into multiple systems, consolidated security dashboards can help identify unusual behaviors sooner.

2. Regularly Map Data Flows
Organizations should document where PHI actually moves, where it is stored, and the vendors who may interact with that PHI.

3. Secure Third Party Security Requirements
Vendors should have stringent security requirements, be regularly audited, and have transparent practices for notifying the organization of breaches.

4. Implement Strong Access Controls
An organization's roles, permissions, and even authentication should be consistent across systems, rather than left to the discretion of each system.

5. Decommission or Modernize Systems
Many legacy systems lack modern security capabilities, and they introduce additional risks associated with interaction between systems.

Why is this Issue Important?

Data fragmentation is often less visible than ransomware or phishing attacks, but it is just as detrimental. Healthcare ecosystems become increasingly interconnected every year, but the security measures taken to protect them often remain siloed. Until healthcare organizations recognize data flows, and not just systems, as part of the security architecture, breaches will continue to take advantage of the gaps between platforms.