Digital Advancements vs Digital Trust
The quest for innovation in almost every industry is met with a new series of threats to combat in parallel. For the medical industry, the perfect world could mean seamless efficiency for patients, physicians and their supply chain, reduced human error, improved treatment, lower costs and optimised systems. There is no doubt about the positive impact of technology in the healthcare industry, but sadly, the progression towards digital is lagging behind, which could largely be due to the lack of trust in digital systems paired with highly sensitive information – sometimes even life-threatening – that has the potential to be exposed.
Particularly now, as we diligently practice social distancing in order to combat the spread of COVID-19, there has been a significant rise in telehealth, also known as teleconsultation, where patients seek medical services digitally. Connectivity through teleconsultation has brought tremendous value in effciency to the healthcare industry. With an accelerated development in the teleconsultation space, there has been a sharp spike in Protected Health Information (PHI) and Personally Identifiable Information (PII) being shared over the Cloud as Electronic Health Records (EHR) with healthcare providers. However, with progression in the digital healthcare space, come new opportunities for cybercriminals. To put things into perspective, this has widened the scope of cyber security challenges as there is a heightened risk where fraudsters with malicious intent can infiltrate the healthcare environment to counter an attack and amplify any vulnerabilities within its digital ecosystem.
For many, adjusting to the new operating environment presented by COVID-19 has also led companies to rush innovation timelines and adopt new technologies, creating the risk of new suppliers and partners having access to sensitive patient data.
The Need for Efficiency in the Healthcare Sector
The healthcare industry has always been very cost-sensitive, yet as we progress towards universal coverage in the digital healthcare space, it only makes sense to adopt efficient security solutions. Efficiency is quantified in terms of assessing existing security capabilities within a fixed budget. Unfortunately, despite the increase in these attacks, especially since the pandemic began, the healthcare sector has been caught off guard and was not well prepared for it. According to a survey conducted by security software firm Irdeto, 88% of US-based MedTech leaders do not believe their organisation is prepared for a cyber attack. In the event of a cyber attack, confidential PHI and PII data will be compromised, violating compliance requirements such as the Health Information Portability & Accountability Act (HIPAA), the General Data Protection Regulation (GDPR) and more than likely this will lead to significant fines.
These compliance requirements have certainly steered CISOs and Privacy Officers focus towards protecting PHI & PII data – and since medical data is extremely sensitive, the stakes are incredibly high. However, acts like HIPAA often work on an abstract level and do not always ensure that healthcare organisations have an elaborate security architecture that stores sensitive patient data in a secured manner. Another factor contributing to the slower-paced digital development in this sector is the fact that specialists in both security and digitalisation are still very much understaffed, and not the primary focus of the healthcare industry in comparison to other industries.
How does this picture compare to a nation that embraces digital?
If we look at Israel, we can clearly see an ecosystem that embraces digital health innovation, with institutions, hospitals and health maintenance organisations being interested in trying new things and challenging the antiquated approach. A clear success story of healthcare industry innovation has become visible during the pandemic, Israel vaccinated approximately half of its entire population against COVID-19 in only two months.
Israel was able to achieve this thanks to the nation’s four Health Maintenance Organisations (HMOs), which service its entire population and have the ability to successfully launch complex, large-scale processes within a short timeframe, evidence of this is Israel's vaccination program, cataloged by experts as the best in the world.
Cybersecurity & Technological Challenges with Digital Healthcare Services
Around 60% of healthcare providers have made digital services a top priority in order to cater to a large portion of their customer base; which is used to digital efficiency, sharing information online and wearing devices that track their medical data as well as store their information. It's important to mention that the risk of cyber attacks can range in severity of impact. Furthermore, data loss of PII and PHI which can result in a burn in the pocket to healthcare organisations.
Medical records contain sensitive PHI that cannot be easily changed or deleted. In fact, PHI is extremely valuable information that can be sold for as much as $363 on the black market. PHI that is valuable to cyber criminals include:
Social Security Number
It is not hard to see why there is a lack of trust from patients as well as healthcare providers. Cyber attacks on healthcare organisations around the world are on the rise and its impacts may be severe. For us to continue on our quest for efficiency and innovation, we need to take appropriate measures to secure the data from patients, doctors and caregivers by outsmarting those with ill intentions. Not an easy task, but the benefits are certain to be worth it.
But not all risks are cyber related. Seven years ago, the website healthcare.gov promised to provide health insurance exchanges operated under the Affordable Care Act. However, it's anticipated launch was marred by serious technological problems, making it difficult for the public to sign up for health insurance and crashing the site after just 2 hours. This all taking place on a website that incurred an overall cost of $500 million, prior to launch. Looking at the failure of the initiative, it's clear that the challenges are not always limited to cyber threats, but can also boil down to sheer technology infrastructure. Technology has come far in 7 years, but failures like this only increase distrust in digital healthcare systems. It will be interesting to see the trends in a post-pandemic world, will organisations go back to not caring and underinvesting? What will be prioritised?
Regulations that aim to deal with the threat: HIPAA and NIST
Complying with regulations that protect PHI requires a combination of robust privacy and security strategies. The Health Insurance Portability and Accountability Act (HIPAA) sets the baseline for patient data protection. HIPAA applies to digital health companies — whether they contract as a vendor (a business associate) or a healthcare provider (a covered entity). Third-parties, especially those that handle PHI, have the potential of exposing health companies to data breaches and non-compliance. Outside of HIPAA, the National Institute of Standards and Technology (NIST) published a helpful guide titled: Framework for Improving Critical Infrastructure Cybersecurity.
NIST’s framework focuses on using business drivers to guide cybersecurity activities, and considering cybersecurity risks as part of the organisation’s risk management process. The framework consists of three parts: Framework Core, Framework Profile, and Framework Implementation Tiers.
NIST’s Framework is a set of cybersecurity guidelines that are common to most organisations with a critical infrastructure. Ultimately, the Framework Implementation Tiers help the organisation view and understand how it aligns its cybersecurity activities with its needs, tolerances, and resources.
Both HIPAA’s Security Rule and NIST’s Framework can greatly reduce a healthcare organisation or provider's cybersecurity risks. The more budget and resources are diverted to IT security personnel, the better the organisation is likely to fare when cyber threats inevitably come along.
Approaches for the Healthcare Ecosytem
Finding the balance between innovation and protection is incredibly important. To achieve this there are tools and security practices that we can implement to forge a safer digital healthcare ecosystem. After all, there are great benefits when done right. Some key practices that healthcare organisations should adopt to enhance digital trust are:
Cloud Security Compliance Assurance Program
3rd Party Risk Assessment & Compliance Program
Secure by Design
24/7 Managed Detection & Response Services
Detection, Monitoring and Responding through Technology
Regular Cyber Resilience Assessments
COVID might be the catalyst that changes not only mindsets, but investment decisions for the healthcare industry. We are at an inflection point, where digital processes and efficiency gains can no longer be ignored. Looking ahead, new big data technology might be able to bridge the gap between privacy and better data insights through anonymisation and pseudonymisation layers. Innovation is pushing us forward, success depends on how we respond.
Interested in learning more about Alyne's solution for compliance with HIPAA and NIST? Why not schedule a meeting with an Alyne expert here.