Opinion

Data security is integral to the booming healthcare sector

The adoption of Health Information Exchanges (HIEs), EHRs and automation, are on the one hand paving way for better patient care, and on the other hand, exposing private data to thefts and breaches.

Nitin Gaur Jul 02nd 2018 A-A+

In the process of going digital, the healthcare industry has been switching from physical to electronic health records (EHRs). Advocates of health information technology encourage EHRs because they improve quality of care, reduce cost, enhance patient mobility, are more reliable, and enable evidence-based medicine.

The adoption of Health Information Exchanges (HIEs), EHRs and automation, are on the one hand streamlining the functioning of the healthcare industry for better patient care, while on the other hand, they are exposing people to data thefts and breaches. Many healthcare organizations are facing data thefts, posing as a huge threat to clients' sensitive medical and personal information. A patient's medical record consists of not only his/her medical history, but also identity and personal information. Safeguarding this information is crucial to the acceptance of technology.

In this digitized age, data is an important corporate asset to be protected from data breaches that could cause financial losses, and more heavily, affect the trust factor among consumers. With the increasing number of data breaches in the healthcare sector, the need for data security has become vital.

Privacy and security of health information
Patients have to share every minute detail about their health with the doctors for them to provide the best treatment possible. This information is highly personal and should be secure and confidential. While progressing with the assistance of technology is inevitable, a patient’s trust in his medical partners cannot be compromised.

Data breaches and the growing threats
With the growing threats from hackers across the world and the various instances of data breaches, relying on legacy systems and processes further increases the chances of threats and vulnerabilities. In such cases, the companies need to invest in advanced technology and infrastructure to safeguard patient data, detect the threat and respond at the earliest. Similarly, implementation of vulnerability management solutions along with a dedicated team managing the cyber security operation center is also essential.

Steps to tackle threats

Most of the organizations cannot afford an exclusive, in-house information security personnel or designate an information technology (IT) staff member with cybersecurity as a collateral duty.

These firms lack the infrastructure to identify and track threats, the capacity to analyze and translate the threat data they receive into actionable information, and the capability to act on that information.

The first step that an organization can implement is to secure its database by deploying a strong firewall and creating passwords that are tough to crack. It is always advisable to follow the standards and regulatory requirements such as ISO 27001 and those mandated by HIPAA and HITECH. Apart from this, healthcare providers should also adopt “SIEM”- Security Incidents and Events Management which records the login activity of any individual, and maintains a repository of such information for at least a couple of years for reference.

This process also records their pattern of logging in recording each individual’s timings too. The system can also help analyze the specific pattern of each individual’s login in terms of duration of usage or the content viewed. During instances of data theft, all these information will come handy, as the system will be able to identify suspicious patterns and narrow down the list of suspects. These stringent measures are essential for every healthcare provider to retain the trust of the consumers.

Data encryption
With the growing need for healthcare providers to share and access health information across disparate and dispersed information systems across organizational boundaries, the interoperability of information systems has assumed greater significance for improved quality of care, efficiency, and patient safety. Data privacy and security, and patient confidentiality are two important dimensions of interoperability.

Adopting data encryption in the healthcare industry is the second step towards protecting sensitive data. Encryption makes it difficult for a third party or any unauthorized parties to access Personal Health Information (PHI) and other such sensitive data. Encrypting data means converting the original form of information into encoded text that makes it difficult for any unauthorized third party to access such data. Cyber attackers would be unable to read such encoded text, ensuring safety of customer records within the healthcare organization.

Training employees in cybersecurity
Employees must undergo regular and comprehensive cybersecurity training as part of a strong information security strategy. Recent studies show that poor employee training can affect an organization's security measures.

There have been cases where unauthorized users, through illegal means, have accessed medical information. While these incidences do not take place too frequently in the healthcare industry, a few occurrences are enough to plant some cynicism in the minds of physicians and patients

According to the HIPPA Journal, ‘2017 was the worst year for healthcare security incidences. In terms of the number of breaches reported, there were 3,286,498 healthcare records exposed or stolen. There were two breaches involving more than half a million records. The largest security incident was a breach of 697,800 records. This breach was an insider incident where a healthcare employee downloaded PHI onto a CD and USB drive. There were two cases of healthcare data breaches in 2017 that dominated the breach reports – hacking/IT incidents and insider breaches, both of which were behind 37% of the year’s breaches. 178 incidents were attributed to hacking/IT incidents. There were 176 breaches caused by insider wrongdoing or insider errors.’

Educating the employees about the possible data security threats is an essential step in fortifying a company against compromising its data. Weak employee training might make employees ignorant of data security and they might purposely compromise data security. Relevant training should be provided to the employees to ensure they understand and maintain multiple security processes to protect data and should be able to respond appropriately to any possible data breach.

Investment in data security

In order to ensure an organization has a strong data security management, healthcare organizations should conduct risk assessment, invest and adopt new methods of protecting data. Steps should be taken to maintain their networks, connected devices and other potential endpoints secure.

According to a report published in 2015, employee negligence accounted for 37 percent of all security breach incidents. Malware, in contrast, accounted for just 20 percent of such cases.
This is a percentage that can’t be ignored. Employees ought to be trained, to be wary of phishing and malwares that can pop up in their emails and website browsers. They should be taught to distinguish the fake disguised emails from the real ones.
To avoid the exploitation of employees’ naiveté, they should be well-trained in IT security. Such training programs help promote general awareness regarding the security practices of the company and the basics of social engineering and hacking techniques that could be used.  

Though this is not a prerequisite for healthcare companies, it is advisable to preemptively enforce these stringent measures, foreseeing the rising threats from digital data theft. The industry overall has to ensure that the stored data is secure from threats of any kind.

Nitin Gaur is Director – Information Security & Compliance, Omega Healthcare Management Services Pvt. Ltd.

Disclaimer: This article is published as part of the IDG Contributor Network. The views expressed in this article are solely those of the contributing authors and not of IDG Media and its editor(s).