With healthcare service providers leveraging various digital tools, connected devices, and automated processes to bolster patient care, data privacy and security have emerged as a major concern. As a large amount of data is exchanged at various levels, especially in the form of EHRs and other clinical information, patients' personal data remains at stake and needs to be protected from the prying eyes of cyber attackers. Mukul Kumar Mishra of Elets News Network (ENN) explores various facets of data security, the associated challenges and possible ways out.
In the last few decades, the whole narrative of healthcare service delivery has witnessed a huge transformation due to a sea change in the requirements of people, who nowadays want not only quality and affordable care but also an active part in the patient care mechanism. Cutting-edge technology, mobile applications and various automated processes have not only lent a personal touch to care but also bridged the multifarious gaps between providers and seekers. While technology has proved a game changer in facilitating things, it also poses risks at times if not used in a prudent manner. Precautionary measures are a must to keep it from becoming fatal for patients. This holds true for the deluge of healthcare data, which is vulnerable enough to be compromised easily in the absence of proper security compliance.
DATA BREACHES, PRIVACY AND SECURITY AMONG BIG CHALLENGES
With the healthcare industry making a giant leap towards digitalization, tons of patient data are being generated by hospital chains, labs, and private clinics and practitioners.
“Digital Health or Electronic Health Records (EHR) maintains the data of patient’s name, age, contact information, vital signs, investigation reports, present & past history, allergies and present & past treatment details. It’s a challenging task for IT to prevent all the personal and critical information of every individual,” says Chandrasekar Reddy, CIO, Jupiter Hospital.
In the wake of various automated applications adopted by service providers to ease processes and bring more transparency to the delivery of care, data breaches, privacy and security are major issues baffling industry people.
“Data security in health informatics is a top concern not only for enterprise and small hospitals, but for everyday patients & providers as well. With widespread data breaches exposing everything from healthcare provider’s login credentials to personal health records, patients must be savvy about data security and take steps to protect their own information,” says Abdullah Saleem, CIO, Omni Hospitals.
Shuvankar Pramanik, CIO, Sir Ganga Ram Hospital, believes, “Healthcare organizations are particularly vulnerable and targeted by cyberattacks because they possess so much information of high monetary and intelligence value to cyber thieves and nation-state actors. The targeted data includes patients’ protected health information (PHI), financial information like credit card and bank account numbers, personally identifying information (PII) such as Social Security numbers, and intellectual property related to medical research and innovation.”
DATA—PLAYING PIVOTAL ROLE IN TRANSFORMING HEALTHCARE ECOSYSTEM
Recent years have seen a radical shift in how data is collected, stored, maintained, managed, analyzed, encrypted and visualized. This new ecosystem has the potential not only to improve disease prevention, but also to increase the accuracy of diagnosis, provide safe medications, and make treatments more effective. It encourages a personalized and patient-centric approach to medicine instead of ‘one-size-fits-all’.
TECHNOLOGY-DRIVEN APPLICATIONS MAKE DATA EASILY AVAILABLE AND ACCESSIBLE
Individuals today are no longer passive seekers; they have become actively involved in improving their health. Around 400,000 health apps are available today that monitor a variety of health data – heart rate, blood pressure, sleep patterns, calorie intake, physical activity, blood glucose, cholesterol levels, and several other parameters. According to an estimate, India has 2,975 start-ups for digital healthcare solutions, which use IT applications to provide seamless services.
“Data threats are never static. There are millions being created every year. Lack of appropriate measures is one of the most important reasons for a majority of security threats. These measures refer to protection provided by upgraded software applications, security patches, threat detection tools, and so on. Any system needs these tools to protect itself from any threat,” says Chaitanya Shravanth, Chief Digital Officer & Chief Marketing Officer, Cloudnine Group of Hospitals.
“With several vendors providing various solutions, you get a more precise defense against the security threats targeting Big Data applications. Healthcare organizations store, maintain and transmit huge amounts of data to support the delivery of efficient and proper care. Nevertheless, securing these data has been a daunting requirement for decades,” Shravanth adds.
In an attempt to improve the quality, service efficiency and costs of healthcare and to reduce medical errors, providers are today leveraging the latest digital technologies like EHRs, EMRs, personal health records (PHR), medical practice management software (MPM), and many other healthcare data components.
Though these digital technologies have enabled patients to avail themselves of the best personalised care and services, these tools also put them at risk. This is because a large amount of data is exchanged at various levels, and aggregators hardly have a robust mechanism in place to keep data safe and secure.
Experts are groping in the dark to insulate IT systems in order to prevent the disclosure of personally identifiable and critical information of every individual. Cybersecurity holds huge significance in this context. “Differently, hospitals should evaluate the applications like HIMS, EMR and apps to run their business as a mandatory feature of data security and safety while sharing patient information internally and externally,” Saleem adds.
RECENT LEAK OF DATA SPEAKS VOLUMES ABOUT GRAVITY OF ISSUE
German security firm Greenbone Networks recently revealed that nearly one million medical files and 107 million related medical images of Indian patients were freely accessible on the internet. These comprise details such as patient name, date of birth and ID, name of the medical institution, ailment, physician names and other sensitive details. Among the leaked data were medical records belonging to two of Mumbai’s renowned healthcare facilities, Breach Candy Hospital and Utkarsh Scans, a medical imaging provider, the firm found during the investigation. It is being said that the security protocol for securing servers storing images had not been followed.
Another incident from 2019 indicates that India needs to protect healthcare data on an urgent basis. Last year, a US-based cybersecurity firm said hackers stole 68 lakh records of patient and doctor information from a leading India-based healthcare website. Cyber criminals from China were suspected to be behind the data theft.
WHAT KIND OF DATA ISSUES CONCERN INDUSTRY PEOPLE?
On the basis of issues that have cropped up over the last few years, one can conclude that data privacy and security concerns comprise data theft, unauthorised access, improper disposal of data, data loss, and hacking incidents.
MOBILE HEALTH DEVICES
Mobile health devices facilitate a collaborative care system between doctors and patients. While doctors benefit from viewing patients’ information and receiving clinical information via mobile apps, more and more people are getting access to data, which puts security at risk.
Cyber thieves try to steal information related to billing and insurance records. Their objective is to find crucial information like security numbers, credit card info, etc., that can prove beneficial to them in monetary terms.
MEDICAL IDENTITY THEFT
Healthcare providers need to secure access to all their clinical applications, since there have been cases of medical identity theft. Hackers have used patients’ data to gain initial access to information and then work their way to more.
Cloud computing is used widely in the healthcare industry, and it has its own set of security issues. Data suggests that around 10 percent of cloud services used in healthcare fall into the high-risk category, while 70 percent fall into the medium-risk category.
Often people mistake a compliant organization for a secure one. However, more often than not, compliance turns out to be a riskier affair, giving rise to external threats to critical information.
GOVERNMENT CAME OUT WITH DRAFT PROPOSAL–‘DISHA’ IN 2018
At present, the healthcare sector lacks a single, comprehensive law and set of procedures that can regulate the collection and use of patients’ critical information. In April 2018, the government came out with a draft proposal, the Digital Information Security in Healthcare Act (DISHA), inviting comments from the public. In the draft, the government had proposed to set up a nodal body called the “National Digital Health Authority” through an Act of Parliament that will not only secure electronic health data but also regulate the storage and exchange of electronic health records.
WHAT COULD BE DONE TO PROTECT DATA?
Given the huge risk of data theft, the stakes are high for providers to take measures to insulate their systems from hackers. According to Dr Naresh Yallapragada, CIO, KIMS Hospitals, the key measures for protecting data are incentives for stakeholders who implement standards, awareness sessions for all stakeholders about the importance of data security, certification of all technology providers before they sell their solutions, and periodic internal and external audits to verify whether the standards have been implemented. “While some security measures can guarantee that no data security breaches will affect you, implementing multiple layers of personal data security protections substantially reduces the likelihood that your data will be compromised,” Saleem says.
“We should dedicate at least one person full time to lead the information security program, and prioritize that role so that he or she has sufficient authority, status and independence to be effective. Furthermore, updates on our organization’s strategic cyber risk profile to check whether adequate measures are dynamically being taken to mitigate the constantly evolving cyber risk,” Pramanik adds.
Reddy holds the view that EHR data can be secured through secure communication using HL7 protocols, encryption, and security protocols for accessing data.
“While all efforts are in progress by the Government through the National Digital Health Blueprint (NDHB) and the private players supporting it in laying out a framework in which Healthcare in the future can be delivered in India, it is imperative that all the necessary stakeholders arrive at a consensus in making these efforts mandatory so that Healthcare can be delivered in a more efficient, effective and secure way. Regulations such as HIPAA by the US, GDPR by Europe talk extensively on such issues and every player within this space needs to abide by these guidelines for their existence,” Yallapragada says.