In Indonesia, at least a million citizens' medical records were leaked on the darknet. In New Zealand, hackers released records to the media. A ransomware attack debilitated Ireland’s health systems “crippling diagnostic services, disrupting COVID-19 testing and forcing hospitals to cancel many appointments."
Especially in healthcare, such cyberattacks and data hacks can be significantly disruptive for two reasons:
The personal and private information about patients' health can be abused to have dire consequences
The regulatory ramifications of data breaches, governed by acts such as HIPAA, GDPR etc., can be significant
Today, healthcare organizations struggle to adequately protect patient data for many reasons. First of them being the very nature of digital applications. Until recently, the data that used to be on a piece of paper and mostly with the patient, is now stored in multiple databases accessed by multiple apps, hospital portals, health tracking tools, medical providers, etc. Most of them allow the data to be accessed remotely too.
Additionally, patients are yet to understand their own privacy rights. Healthcare staff are also low on security awareness because organizations do not train doctors, nurses and other medical staff on information security. The equipment that hospitals use to collect and store data is also not adequately monitored or protected.
To protect patient privacy, healthcare organizations need to build guardrails across all of these dimensions. Here are our recommendations on how to begin that journey:
When it comes to data breaches, there is no single loophole. There could be vulnerabilities at any stage. So, it is important to set up controls and countermeasures across the board.
Data could be at rest (physically housed on computer systems in digital form) or in use (stored in a non-persistent digital state like RAM/caches) or in transit (data flow over the public internet or a private network). Data at rest should be encrypted with AES 256 or the equivalent. The best way to secure data in use or in motion is by restricting access based on user roles or granting access only on need basis or using obfuscated data instead of raw data and using HTTPS / transport layer security.
Data should not be accessed from users’ personal devices. Accessing data from a user's personal device should be an exception with the device having the appropriate level of controls to ensure data safety. There should also be an approval process defined to access data from the user's personal device.
Devices used to access patients' data should have the right controls including mobile device management, encryption, strong password, logging, limited rights, anti-malware, patched devices etc. IoT devices should be set up on a separate network and not connected to those that store patient’s data.
Whether on-premises or on the cloud, servers should only have the required ports open. Network configuration will need to follow best practices. If the setup is on-prem, it should then be physically secured as well. And, access should follow the principle of least privilege.
Organizations should define a data classification policy, classify patient data carefully and treat it accordingly.
The patient should be the owner of the data and the health care provider should be its custodian. In line with that, access control should be applied at the network level, systems level, database level and web level. Only authorized individuals should be allowed to access the data.
Data should be retained only as per regulatory requirements and securely deleted when no longer necessary
Data should be backed up as per the agreed policy and in line with a business continuity plan
Patients should have the right to request data deletion
Where possible, third parties should not be given access to the patient's data. When needed, the data must be masked or obfuscated before sharing. This should happen after securing the patient’s consent and assessing the third party’s security practices as well.
All the logs should be stored in a centrally managed system with limited access to third parties. Logs should be reviewed and data systems, and third-parties should be regularly audited. At the end of the engagement, the health care provider should re-collect all the data from the third party and ensure they have securely deleted all the data in their possession.
Healthcare organizations should follow defined processes for vulnerability assessment and penetration testing across the network perimeter, applications, databases, systems and all devices. All identified vulnerabilities should be addressed as per defined timelines.
Patient data plays a significant role in healthcare. Access to timely and accurate data can be the difference between life and death. However, inadequate data security is a severe breach of the individual’s right to privacy. Every healthcare organization needs to navigate the thin line between the two.
With a security-first mindset, and adhering to best practices and the foundations of the principle of least privilege, – the healthcare data ecosystem can strategically leverage patient data while upholding the highest standards of security and privacy.
Disclaimer: The statements and opinions expressed in this article are those of the author(s) and do not necessarily reflect the positions of Thoughtworks.