Healthcare providers have begun moving their systems to digital, cloud-connected platforms. It is an exercise that benefits both healthcare providers and their patients.
When providers have access to a patient’s health information via Electronic Health Records (EHRs), they can make informed decisions and take the best course of action for the patient. The patient is confident that the healthcare provider has the correct data in an emergency or while going in for surgery.
Digital healthcare platforms ensure the best possible care for patients when they most need it. But more than just delivering the proper care, your platforms must have adequate privacy policies and security systems to ensure patient data remains private as new systems, services, and devices connect, exchange, and store personal information.
Why do attackers target healthcare data?
The monetary value of patient information
Personal information is valuable because criminals can use it for identity theft and impersonation, blackmail, or sale on black markets. Similarly to how AI makes inferences about a patient’s health status, criminals can combine disparate sources of stolen information – such as credit cards, bank records, health information, phone records, and travel history – to build comprehensive models of a person’s life. This kind of information is extremely valuable to the right people.
As healthcare providers collect and store more digital patient data than ever before, cyber criminals target it due to the sheer amount available and the inconsistent and often outdated security models within healthcare organisations.
Indeed, security and convenience do not go hand in hand. Some companies seek to greatly improve the security experience through systems such as biometric authentication, but patient care remains the priority of healthcare organisations. So, swift and straightforward access to patient data is critical, and security steps slow down the process. A practical example of this is where everyone in a small to medium-sized health clinic stays logged into the patient management systems as ‘Admin’, and this system has some form of internet connection.
Internet-connected medical devices are easier to access
Every connected device is now a potential attack vector, and nearly everything is connected. Older connected devices were likely not designed with cyber security in mind as they pre-date the always-connected era. And while these devices probably do not store personally identifiable information, they offer a gateway into the systems where organisations store such data.
Many people also now leverage wearables to record and view health information. Wearables deliver excellent benefits for patients and providers alike, but they also become a gateway through which cyber criminals can enter. Wearable devices, such as smartwatches, are easier to access than traditional medical equipment, making them a prime target for hackers.
Telehealth and remote work
Telehealth and remote work have also increased the potential for data breaches. Many doctors chose telehealth during the pandemic, but so much data moving between devices increases the attack surface. The privacy risks increase further when people leverage cameras.
To make matters worse, home network security is usually less stringent than within the healthcare organisation. So, when doctors conduct telehealth sessions from home and access patient records, the risk of a cyber security breach increases.
For example, a hacker could exploit a vulnerability in a domestic modem, router or another device the doctor leverages in their home network. When criminals have access to this device, they might be able to view the information exchanged between the patient and doctor, take control of the cameras and microphone or log into the patient health records system used by the doctor.
Why are we making healthcare data more accessible?
Making healthcare data more accessible, especially for patients, is worthwhile despite the risks.
Healthcare technology providers improve accessibility to enhance the quality of care. By providing patients with access to their data, providers can help them understand their health and make informed decisions about their treatment. Likewise, doctors can use a holistic view of patient data to better diagnose and treat diseases.
Wearable devices are a key driver in the case of healthcare interoperability because of the benefits provided. Doctors can discharge patients from the hospital and then measure their recovery from afar with on-demand and near real-time updates. A wearable device might catch a health issue early on and tell the wearer they should see a doctor or notify the doctor directly.
How you can better protect patient data
You need to take data privacy seriously by securing your network infrastructure, checking, patching and monitoring your devices, and maintaining security protocols.
You can begin with simple tasks like ensuring password policies are adhered to and any new equipment purchased supports current security standards. You can then consider standard cloud infrastructure that offers rigorous security compliance for cloud hosting. You should also work with specialists who understand digital and physical security threats and offer fit-for-purpose solutions.
Developing and implementing software solutions with privacy in mind
Connected and interoperable systems must comply with the relevant privacy standards in a jurisdiction, such as HIPAA (1996) in the US and GDPR (2018) in the EU.
HIPAA mandates national standards to protect sensitive patient health information from being disclosed without the patient’s knowledge or consent. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement this mandate.
In Australia, we have the Privacy Act 1988. In healthcare, the Privacy Act covers a patient’s health issues and their private information – which is any data that could potentially identify an individual. This data includes, but is not limited to:
- Contact information
- Medical examination results
- Previous or ongoing prescriptions
- Minutes from patient-to-doctor conversations
- Medicare numbers
- Facility admission/discharge data
Healthcare organisations must comply with these standards by meeting certain technical objectives, such as data encryption in transit and data at rest, with approved encryption algorithms and schemes proven via audit and documentation.
Software solution guidelines in Australia
When developing software solutions in healthcare, the first step is to identify what you must protect. For example, if criminals cannot obtain personally identifiable information by intercepting data in transit through a network, it may not be worth taking extra steps to protect that data. However, you may need a solution to protect the network traffic so criminals cannot inject fake data into the stream, which might cause incorrect diagnoses. You need to consider the risks at every step of development and deployment.
The Australian Federal Government’s Digital Transformation Agency recently released its Secure Cloud Strategy update in October 2021. The strategy document outlines seven key Cloud Principles:
- Make risk-based decisions when applying cloud security
- Design services for the cloud
- Use public cloud services by default
- Use as much of the cloud as possible
- Avoid customisation and use cloud services as they come
- Take full advantage of cloud automation practices,
- Monitor the health and usage of cloud healthcare services in real-time
The Australian Cyber Security Centre guidelines are also good resources, especially for software development of internet-facing services and databases.
The Consent Resource in FHIR
The Fast Healthcare Interoperability Resources (FHIR) standard has the Consent resource to manage consent given by patients to share their data. The Consent resource is a defined mechanism for capturing the permission given, date, time, metadata, information transferred, etc.
Ideally, any new software implementation built on the FHIR standards should implement the Consent resource when dealing with patient information. Realistically, however, unless the government requires this level of privacy protection, implementing it becomes another expensive and complicated exercise relegated to an afterthought.
Healthcare providers need to be vigilant to protect patient data. The most important part is to consider privacy a first-class objective of the project and then identify the necessary security measures to protect patient information.
Fluffy Spider supports patient privacy and interoperability
We develop integrated health solutions and standards-based integrated software systems for connected, interoperable digital healthcare. Our solutions manage the electronic health information journey from devices to the cloud and medical record systems.
We implement solutions in the cloud and the clinic to make health data secure and available when and where you need it. Our experienced team can bring together your devices, telehealth systems, EHRs and other patient management software to ensure each platform works together and delivers frictionless health.
High-quality commercial software requires a dedicated team with relevant experience. We can work with you through the entire process, from concept to commercialisation. Visit our Healthcare Integration Solutions page to learn more about our capabilities and solutions.