Two truths and a lie about health data security

Healthcare is incredibly personal, so there is both an ethical and legal obligation to keep consumer health information safe and secure.

Many Americans have heard of, or read of, health records being stolen or compromised. Only 20 percent of Americans completely trust organizations to maintain the privacy of their data, and more than two-thirds believe that existing laws do not provide adequate protection online.

Furthermore, the financial implications of a data breach in healthcare are significant. In 2018, the average total cost for a breached U.S. healthcare organization was $3.86 million, up 6.4 percent from 2017, according to a study from Ponemon. According to a study by IBM and the Ponemon Institute, healthcare organizations have the highest costs associated with data breaches - more than three times other industries at $408 per stolen record.

With the now unfortunate reality that healthcare data breaches and ransomware attacks are on the rise, “viral infection” has a new definition in healthcare. An organization’s ability to protect consumers from being hacked is becoming as important as protecting them from an illness. So, what should organizations keep in mind when setting out to protect data? I outlined two truths and a lie about health data security.

TRUTH #1: You Will Be Hacked

In the digital world we live in, it’s no longer a matter of if you will be hacked, but when and how quickly you can detect that attack and shield your data from it. Hackers are only becoming savvier and more malicious, so a healthcare organization believing that it will not experience a breach of its security and privacy protections because of its existing protection software is a dangerous case of denial. However, I’ve observed that the healthcare industry has continued to erroneously focus on a security model that primarily emphasizes prevention rather than detection. That has put the industry in a position of weakness as it relates to the implementation of detective controls.

Healthcare organizations must strike a balance between prevention and detection: proactively build firewalls of protection, and also implement detective controls and response mechanisms. The key is knowing when a breach has occurred, obtaining that knowledge in real time, and then having pre-defined plans for responding to the incident and containing or terminating it. The speed at which a breach is identified and contained is directly related to costs. The aforementioned IBM and Ponemon report found that the average time from breach to discovery was 197 days, followed by an additional 69 days to contain the breach. That is nearly three-quarters of a year to realize data has been compromised, and to respond to and contain it. By failing to identify a data breach quickly, a company could increase costs by 30 percent. This is why monitoring (detection) and response are critical.

TRUTH #2: Being HIPAA Compliant is Not Enough

The HIPAA and HITECH Acts establish only minimum requirements for compliance with the Security and Privacy Rules, with the intent of these regulations being to define a common baseline across the healthcare industry. These regulations do not set forth best operational practices for ensuring the protection of consumer data, nor do they impart a step-by-step security and privacy framework. Such a framework is what establishes best practices for the dizzying array of computers and devices that consumers use today to interact with their health plans, doctors, hospitals and pharmacies.

Like most things that are important to us, we do not usually choose a product, service or provider based on whether they meet minimum requirements. We generally want the most experienced pilot flying our plane, the most experienced physician providing our care, the most experienced teacher, mechanic and so on. To put it another way, would you trust your money to a bank that has only basic security equipment? The same logic applies to the protection of personal healthcare data.

While complying with HIPAA is required by federal law, we should – and must – do more to protect the personal healthcare information entrusted to our organizations. In the healthcare industry, we are fortunate that the best practices in information protection have been combined into a single standard, promulgated by the HITRUST Alliance. This robust standard holds HITRUST Certified entities to over 500 individual controls, a maturity rating for their compliance with each and is the gold seal for protection of healthcare information. It’s not enough to be minimally compliant. To earn and maintain consumer trust, we must – as an industry – aim higher.

LIE: Healthcare Data Should be Deleted

As a society, we recently learned about the impact of our personal data being publicly available (think Cambridge Analytica). But simply eliminating personal information from view – especially healthcare information – could come at too great a cost. It would impede the ability of care providers and health organizations to have a holistic view of a consumer’s health history, status and lifestyle. This type of intel not only informs treatment and recommendations but also identifies risks and prevention opportunities. Who benefits from withholding information from providers when they are making key decisions about our care? This is applicable not only to episodic care but to the customized programming of health and wellbeing designed to help consumers achieve their optimal health.

This past May, the European Union’s General Data Protection Regulation (GDPR) introduced the concepts of data anonymization and pseudonymization. Anonymization in this sense means the removal of all identifying data that could ever be used to associate a discrete individual with that data. This differs from pseudonymization, in which the information necessary to associate the transaction with an individual is segregated from the transaction data and held separately – allowing the organization to attribute it to a person if it is authorized to do so.
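To make the distinction concrete, here is an added illustration (not code from the author or from Welltok) of the two techniques on a constructed health record: anonymization strips the identifiers for good, while pseudonymization replaces them with a keyed token and parks the identity in a separate vault that only an authorized caller can consult. The record, the field names and the demo key are all assumptions made for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample record and key; not real patient data or a production key.
RECORD = {"name": "Jane Doe", "dob": "1980-04-12",
          "diagnosis": "Type 2 diabetes", "a1c": 7.9}
IDENTIFIERS = ("name", "dob")
DEMO_KEY = b"demo-only-pseudonym-key"


def anonymize(record: dict) -> dict:
    """Irreversibly drop direct identifiers; nothing is kept that could link back."""
    return {k: v for k, v in record.items() if k not in IDENTIFIERS}


def pseudonymize(record: dict, vault: Dict[str, dict], key: bytes) -> dict:
    """Replace identifiers with a keyed token and store the identity separately.

    The token is an HMAC of the identifiers, so the same person gets the same
    token across encounters (records stay linkable), but without the key and the
    vault the token reveals nothing about who the person is.
    """
    identity = {k: record[k] for k in IDENTIFIERS}
    material = "|".join(identity[k] for k in IDENTIFIERS).encode()
    token = hmac.new(key, material, hashlib.sha256).hexdigest()[:16]
    vault[token] = identity            # identity lives only in the segregated vault
    return {"pseudonym": token, **anonymize(record)}


def reidentify(record: dict, vault: Dict[str, dict], authorized: bool) -> Optional[dict]:
    """Re-attach the identity, but only for an authorized caller and only if a
    pseudonym exists; an anonymized record cannot be re-identified at all."""
    token = record.get("pseudonym")
    if not authorized or token is None or token not in vault:
        return None
    return {**vault[token], **{k: v for k, v in record.items() if k != "pseudonym"}}


if __name__ == "__main__":
    vault: Dict[str, dict] = {}
    pseudo = pseudonymize(RECORD, vault, DEMO_KEY)
    print("pseudonymized:", pseudo)
    print("anonymized:", anonymize(RECORD))
    print("re-identified (authorized):", reidentify(pseudo, vault, True))
```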

These concepts of GDPR manifest in a right to “be forgotten.” This right allows anyone whose data is subject to GDPR to require the data steward to fully erase the individual’s data. However, in the realm of healthcare, this “forgotten” data could prove critical to the effective delivery of health goods and services. While consumers may want personal healthcare information held in an anonymized form for the sake of its protection, they also need to understand and weigh the value of it being associated with them when and where it is relevant.

Bad actors appear in more than B-rated movies. Organizations must be alert and prepared to identify and contain data breaches. Ensuring the protection of healthcare information is the responsibility of the entire organization, not just an individual or team. We can all be good stewards of personal healthcare information by understanding the risks, following protocols and upholding the highest standards of data security and protection.

David MacLeod is the Senior Vice President, Chief Information Officer and Enterprise CISO at Welltok, an enterprise Software as a Service company for consumer health.
