Keeping Health Data Secure In an Era of Cyber Security Breaches
Digital health has significantly impacted medicine owing to the new methods for treating common ailments. Despite the major benefits of digital therapeutics, there has been a steady increase in health data breaches. Medtech and biopharma hold sensitive information such as patient outcomes and company reputations, which pose a high potential risk. The Health Insurance Portability and Accountability Act Rules require companies holding sensitive medical data to perform a risk assessment and put in place programs for combating security loopholes. Here is a look at the cyber security challenges and some of the measures that can be taken to keep health data secure.
Challenges In Protecting Patient Data
It is projected that up to 50 billion medical gadgets will send data to patients and healthcare providers in the coming years. The volume of data flow has risen from hundreds to thousands of patients. Real-time data has also been transmitted through wearables like blood pressure devices. The variety of data being captured as well as the transition of health care from controlled settings into homes with remote patient monitoring, has increased the risk of data breaches.
On average, a health data breach is more costly than a cyber security breach in any industry. In the years 2017-2018, the number of patients subjected to data breaches in the U.S. tripled to 15 million records. This figure increased in 2019 to up to 25 million breached records. It has now become more difficult to keep health information safe with the popularity of connected health devices in public spaces, workplaces, and homes. For example, Zoll recently exposed the personal health information of over 270,000 patients due to an error with their server. It is important for Medtech companies to develop internal processes that deal with potential leaks.
Digital medical devices have also been associated with an increase in data breaches. A recent survey of healthcare provider companies established that a significant number of these organizations had medical devices that had ransomware or malware in the last 18 months. Most of the respondents blamed the manufacturer of these devices for security issues. The FDA has issued warnings about cybersecurity loopholes in medical devices that give access to unauthorized users since 2015. In March 2019, the FDA focused on a vulnerability found in defibrillators that enabled a cyber-criminal to control the devices remotely. This shows how vulnerabilities in digital devices are posing a great challenge to the efforts of curbing data breaches.
Recommendations For Preventing Health Data Breaches
Since digital technology has been implemented in modern health care systems, it is crucial for the relevant authorities to develop processes and tools for protecting sensitive data. Some of the recommendations for tightening health data security include:
- HIPPA violation occurs if you fail to have a risk assessment plan. This violation subjects health care providers to high fines. The enforcement of HIPPA is overseen by the U.S. Department of Health and Human Services. HIPPA Privacy rules are aimed at protecting patient health information, such as electronic information from breaches. Ensuring organizations are HIPPA compliant is one of the best ways of protecting healthcare data.
- Developing internal procedures to avoid vulnerabilities that cause data breaches. There is also a need for staff training on methods of protecting health data and recognizing security loopholes in medical devices.
- Ensuring security systems, staff members, and products adhere to industry standards. The HITRUST Common Security Framework has made it easy for organizations to comply with regulations by uniting all international regulations into simpler security controls. HITRUST is gaining popularity as the standard certification for organizations charged with patient health information.
- Recruiting a technical staff that is committed to security threats and follows the current privacy laws to prevent patient harm, penalties, and negative publicity arising from a data breach. Additionally, there should be continuous training on current security measures and oversight by professionals in privacy and security.
- Separating Patient Identifiable Information (PII) from de-identified patient information (PHI) in separate cloud environments. This prevents multi-tenancy between cloud environments.
The health care industry has made significant strides in diagnosing and treating various health conditions due to technological advancements in the medical field. With the popularity of digital devices for sending information between patients and health care providers, the risk of data breaches has increased significantly. While hackers may be blamed for a high number of these security crimes, internal systems in health care entities have also contributed to these vulnerabilities. Malware and ransomware in medical devices have also associated with a high number of unauthorized accesses to patient identifiable information. Most of the recommendations for preventing data breaches include HIPPA compliance, continued training of security staff, and organized storage of information in cloud servers. It is important that Medtech and biopharma companies perform thorough risk assessment protocols to identify security loopholes and for the improved protection of patient information.
Author: Jordan MacAvoyJordan MacAvoy , is the Vice President of Marketing at Reciprocity Labs and manages the company’s go-to-market strategy and execution. Prior to joining Reciprocity, Mr. MacAvoy served in executive roles at Fundbox, a Forbes Next Billion Dollar Company, and Intuit, via their acquisition of the SaaS marketing and communications solution, Demandforce.
Photo by Brett Sayles from Pexels