Security requirements in healthcare industry are very different and unique as compared to other industries. Both the collection of information and access of information are from multiple end points. Data on a patient is accumulated through multiple routes like hospital records, lab records, insurance portals, fitness bands and fitness devices, health portals etc while the access of the same by medical professionals is also from multiple devices like laptops, tablets, cell phones, mobile hospital terminals, web browsers etc.
A patient data record is a virtual goldmine for hackers giving them an almost complete profile of the individual across basic information, health patterns, financial information, family information among other things. Recent studies show that the value of a stolen health record can be as high as 50x the value of a credit card record.
The means of application and data access in healthcare segment occurs from multiple end points which becomes the weak points of the chain and have the potential to open up a breach in the infrastructure. This is not just from the employees of the healthcare organisation but also from third party and business partners who have access to the application. Add to this the aspect of physicians and doctors accessing the application from unsecure open networks on their mobile devices and you have breaches opening up at unspecified locations for the hackers to exploit.
A US study has shown that almost 58% of the data breaches in a healthcare organisation occur from third party / business partners who have access into the application. Forrestor Research mentioned in their study that more than 41% of the healthcare organisations do not have endpoint security installed even though approx. one-third of the employees work remotely at least once a week.
As applications move to the cloud and are accessed by multiple hospitals and physicians, the end point becomes a susceptible area for data theft and data loss with the need to secure the access not just from internal employees and external consultants but also from the end points access from third party business partner resources.
Are there compliances in place?
The US and European markets seem to have woken up to the need of data security in healthcare industry with the implementation of multiple compliance checkpoints like Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for
Economic and Clinical Health Act (HITECH), and the Affordable Care Act (ACA) among others citing the need to protect personal health information (PHI). These compliance measures are currently reactive in nature penalising the healthcare organisation for data breaches. The need of the hour is to have a proactive look at data security in healthcare sector as well.
While a few large healthcare organisations in India probably govern their IT infrastructure in line with the US compliance acts; a majority of the healthcare service providers in India do not have secure measures installed to prevent data breach. In a country like India, this applies even more to the small healthcare providers existing in the lanes and by-lanes of the country who capture information and treat patients on a regular basis. A US healthcare study shows that almost 25% of data breaches happen from organisations with 1-100 employee size. I am sure the statistic will significantly vary for India.
Healthcare industry should be held to a very high standard of data security given the importance of information they have about individuals. However, it is also a daunting challenge given the plethora of entry and access points and very difficult for individual organisations to implement.
What precautions should a healthcare provider take from a security perspective?
Endpoint security and secure access from these devices are one way to prevent opening up that breach for hackers to exploit. It is critical that the healthcare provider’s IT infrastructure incorporates these two aspects into their blueprint. Profile driven secure access of corporate applications and data must be implemented by the healthcare industry. Secure Access must be independent of the device and the network being accessed from and dependent on the profile of the person accessing the data.
Some of the steps that can be taken are:
- Have a robust security policy implemented in the IT foundation of the organisation.
- Have a CISO as part of the IT team, and not just a security IT executive.
- Train employees about importance of data security in the workplace.
- Ensure compliance contracts are implemented with third party business partners as well.
- Have a clear mobile security policy. Almost 90% of Android healthcare apps have been hacked.
- Have a regular consistent security audit in place to identify weak points in the infrastructure.
- Make data security a proactive thought rather than a reactive measure.
What can we do to help?
Instasafe’s Security-as-a-Service offering – Instasafe Secure Access – is a simple and easy way to implement end point access security for all stakeholders, whether they are internal employees, external consultants or third party business partner resources not connected to the network. By implementing a small thin-footprint ISA client on the end point, healthcare organisation’s can get an effective secure access implemented at low cost without the need for capex investment in expensive hardware and skilled resources to manage the infrastructure.
Reach out to us for your security challenges and a simple, easy, cost effective solution!