Securing Patient Data While Embracing Innovation
As healthcare organizations look to technology innovation to improve patient care, they also need to make sure they are securing patient data in the face of new threats and vulnerabilities.
Source: thinkstock
- Healthcare organizations are increasingly looking to the latest technologies to improve patient care and cost efficiencies. These technologies include telemedicine and virtual care, mobile devices and wearables, the Internet of Things (IoT), artificial intelligence (AI), big data, blockchain, and the cloud.
In addition, healthcare organizations are employing IoT and other advanced technologies to create the connected hospitals of the future.
“Sensors, artificial intelligence, big data analytics, and blockchain are vital technologies for IoMT [Internet of Medical Things] as they provide multiple benefits to patients and facilities alike,” said Varun Babu, senior research analyst at Frost & Sullivan’s TechVision practice. "For instance, they help with the delivery of targeted and personalized medicine while simultaneously ensuring seamless communication and high productivity within smart hospitals."
Unfortunately, with new technologies come new threats. For example, telemedicine and virtual care raise patient data security concerns because of their reliance on mobile devices and unsecured communications links.
Security risks exist not only in the technology, but also with patients, particularly when they use their personal mobile devices. Few personal mobile devices are encrypted, and many aren’t even password-protected.
Cybercriminals are targeting connected devices used in IoT systems, the FBI warned. The attackers are looking for poorly patched firmware and software, hard-coded usernames and passwords, inadequate authentication, and other weaknesses to gain access to and control over these devices.
How secure is the cloud?
More healthcare organizations are using the cloud to help with EHRs, data and image storage, application delivery, and other data-intensive tasks. However, some are balking at adopting the cloud because of patient data security, privacy and HIPAA compliance concerns.
When considering the use of cloud computing services, healthcare organizations need to evaluate what types of data will be hosted in cloud environments, the associated regulatory requirements, and how the transition will impact their compliance planning, according to the latest HIMSS Cloud Computing Toolkit.
Once a healthcare provider makes the decision to use the cloud, it should ensure strong authentication is used so that no unauthorized users can access sensitive patient data.
Addressing security challenges
While these new technologies promise to transform patient care, they also complicate the task of securing patient data. But patient data will continue to be a lucrative target for cyberattackers. Healthcare providers need to recognize the evolving security challenges in this complex environment.
“Understanding the landscape that you are operating in as an individual organization is key to being prepared. The greater the complexity of the security and data sprawl, the more complex the security data architecture models end up being,” observed Fernando Martinez, senior vice president and chief digital officer at the Texas Hospital Association, in a September 2018 HealthITSecurity.com webcast.
“Being prepared and understanding how all of these things are shaping up in your environment is exceedingly important. How you identify and manage your environment is key to being prepared,” he added.
Martinez recommended organizations conduct risk analysis to ensure patient data is secured and HIPAA compliance is met. A full 88 percent of the 42 organizations that have paid fines to the Office for Civil Rights (OCR) failed to conduct a sufficient risk analysis, he noted.
In a May 2018 article, OCR explained that risk analysis is not penetration testing or compliance gap assessment. But risk analysis needs to include an inventory of all information assets used to create, maintain, retrieve, or transmit patient data, as well as the threats, vulnerabilities, likelihood, impact, and controls associated with that data.
“Most organizations have much of this in some form, but they don’t have a cohesive, singular tool or solution that can bring it together and provide a risk analysis picture for the organization,” Martinez said.
He encouraged organizations to adopt the “three E’s” in developing their patient data security program:
- Evaluate: Conduct an appropriate risk analysis to catalog the location of patient data and the security measures in place to protect that data.
- Educate: Implement comprehensive and consistent security training for the workforce and user base.
- Exercise: Hold simulated cyber incidents to test the organization’s response under controlled conditions.
The bottom line is that to secure patient data in the future, organizations need to do their homework on the threats, ensure they’re prepared through risk analysis, training, and simulated exercise, and deploy the appropriate technology as part of a comprehensive security program.
