Data Privacy Day 2020: As Health Information Goes Digital, Organizations Must Focus on Data Protection

Healthcare organizations have increasingly started adopting digital solutions to make healthcare systems more efficient. Not only does digitization eliminates paper records, it also consolidates all patient data in a centralized system. If patient data is linked with Aadhaar and made available online with the consent of the patient, not only will it improve convenience, it will also serve as a data repository that can be used for the purposes of medical research.  Advances in AI have made it possible for data scientists to train machine learning models while keeping the data confidential. This will soon make it possible for healthcare providers to provide more timely and accurate diagnoses and prognoses.

The recently introduced Data Protection Bill is a good step at laying out provisions to offer safeguards to citizens from exploitation of their personal data. However, it also leaves many questions unanswered. The Bill places personal health data under the category of ‘sensitive data’ which can be processed only based on ‘explicit consent’ by individuals. Data experts in healthcare believe greater clarity is required on these provisions to enable organizations frame their policies coherently. Healthcare being one of the largest users of data science and AI, the sector constantly processes and analyses healthcare data. Organizations in the field therefore also require greater assurance that their AI-based data analytical tools and algorithms which help them improve their services and offerings will not be affected.

However, digitization also makes healthcare organizations highly vulnerable to cyber attacks. Cybercriminals are particularly attracted to organizations that have high value information and a low risk tolerance, and organizations in the healthcare industry see more intrusion attacks per day compared to other industries. Possibility of electronic health records getting compromising or stolen, ransom ware attacks on hospitals and insurance companies are among the major threats. These threats might also include the possibility of attack on medical devices implanted on patients or attacks that disrupt digital infrastructure’s ability to provide patient care. Imagine a scenario where ICUs are running completely on digital systems and a malware attack disables the entire network of the hospital. Even a few minutes’ of such a disruption can be life threatening for critically ill patients.

Despite being a rich source of important data, healthcare industry has traditionally been underprepared to face these risks. Medical facilities should proactively strengthen their data security structures instead of just reacting to breaches.

Here are some measures healthcare organizations must adopt to bolster preparedness against cyber attacks:

1. Educate hospital staff- The human element is one of the most crucial aspects of data security, especially in the healthcare industry where a small lapse could lead to disastrous consequences for the healthcare organization. Awareness training should be made mandatory for hospital staff so that they exercise caution while handling sensitive patient data.
2. Restrict access-Make sure that only authorized users have access to patient information. Enforcing multifactor authentication is highly recommended because it requires users to go through two or more verification methods including:

- Information only the user will have access to, like PIN number or password

- a digitally generated temporary key that will get sent to a device that only the user would have access to

- Biometric data (fingerprints, facial recognition, eye scanning)

3. Implement usage controls- Healthcare organizations should make it standard practice to flag / block malicious activity in real time. Implement data controls to block actions that involve sensitive data, including web uploads, printing, transferring files to external drives, and sending unauthorized emails. Have a centralized protocol to discover and tag sensitive data so that they receive proper protection.
4. Use Firewalls to Strengthen Network Security– Firewalls help protect hospital systems from malware and they also give the IT department an insight into the most common brute force attacks faced by networks. Malware developers have become increasingly clever over the years, and the firewalls you setup need to be proactive in detecting cleverly disguised threats.
5. Backup all your data– Apart from the threat of hacking, hospital systems are vulnerable to a whole host of disasters, from fires and floods to chemical spillage and building collapse. Scheduled regular data backups and house the files in an offsite storage site to ensure that vital data stays secure.
6. Encrypt patient data– Make sure all patient data is encrypted. This makes it extremely difficult for hackers to interpret it even if they manage to breach it successfully. Make sure full-disk encryption is enforced at all end points storing sensitive data. If sensitive data is being transmitted via applications and web, deploy WPA, VPN, or SSL encryption to secure them. Last but not the least; make sure all communication containing sensitive data is encrypted.
7. Update medical software– If there is a weakness or security hole in your medical software, it can be easily exploited by experienced hackers. All they have to do is write code that targets a specific vulnerability and package it into malware. Once the system is infected with malware, it can be used to steal data and even gain complete control. So, if you have older versions of medical software with outdated security patches, makes sure you take the system offline and update them first.
8. Minimize risk from connected devices– Mobile phones are not the only vulnerable component in hospital networks. Office equipment, security cameras, and medical devices open up potential pathways for malicious actors. Hospitals cannot rely on device manufacturers to prioritize security owing to lengthy development cycles. Make sure that you have proper visibility of the ecosystem of connected devices. Once you do, take proactive measures to mitigate risks, such as patching, network segmentation, and removing unauthorized devices from the hospital network.
9. Perform risk assessments– Healthcare organizations should regularly review their records and check to see who accesses personal health information records. They should also use penetration testing to evaluate the effectiveness of their security measures, and be on the lookout for potential risks. If you find vulnerabilities, you must immediately enforce changes to secure patient data.  

The Future of Healthcare Security

Having more than one checkpoint for sensitive data can greatly improve security and allow patients to monitor their health information. Block chain enabled patient records could help redefine data security. By decentralizing medical databases, it will help eliminate large-scale data breaches. Even if hackers manage to get on a block chain system, they will be able to damage only one instance, and they will have to convince all the computers on the chain to accept the change. If they don’t, it will get rejected. Even if the hacker somehow manages to convince the other computers that the data was indeed correct, it’s still just one record, making it an ideal way to stop an attack in its tracks. Coupled with distributed data storage, block chain technology is perfect for maintaining medical records. 

Compliance and data security are pre-requisites for healthcare organizations, and compromising on either can lead to potentially disastrous and far-reaching consequences that adversely affect both patient trust and the reputation of the organization. Healthcare providers can no longer afford to be lax with their security measures, especially since their business is dependent on reliable, timely and accurate data management.

Dr. Shankar Narang, COO, Paras Healthcare