In order to keep pace with growing demand, the healthcare industry has come under pressure to provide faster, better, and more accessible care by adopting new technologies while complying with industry mandates like the Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996 during the Clinton era.
The problem of medical data loss is a far-reaching problem that impacts not only organizations that are victims of these breaches, but also doctor-patient relationships. Protected health information (PHI) is personally identifiable health information collected from an individual, and covered under one of the state, federal or international data breach disclosure laws.
The problem of stolen medical information is more pervasive than previously thought, according to Verizon’s 2015 Protected Health Information Data Breach Report. The study found that many organizations outside the health sector don’t even know they hold this type of data, which includes PHI such as employee records (including workers’ compensation claims) and information for wellness programs. Other sectors where PHI breaches occur include the public, financial, retail, and educational sectors.
It has also been found that people are withholding information — sometimes critical information — from their healthcare providers because they are afraid that their confidentiality will be breached. This can have far-reaching implications, not only for the treatment of a particular patient, but for the entire public health sector as well.
Why Protection?
The astonishing number of data breaches and attacks on healthcare data has forced organizations to look for stronger methods of data security at various levels, both physical and application.
According to a recent study by Symantec Corporation, approximately 39 percent of breaches in 2015 occurred in the health services sector. It also found that ransomware and tax fraud rose as increasingly sophisticated attack tactics were used by organized criminals with extensive resources. These criminals run professional operations and adopt business best practices to exploit the loopholes in the security of ePHI: they first identify the vulnerabilities and then exploit the weaknesses of unsecured systems. The stolen health records are then sold on the black market for ten times the value of a stolen credit card.
Kevin Haley, director, Symantec Security Response, said: “Advanced criminal attack groups now echo the skillsets of nation-state attackers. They have extensive resources and a highly skilled technical staff that operate with such efficiency that they maintain normal business hours and even take the weekends and holidays off.”
SaaS applications
If healthcare payers and providers are using Software-as-a-Service (SaaS) solutions to provide better service to their patients and customers, data security becomes as critical as their business. This points to the need for the healthcare industry to shift to cloud-based solutions to maintain electronic Protected Health Information (ePHI). Considering the sensitivity of the information, this has become more important now than ever before.
Cloud as a solution
Public cloud services are cost-efficient because the infrastructure often involves shared multitenant environments, in which consumers share components and resources with other consumers who are often unknown to them. However, this model carries many associated risks. It gives one consumer a chance to access the data of another, and there is even a possibility that data could be commingled.
Cloud services allow data to be stored in many locations as part of a Business Continuity Plan (BCP). This can be beneficial in case of an emergency such as a power outage, fire, system failure or natural disaster. If data is made redundant or backed up in several locations, it provides reassurance that critical business operations will not be interrupted.
However, consumers that do not know where their data resides lose control of ePHI at another level. Knowing where their data is located is essential for knowing which laws, rules and regulations must be complied with.
Bring Your Own Device (BYOD) policies also put data at risk if devices are lost or stolen. Logging on to insecure internet connections can also put business and patient information at risk. Storing sensitive data on unsecured local devices like laptops, tablets or hard drives can also expose unencrypted information at the source.
Such startling statistics make it obvious that large numbers of data breaches and cyber-attacks can occur only if the applications and the storage of data are not secure. Also, every employee involved should be given a unique username and password and must be trained on how to keep login credentials secure, in addition to training sessions on the Privacy and Security Rules.
Transferring data to the cloud comes with various issues that complicate HIPAA compliance for covered entities, Business Associates (BAs), and cloud providers: control, access, availability, shared multitenant environments, incident readiness and response, and data protection. Although storage of ePHI in the cloud has many benefits, consumers and cloud providers must be aware of how each of these issues affects HIPAA and HITECH compliance.
The need of the hour is for all the involved parties to come together and take responsibility for data security from their end to the next level. It is better to invest in securing SaaS applications and medical data than to pay huge fines, which could run into millions of dollars.
Authored by Suresh Venkatachari, Chairman & CEO, 8K Miles Software Services