[BreachExchange] Why Innovative Health IT Designs Must Consider Security First
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Mar 27 18:59:24 EDT 2018
https://www.healthitoutcomes.com/doc/why-innovative-health-it-designs-must-consider-security-first-0001
Thanks to advancements in patient-provider communications and mobile
capabilities, today’s digitally inclined patients are already using
technology to transform their medical care experience — and the expectation
around ease-of-interaction will only continue to rise from here.
As proof of telehealth’s growing impact, the 2017 Consumer Telehealth Index
Survey reported that 50 million U.S. consumers would switch medical
providers based on whether their doctor offered telehealth or not. Compared
to just 17 million in 2015, this staggering jump illustrates the powerful
role health IT already has on the direction of the industry.
While recent innovations hold strong promise for improving the healthcare
system, telehealth's potential does not come without risk, and perhaps the
most significant risk is the security of patient information.
While telehealth solutions have many obvious advantages, such as expanding
access to quality care, private data has the potential for exposure any
time it’s circulated electronically — which, for telehealth, is always. For
instance, consider the following scenario:
John is being treated for a life-threatening illness. He communicates with
his doctor about the status of his condition via email every week since his
provider is remote. During the course of these interactions, John’s
unsecured email is hacked and his identity is stolen based on the sensitive
information contained in those notes between him and his doctor. Although
John can receive quality care from a specialist located thousands of miles
away in ways that didn’t exist two decades ago, his protected health
information (PHI) and his identity are also put at risk in previously
unimaginable ways.
Scenarios like John’s are (unfortunately) all too common today and
illustrate a stark need for the highest level of security in groundbreaking
healthcare innovation.
In order to ensure that these digital solutions maintain proper levels of
security for sensitive patient data, they must be designed with security in
mind first — not added on as a final precaution.
Shed The Illusion That Protection Occurs At The Border
Most legacy IT systems were built on the concept that security is provided
at the borders — either at the firewall level or by monitoring access to
computers. However, as health IT designs continue to support large
quantities of data in the cloud, it’s no longer enough to rely on
protective measures that occur after the initial design phase. Although
many improvements have been made to legacy IT systems (namely, the creation
of virtual private networks), the risk of an attack has become too great to
rely solely on the border protection of data.
Highlighting the severity of this risk, the HIPAA Journal found in its
report on the Largest Healthcare Data Breaches of 2017 that more than 14.6
million individuals were impacted last year alone. As a result, telehealth
solutions today must have security at their very core, from inception to
the building process. Healthcare IT departments can no longer assume that
security efforts occurring post-design of the solution can guarantee the
safety of patient data.
When applications are designed with security at their core, authentication
of all endpoints and encryption of all content and media are handled at the
application layer — both in transit and at rest.
Access to data is controlled with detailed audit trails for any type of
access, whether it be user, customer, vendor or even IT administrator. In
today’s security ecosystem, telehealth solutions require controlled access
at the physical, network and applications layers to ensure the complete
protection of sensitive patient data.
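One way the principle above can be put into practice at the application layer, as an added Python example that is not from the article: every attempt to reach a PHI record, including an IT administrator's and including attempts that are denied, is checked against a deny-by-default policy and recorded in a hash-chained audit trail, so that later verification shows whether the trail is intact or has been altered. The roles, the `POLICY` table and the `PhiStore` class are assumptions constructed for this example; encryption of the stored records is a separate concern not shown here.

```python
import hashlib
import json

# Deny-by-default policy (constructed for this example): a (role, action)
# pair missing here is refused; the IT administrator gets no PHI read scope.
POLICY = {
    ("patient", "read"): "own",         # patients read only their own record
    ("clinician", "read"): "assigned",  # clinicians reach assigned patients
    ("clinician", "write"): "assigned",
    ("it_admin", "read"): "none",       # system upkeep does not imply reading PHI
}

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class PhiStore:
    def __init__(self, assignments):
        self._records = {}
        self._assigned = assignments   # clinician id -> set of patient ids
        self.audit = []                # hash-chained log of every attempt
        self._last_hash = "0" * 64     # genesis link of the chain
    def _log(self, actor, role, action, patient_id, allowed):
        # Each entry commits to its predecessor, so editing or deleting an
        # entry afterwards breaks the chain and is caught by verify_audit().
        entry = {"actor": actor, "role": role, "action": action,
                 "patient": patient_id, "allowed": allowed, "prev": self._last_hash}
        entry["hash"] = self._last_hash = _digest(entry)
        self.audit.append(entry)
    def _permitted(self, actor, role, action, patient_id):
        scope = POLICY.get((role, action))  # None for unlisted pairs -> denied
        return (scope == "own" and actor == patient_id) or (
            scope == "assigned" and patient_id in self._assigned.get(actor, set()))
    def access(self, actor, role, action, patient_id, data=None):
        ok = self._permitted(actor, role, action, patient_id)
        self._log(actor, role, action, patient_id, ok)  # logged even when denied
        if not ok:
            raise PermissionError(f"{role} {actor} may not {action} {patient_id}")
        if action == "write":
            self._records[patient_id] = data
            return None
        return self._records.get(patient_id)
    def verify_audit(self):
        """Recompute the chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```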
Protection From The Inside Out
Organizations now have an increasing need to protect themselves not only
from hackers outside the organization but also from threats within it, as
"insiders" can pose as much of a security threat as "outsiders." A 2017
HIMSS Analytics study, for example, reported that 78 percent of respondents
identified employee security awareness/culture as the biggest concern in
terms of security threat exposure.
Insiders (employees, vendors and others who may have access to sensitive
data) hold a level of access that must be controlled and monitored. Without
controls on insiders who can reach protected health information (PHI),
organizations are just as exposed to a security breach as they would be
without protecting data from outsiders.
For example, many organizations today have Bring Your Own Device (BYOD)
policies for employees. While these policies provide a flexible workplace,
they also introduce a new level of risk to an organization. Security must
be considered in these scenarios to prevent employee error or negligence
contributing to a security breach. Proper and consistent education and
training for employees on security matters is key to minimizing this risk.
While the current digital transformation has produced wonderful innovations
in the health IT space, the need for security to be at the heart of the
design of these solutions is crucial. By shedding the assumption that
protection of data will happen at the borders of a business, and taking
measures to protect it from the inside out, IT departments of healthcare
organizations can better safeguard patient populations against a security
breach.
Health IT needs to continue to innovate beyond current boundaries for the
sake of its patients, but innovation must always be built with the
patients’ cybersecurity in mind first — otherwise the technology will
ultimately do more harm than good.