Light Dark
April 1, 2019 By Mark Stone 4 min read
Data Protection
Healthcare

The healthcare industry is moving toward the universal use of electronic health records (EHRs), digital documentation that represents a secure record of our complete health history. With EHRs, your healthcare provider gets real-time access to your relevant medical data, enabling them to make faster and more accurate treatment decisions.

But all this data has to be stored somewhere. It’s no secret that the healthcare industry is hit hardest when it comes to data breaches, and healthcare security is going to play a huge role if the utopian vision of a purely digital ecosystem is to be realized.

In some countries, however, the medical system is already well on its way to becoming fully digital. In Sweden, for example, 41 percent (about 4.1 million) of the population had already created their own account to use personal e-services on the country’s online portal by June 2017, according to Philips. And in Canada, there are private initiatives to facilitate the EHR process by providing Canadians secure access to their health records.

So why is the U.S. not moving as quickly to adopt a digital system? There are many reasons for this reluctance — some political, some ethical and some based on the sheer number of healthcare providers and the population.

Still, cybersecurity may be the most critical factor. Perhaps incidents such as the flaw that left 170,000 hours of 2.7 million medical calls exposed online for six years in Sweden are prompting us to take our time.

Two Nations, Two Disparate Health Ecosystems

To get an idea of where the U.S. may be headed, we can look to Canada, a country with an estimated population of around 37 million. There, the Toronto-based Dot Health already has relationships with 3,000 healthcare providers across the country and provides an app for Canadians to display their health information in one place. The app updates data whenever it changes and the company goes over and above to secure it. How it protects the data is paramount, but we’ll address this later on.

In Canada, each province and territory is responsible for organizing and delivering health services and supervising providers. This territorial split represents the largest stumbling block for companies like Dot Health that want to be a catalyst for a fully digital system.

“If [healthcare] was federally done, it would be very different,” said Huda Idrees, founder and CEO of Dot Health. “It makes it really difficult when it seems each of the provinces is trying to compete with each other.”

Idrees explained that while a fully digital healthcare system in Canada may have its own set of challenges, the U.S. faces a particularly bumpy road ahead.

“Going digital [in the U.S.] is especially difficult in healthcare, where it’s completely out-of-pocket,” Idrees said. “There are very difficult innovations around EHR, and providers may not want to talk to each other because they have business interests that are in conflict.”

Surpassing Healthcare Security Standards

When it comes to data, the most coveted for threat actors is probably that which comes from the healthcare industry. Understandably, Idrees gets a lot of questions about security, privacy and information protection — a core focus for her company from the very beginning. For Dot Health, security must not only be much better than the healthcare providers, but strive for excellence in data protection to exceed standards in any industry, let alone healthcare.

To achieve this on a technical level, one example Idrees provided is in how they store health records. Instead of monolithic databases, the company spreads data over several databases that contain bits and pieces of what makes up a whole electronic health record.

“You would need to breach 12 different databases and also have the patient’s own login key in order to decipher one complete health record,” Idrees said.

Before going live, Dot Health spent eight months with third-party security specialists to help ensure compliance with all related legislation. On top of that, the company undergoes penetration testing from a third-party vendor three times a year.

In writing about healthcare security, I’ve learned that, unfortunately, pen testing rarely occurs that frequently for healthcare companies. But shouldn’t it, especially when providers are protecting our most sensitive health data?

Not So Fast, We Still Have Work to Do

Perhaps we’re getting ahead of ourselves. Before healthcare data becomes completely digital — or even partially digital — the industry has to be prepared for change. Independent security researcher Rod Soto said that healthcare in the U.S. has a long way to go before going all-in on EHRs.

“Although government regulation has helped to move [the industry] in the digital direction, the evolution of technology and standards sometimes goes faster than the speed of the industry’s willingness to keep up,” Soto said. “This situation where many of the acquired technologies quickly become outdated or obsolete does not match the conservative mindset of the healthcare industry, [and] pushes many organizations to just wait or simply not embrace digital transformation.”

The seemingly endless news about successful breaches and destructive attacks against healthcare institutions doesn’t help, either. So is there any sort of shift that needs to happen to turn the tide?

According to Soto, while a shift may occur, it won’t be anytime soon. “The healthcare industry is known for dealing with significant amounts of legacy, outdated, unmanaged and unpatched systems,” he said. “Malicious actors know this and actively target healthcare organizations.”

Threat actors know the value of the information those systems hold. Because they’ve had success with past breaches, they understand these institutions will pay a ransom if pressed and, if not, they can easily sell the information on the dark web.

Why We Should Wait to Go All-In on EHRs

This may be belaboring the obvious, but we need to be more proactive in keeping systems up to date and patching them to reduce the attack surface.

“That includes more manpower and stricter security controls,” Soto said. “I notice that a lot of the attacks on those organizations usually come from outdated, unmanaged systems.”

Soto does not recommend going fully digital without having a hard copy of records or an off-site backup.

“As antiquated as it may sound, in many instances, where either outages, destructive crimeware or ransomware campaigns have been successful, the hard copy and off-site backups have helped the affected organizations,” he added.

It sure seems like we need to take our time before transitioning to electronic health records. Given the current healthcare breach statistics — more than 2 million healthcare records were compromised in February 2019 alone, a 330 percent increase from January, according to HIPAA Journal — sitting back and watching how the transformation plays out in other countries may be the most prudent strategy.

In the meantime, those in the health industry should follow the Department of Health and Human Services’ cybersecurity guidelines for the healthcare sector, where professionals can share healthcare security best practices to mitigate risk and boost cybersecurity programs across the industry.

 |  |  |  |  |  |  |  |  |  |  | 
Mark Stone

More from Data Protection
November 2, 2023

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

November 1, 2023

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

October 25, 2023

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature