Today, the healthcare industry faces a growing risk of data breaches along with other data security and privacy challenges. Automation in healthcare systems, digitization of patient and clinical data, and increased information sharing are expanding the attack surface and, with it, the chances of data compromise.
In a recent webinar hosted by GS Lab | GAVS with industry leaders in the cybersecurity space, we focused on the formidable challenges in healthcare data protection and why suitable investments in security technologies, solutions, and processes can make all the difference. The webinar also touched upon the increasing sophistication of cyber threats, the need for standard policies and practices, the role of information governance, the rapidly changing threat landscape outpacing technology investments, and steps to take for future-proof cyber resilience.
This blog captures some of the key discussion points and takeaways from the webinar on ‘Emerging Risks for Data Protection in Healthcare.’ The link to the entire webinar is available at the end of the blog.
The webinar was moderated by Shivakumar D, who leads the Data Privacy function at GS Lab | GAVS. Mr. Robinson Roe and Ms. Kavitha Srinivasulu joined him to discuss the topic in detail.
Robinson Roe is the Managing Director of Asia Pacific Japan region at OneTrust. He leads the delivery of technology solutions to support privacy, security, and trust management operations.
Kavitha Srinivasulu heads Cybersecurity and Data Privacy Services at GS Lab | GAVS, and has rich experience in areas like cybersecurity and risk management, data privacy, information protection, regulatory compliance, etc.
Healthcare Digitalization
With the digitalization of healthcare practices, a lot of personal information is electronically shared between patients and medical practitioners. The surge in popularity of IoMT (Internet of Medical Things) devices such as pacemakers and other types of personal medical equipment is largely because of their easy connectivity to the internet, the accessibility of their data, and the suitability of this data for enhanced patient care. While the collection of huge amounts of data is generally well-intentioned, healthcare organizations should ask themselves why they are collecting the data. There also need to be answers to related questions: what they are going to do with the data, how long they plan to keep it, and whether they plan to use it for purposes other than the one it was originally collected for.
Healthcare organizations must first focus on the data privacy and security measures needed for safe handling of data. It needs to be understood that when organizations collect information, that data cannot remain indefinitely in their systems. Additionally, allowing open access to such data without a defined purpose exposes it unnecessarily. Lack of awareness of the data lifecycle, and granting personnel access they do not need, weaken the security measures and policies that are put in place.
So, it is essential to have the right security and governance controls to track healthcare data collection and its lifecycle within the organization, with well-established processes for the use and storage of the data. For uses beyond the original purpose, there need to be mechanisms to obtain and track patient consent. Enforcing these controls with the right set of tools rather than through manual processes is also imperative for data protection.
Challenges in Data Privacy
Too much of anything is not always a good thing! Huge volumes of healthcare data are great for improving patient care. But these volumes increase the complexities in careful handling, management, retention, and disposal of the data.
PII, or Personally Identifiable Information, in the healthcare industry is unique in nature, like a fingerprint. To get the best possible healthcare outcomes, many such personal details of patients are stored and maintained by the healthcare industry. Since the move to electronic data sharing, data transfers have been happening faster than the industry is prepared to govern. The problem starts when the data is used beyond its original purpose.
Despite privacy laws such as GDPR, CCPA and PIPEDA having been in force for years, healthcare organizations still fall short in the areas of data privacy and security. As a result, attackers continue to target healthcare organizations to get their hands on PII and PHI. Security experts reportedly put the price of a single PHI record on the dark web at around USD 250. With so many stringent and constantly evolving regulations, healthcare organizations are finding it very hard to keep up. Experts suggest that the best place to start is the establishment of best practices within the organization. If all the right steps are taken to protect patient data and to earn patients' trust, most regulatory compliance requirements are taken care of as a consequence.
To take a step towards creating a more resilient data protection system within the organization, the following challenges must be addressed methodically:
- Lack of visibility into the data maintained across different facilities
- Disparate tools and solutions for cyber protection
- Failure to continually identify current threats within the system
- Usage of old legacy systems which create data vulnerability
- Open, unprotected exchange of critical and sensitive patient data
Recommended Data Security Measures
Understanding what data is collected, how it is used, and where it is stored should be the first step towards data protection. This can be accomplished through data discovery, automated or semi-automated privacy impact assessments, and recording what has been discovered in a structured inventory. Unstructured data is difficult to trace and handle, and is often where data breaches or security issues arise. Classifying data by its use and its sensitivity makes implementing data security measures easier. Here are some of the recommended data security measures:
- Focus on best practices first before regulatory compliance
- Plan for data minimization and define the purpose of each data element collected
- Conduct employee awareness training sessions routinely
- Run simulated phishing campaigns regularly
- Move away from manual modes of security and implement the right software solutions
- Implement data privacy by design to ensure the right levels of security controls
- Enable digital identity through MFA (two-factor or Multi-Factor Authentication) and PAM (Privileged Access Management) to reduce the risk of unauthorized access to data
- Periodically assess risks, including environmental threats and challenges
- Continuously monitor and update privacy policies and procedures
- Appoint a Data Protection Officer (DPO) to establish proper governance structures
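As an added, illustrative example that is not part of the webinar or of any GS Lab | GAVS tooling, the following Python script shows what the data-discovery, classification and lifecycle steps above look like in code: it scans constructed, fictitious free-text records for PHI/PII indicators, classifies each record, derives a disposal date from an assumed retention policy, and checks whether a requested use is covered by the original purpose or by recorded patient consent. The indicator patterns, the medical record number (MRN) format, the retention periods, the classification rule and the sample records are all assumptions made for this example.

```python
"""Added example (not the webinar's or GS Lab | GAVS's code): data discovery,
classification and lifecycle checks over constructed, fictitious records."""
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Indicator patterns for PHI/PII in free text. The MRN format (two letters, six
# digits) and the other formats are assumptions made for this example.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "dob": re.compile(r"\bDOB[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
    "mrn": re.compile(r"\bMRN[:\s]+[A-Z]{2}\d{6}\b"),
    "diagnosis": re.compile(r"\b(?:diagnosed with|dx:)\s+[A-Za-z ]+", re.IGNORECASE),
}

# Assumed retention policy in days per classification (not from the webinar).
RETENTION_DAYS = {"PHI": 6 * 365, "PII": 2 * 365, "INTERNAL": 90}


@dataclass
class Record:
    record_id: str
    text: str
    collected_on: date
    purpose: str                                  # purpose stated at collection time
    consented_purposes: frozenset = frozenset()   # extra uses the patient agreed to


@dataclass
class InventoryEntry:
    record_id: str
    classification: str
    indicators: dict
    dispose_after: date


def discover(text: str) -> dict:
    """Return a count of PHI/PII indicator hits per category found in free text."""
    hits = {}
    for name, rx in PATTERNS.items():
        n = len(rx.findall(text))
        if n:
            hits[name] = n
    return hits


def classify(hits: dict) -> str:
    """Simplified rule (an assumption): clinical content or an MRN makes a record PHI;
    personal identifiers alone make it PII; anything else is internal."""
    found = set(hits)
    if found & {"diagnosis", "mrn"}:
        return "PHI"
    if found & {"ssn", "email", "phone", "dob"}:
        return "PII"
    return "INTERNAL"


def build_inventory(records):
    """Run discovery over each record and attach a disposal date from the policy."""
    entries = []
    for r in records:
        hits = discover(r.text)
        cls = classify(hits)
        dispose_after = r.collected_on + timedelta(days=RETENTION_DAYS[cls])
        entries.append(InventoryEntry(r.record_id, cls, hits, dispose_after))
    return entries


def overdue_for_disposal(entries, today: date):
    """IDs of records kept past their retention period: data must not remain indefinitely."""
    return [e.record_id for e in entries if today >= e.dispose_after]


def use_permitted(record: Record, requested_purpose: str) -> bool:
    """A use beyond the original purpose needs recorded consent for that purpose."""
    return requested_purpose == record.purpose or requested_purpose in record.consented_purposes


# Constructed, fictitious sample records for this example.
SAMPLE_RECORDS = [
    Record("note-001",
           "Patient Jane Doe, DOB: 04/12/1975, MRN: AB123456, diagnosed with type 2 "
           "diabetes. Contact: jane.doe@example.com",
           date(2017, 3, 1), "treatment", frozenset({"appointment-reminders"})),
    Record("vendor-017",
           "Vendor contact: Bob Smith, (555) 123-4567, bob@vendor.example",
           date(2023, 9, 1), "procurement"),
    Record("memo-042",
           "Cafeteria menu for Monday: soup, salad, fruit.",
           date(2024, 1, 10), "facilities"),
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    entries = build_inventory(SAMPLE_RECORDS)
    for e in entries:
        print(f"{e.record_id}: {e.classification} {e.indicators} dispose after {e.dispose_after}")
    print("overdue for disposal:", overdue_for_disposal(entries, today))
    print("research use of note-001 permitted:", use_permitted(SAMPLE_RECORDS[0], "research"))
```

Run as-is, the script flags the clinical note as PHI (and overdue for disposal under the assumed six-year policy), the vendor contact as PII, and the cafeteria memo as internal, and it refuses a "research" use of the note because only "treatment" and "appointment-reminders" are covered by the original purpose or consent. In practice the regex layer would be replaced or supplemented by a discovery tool and the policy table by the organization's records-retention schedule; the structure (discover, classify, attach lifecycle, gate secondary use on consent) is the point.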
This blog offers only a high-level gist of the webinar. You can watch the entire discussion that includes the poll questions and the experts’ take on audience questions here.
GS Lab | GAVS periodically organizes insightful webinars with our tech leaders, the leadership team, and industry thought leaders to explore current and emerging trends. To watch any of our webinar recordings, please visit https://www.gavstech.com/videos/.