Data security is a major challenge for providers who have been leveraging digital technology, mobile applications and automated processes to enhance care. Aware of the threat, the industry is taking many measures, including application security and network security, writes K K Singh, CIO, Nayati Healthcare & Research Ltd, for Elets News Network (ENN).
Healthcare data breaches happen through theft, data loss, hacking and unauthorised account access. The data at stake includes the personal health information in an individual's electronic health record as well as the medical billing information held by their health insurer.
Hospitals now appear in the news as data-breach victims almost every other day. With the extensive use of mobile apps, automated processes and patient portals, data security and data privacy have become critical.
Proper application security and network security are key to shielding data and preventing a compromise from happening in the first place. Encryption is the best way to protect patients' data from being read by anyone who finds a way into the systems, provided the keys are held separately from the data they protect.
Encryption must be implemented both at rest and in transit. In addition, the third parties and vendors who have access to your healthcare network or databases must handle patient data properly. Training on the proper usage and handling of Protected Health Information (PHI) is recommended to reduce breaches caused by employee error, such as a lost device or an accidental disclosure.
The healthcare delivery system has witnessed tremendous change in the past few years. As the industry evolves with new technology and legislation, the security threat to our most personal data is changing too.
HERE ARE FIVE OF THE BIGGEST HEALTHCARE DATA SECURITY CHALLENGES IN THE DIGITAL AGE:
1. Electronic Health Records: Weak enforcement of the law and a reluctant approach from technology providers as well as care providers are serious obstacles to implementing appropriate solutions that prevent data theft.
2. User error in technology adoption: Another data security hazard of electronic health records is simple user error. If you store your data in unencrypted folders or send your medical records to someone via email, you pave a simple pathway for a hacker to reach your most personal data.
3. Rise of hacktivism: Nothing is sacred in the realm of data theft. The increase in attacks on healthcare shows just how vulnerable healthcare data can be to a group of determined hackers.
4. Adoption of cloud and mobile technology without proper security measures: Adoption of cloud in healthcare is the future, and providers are set to leverage it to bolster the care delivery system. At the same time, hackers are working overtime to break through the security layers. Lack of the knowledge needed to implement the right security solution is one of the major challenges.
5. Outmoded technology in hospitals: Running a hospital is a costly affair, and when you are prioritising the latest medical equipment or increasing staff to meet growing needs, the IT budget can fall by the wayside. End-of-life software and infrastructure that no longer receive security patches are a healthcare data security risk.
THE FOLLOWING TECHNICAL MEASURES CAN PREVENT DATA THEFT:
1. Infrastructure Security:
- Transport Layer Security (TLS, the successor to SSL) for data in transit, with certificates maintained, renewed and validated on a regular basis and the obsolete SSL and TLS 1.0/1.1 versions disabled
- Filesystem or database encryption for data at rest
- Identity & Access Management using an LDAP directory (or similar) for login, with JWT tokens for session and API access
- Web Application Firewall (WAF) and DDoS protection (AWS Shield or equivalent) against malicious traffic
- Access to object storage controlled using bucket policies
- Patch management process, including regular security scanning of container images in the ECR repository and remediation of the findings
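As an added example, not taken from the article, the following S3 bucket policy enforces two of the items above at the storage layer: it denies any request that is not made over TLS, and it denies any object upload that is not server-side encrypted with a KMS key. The bucket name `example-phi-bucket` is a placeholder; everything else is standard policy syntax.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-phi-bucket",
        "arn:aws:s3:::example-phi-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-phi-bucket/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    }
  ]
}
```

Apply it with `aws s3api put-bucket-policy --bucket example-phi-bucket --policy file://policy.json`. Because both statements are explicit denies, they override any allow granted elsewhere, which is the point: a misconfigured client cannot write PHI in the clear or fetch it over plain HTTP. For the container-image item, `aws ecr put-image-scanning-configuration --repository-name <repo> --image-scanning-configuration scanOnPush=true` scans every pushed image; the scan only produces findings, so the patch management process still has to act on them.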
2. Application Security on the Platform
- Backend applications and databases should reside on a private network that is not directly reachable from the Internet
- User permission boundaries should be maintained using IAM roles
- User authentication (LDAP), JWT tokens and role-based authorisation
- A user access governance process (provisioning, periodic review and revocation of access) should be defined and documented for each web application
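The authentication and authorisation items above (LDAP login, JWT tokens, role-based authorisation) come together at the point where a backend service checks a request. The following Go program is an added example, not code from the article or from Nayati Healthcare: it issues an HS256 JWT after login, verifies it properly before trusting any claim (fixed algorithm so `alg: none` is rejected, constant-time signature comparison, expiry check), and then applies a role table to the action. The signing key, the roles `clinician`, `billing` and `patient`, and the actions `record:read` and `record:write` are all assumed for the demonstration; in production the key comes from the KMS and the role from the directory lookup after LDAP login, never from the client.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed demo key. In production the signing key is fetched from the KMS
// or a secrets store; it is never hard-coded.
var signingKey = []byte("demo-hs256-signing-key-not-for-prod")

// Claims carried in the token. The role is assigned by the identity provider
// (looked up in LDAP after login), never supplied by the client.
type Claims struct {
	Sub  string `json:"sub"`  // user identifier
	Role string `json:"role"` // clinician, billing or patient
	Exp  int64  `json:"exp"`  // expiry, Unix seconds
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func hs256(key []byte, signingInput string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(signingInput))
	return m.Sum(nil)
}

// IssueToken produces a compact HS256 JWT: b64url(header).b64url(payload).b64url(sig).
func IssueToken(key []byte, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64url(header) + "." + b64url(payload)
	return signingInput + "." + b64url(hs256(key, signingInput)), nil
}

// VerifyToken checks the token before trusting any claim in it: the alg must be
// exactly HS256 (so "none" or a swapped algorithm is rejected), the signature
// must match in constant time, and the token must not have expired.
func VerifyToken(key []byte, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil || header.Alg != "HS256" {
		return c, errors.New("unsupported or missing alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	if !hmac.Equal(sig, hs256(key, parts[0]+"."+parts[1])) {
		return c, errors.New("invalid signature")
	}
	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payloadJSON, &c); err != nil {
		return c, err
	}
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return c, errors.New("token expired")
	}
	return c, nil
}

// Role-based authorisation table: the actions each staff role may perform on patient records.
var permissions = map[string]map[string]bool{
	"clinician": {"record:read": true, "record:write": true},
	"billing":   {"record:read": true},
}

// Authorize applies the role table; patients may only read their own record.
func Authorize(c Claims, action, recordOwner string) bool {
	if c.Role == "patient" {
		return action == "record:read" && c.Sub == recordOwner
	}
	return permissions[c.Role][action]
}

func main() {
	now := time.Now()
	tok, _ := IssueToken(signingKey, Claims{Sub: "u-42", Role: "billing", Exp: now.Add(time.Hour).Unix()})
	c, err := VerifyToken(signingKey, tok, now)
	fmt.Println("verified:", err == nil, "role:", c.Role)
	fmt.Println("billing may read:", Authorize(c, "record:read", "p-1"), "may write:", Authorize(c, "record:write", "p-1"))
}
```

The order inside `VerifyToken` matters: the payload is only decoded after the signature has been checked, so no claim (including `role`) influences the decision until it has been authenticated, and the signature is compared with `hmac.Equal` rather than `==` to avoid a timing side channel.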
3. Data Security & Privacy for the Patients
- Server-side encryption should be enabled on databases and storage
- Data privacy: Sensitive Personal Information (SPI) and Personally Identifiable Information (PII) such as auth tokens, email IDs, phone numbers, DOB, KYC documents and patient health information or records should be encrypted at the field level, not only at the disk level
- Key generation and management using a Key Management Service (KMS), with keys held separately from the encrypted data
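The last two items, field-level encryption of SPI/PII and key management through a KMS, are usually implemented together as envelope encryption. The following Go program is an added example, not code from the article or from Nayati Healthcare: each patient record gets its own random data key, the sensitive fields are encrypted under that key with AES-256-GCM, and the data key itself is stored wrapped under a master key. The master key variable and the field names (`email`, `phone`, `dob`, `health_record`, `auth_token`) are assumptions for the demonstration; with a real KMS the master key never leaves the service and the wrap/unwrap steps become its GenerateDataKey and Decrypt calls. The patient ID and field name are bound into the authenticated data so that a ciphertext cannot be copied into another record or another field.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Constructed stand-in for the KMS master key. With a real KMS this key never
// leaves the service and this variable would not exist in application code.
var masterKey = []byte("demo-master-key-32-bytes-long!!!")

// Fields the article lists as SPI/PII; these are encrypted before storage.
var sensitiveFields = map[string]bool{
	"email": true, "phone": true, "dob": true, "health_record": true, "auth_token": true,
}

// StoredRecord is what goes into the database: per-field ciphertext plus the
// per-record data key wrapped under the master key.
type StoredRecord struct {
	PatientID  string
	WrappedKey string            // base64 of the data key encrypted under the master key
	Encrypted  map[string]string // base64 AES-GCM ciphertext per sensitive field
	Plain      map[string]string // non-sensitive fields stored as-is
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts with AES-GCM and prepends the random nonce to the ciphertext.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal and fails on any tampering of ciphertext or AAD.
func aeadOpen(key, data, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// EncryptRecord generates a fresh data key, encrypts every sensitive field under
// it with patientID:field as AAD, and wraps the data key under the master key.
func EncryptRecord(patientID string, fields map[string]string) (StoredRecord, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return StoredRecord{}, err
	}
	wrapped, err := aeadSeal(masterKey, dataKey, []byte(patientID)) // KMS GenerateDataKey equivalent
	if err != nil {
		return StoredRecord{}, err
	}
	rec := StoredRecord{PatientID: patientID, WrappedKey: base64.StdEncoding.EncodeToString(wrapped),
		Encrypted: map[string]string{}, Plain: map[string]string{}}
	for name, value := range fields {
		if !sensitiveFields[name] {
			rec.Plain[name] = value
			continue
		}
		ct, err := aeadSeal(dataKey, []byte(value), []byte(patientID+":"+name))
		if err != nil {
			return StoredRecord{}, err
		}
		rec.Encrypted[name] = base64.StdEncoding.EncodeToString(ct)
	}
	return rec, nil
}

// DecryptRecord unwraps the data key (a KMS Decrypt call in production) and recovers the fields.
func DecryptRecord(rec StoredRecord) (map[string]string, error) {
	wrapped, err := base64.StdEncoding.DecodeString(rec.WrappedKey)
	if err != nil {
		return nil, err
	}
	dataKey, err := aeadOpen(masterKey, wrapped, []byte(rec.PatientID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	out := map[string]string{}
	for k, v := range rec.Plain {
		out[k] = v
	}
	for name, b64ct := range rec.Encrypted {
		ct, err := base64.StdEncoding.DecodeString(b64ct)
		if err != nil {
			return nil, err
		}
		pt, err := aeadOpen(dataKey, ct, []byte(rec.PatientID+":"+name))
		if err != nil {
			return nil, fmt.Errorf("field %s: %w", name, err)
		}
		out[name] = string(pt)
	}
	return out, nil
}

func main() {
	rec, _ := EncryptRecord("P-1001", map[string]string{"email": "asha@example.org", "ward": "4B"})
	fmt.Println("stored email ciphertext:", rec.Encrypted["email"])
	got, err := DecryptRecord(rec)
	fmt.Println("decrypted:", got, "err:", err)
}
```

The practical consequences of this layout: a dump of the database alone is useless without the KMS, rotating the master key only requires re-wrapping the small data keys rather than re-encrypting every record, and an attacker who can edit rows but not call the KMS cannot swap one patient's ciphertext into another's record because the AAD check fails.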