By Arshad Noor
Digital transformation has brought about unprecedented opportunities for the healthcare industry, along with unforeseen pitfalls. Healthcare providers subscribe to the notion of
“duty of care,” but what does it mean to use reasonable care when you are dealing with
safeguarding sensitive protected health information?
Data at risk
It’s not a lack of cybersecurity guidelines that has led to ongoing data security and privacy incidents in the healthcare industry. Healthcare has experienced large data breaches despite being regulated in the U.S. by the Centers for Medicare & Medicaid Services and federal law – the Health Insurance Portability & Accountability Act – which mandate the security and privacy of sensitive healthcare data.
Healthcare providers have not only a professional and ethical responsibility to patients but a fiduciary responsibility in protecting patient data as well. Medical professionals have always been obliged to “do no harm” and a responsibility to care for the patient’s health first. With the age of digital transformation in the healthcare field, better patient care backed by streamlined data and operations is available. While these technologies improve patient outcomes and lower costs, they come with compliance and security risks.
A healthcare breach has the potential to not only affect patient care and the trustworthiness of the healthcare organization but can go so far as to endanger the patient’s life if the integrity of data produced by medical equipment or records cannot be trusted. Consequently, it is vital that healthcare professionals understand the value of the data they have access to.
Why data breaches keep happening
One would think that a healthcare provider using encryption to protect their patients’ data in the cloud might satisfy the duty of care principle. However, the cloud service provider that has control over encryption keys can decrypt those encrypted documents at any time.
But that’s not the worst of it. Healthcare providers are still using passwords to authenticate patients and healthcare professionals to web application. This is the oldest and weakest authentication technology on the planet to protect access to information when stronger ones are available – sometimes at little or no cost to the healthcare provider who owns the application.
Cloud provider encryption and passwords are a recipe for potential disaster. This creates
a situation that allows confidential information to be breached by attackers, and neither the healthcare professional nor their patient may be aware that the information has been breached. In many cases, until the news breaks to the public, the healthcare providers do not often know they’ve been breached. In such a situation, one can argue that the healthcare providers have failed in their duty by not employing readily available tools and mechanisms that have significantly higher probability of protecting their patients’ information.
Missing the target
Like many businesses, healthcare providers assume that they just need strong network security tools to prevent breaches. Much as the Department of Transportation cannot prevent accidental traffic deaths by spending more on monitoring systems for its network of highways, spending more money on IT network security is a waste of money. The focus should be on protecting the sensitive data itself.
The reason behind many data breaches is the ill-informed notion that it is easier to protect the network perimeter rather than actually protect sensitive data in the application. As a result, hospitals over-invest in network-based security tools – firewalls, anti-virus, malware detection, intrusion prevention, etc. – rather than invest in the control mechanisms that provide the highest level of data protection.
To ensure the privacy and security of patients’ data, healthcare providers can take these
- Encrypt data at the application level, which is the source where information is captured. This is the surest long-term method for protecting sensitive data because the application layer is the highest layer in the technology stack. This makes it the most logical place to protect data, since it offers the attacker the smallest target. In addition, once data leaves the application layer, it is protected no matter where it goes – and it must return there to be decrypted.
- Do away with passwords and any other kind of shared-secret authentication methods being used to authenticate humans to applications. Adopt the FIDO Alliance’s WebAuthn as the authentication standard and do not delegate the authentication to a third-party Identity Provider. New privacy laws such as the General Data Protection Regulation and California Consumer Privacy Act create new liabilities for healthcare providers if the Business Associate Agreement does not protect the healthcare provider.
- Maintain and uphold the safety, privacy and reliability of data stored inside electronic health records and databases.
An expanded definition of patient care
In the healthcare industry, failing to live up to the duty of care is known as a breach of duty. In the digital age, that breach of duty can result in a breach of sensitive data. Healthcare providers are bound by law and by the trust their patients have placed in them to make every effort to keep their information private and secure. This means they can no longer rely on weak authentication, cloud providers or network security tools to protect their networks. Instead, care providers must improve its data security efforts by encrypting at the application level and adopting stronger authentication. The recommendations above area starting point toward giving patients the highest possible digital care.
About the author:
Arshad Noor is the CTO of StrongKey, a Silicon Valley- and Durham, NC-based company focused on securing data through key management, strong authentication, encryption and digital signatures. He has 32 years of experience in the Information Technology sector, of which, more than 19 were devoted to designing and building key-management infrastructures for dozens of mission-critical environments around the world. He has been published in periodicals and journals, as well as authored XML-based protocols for two Technical Committees at OASIS and represents StrongKey at the FIDO Alliance. He is also a frequent speaker at forums such as RSA, ISACA, OWASP and the ISSE. He can be reached at firstname.lastname@example.org.