Where a loss of data access means inconvenience or disruption for most businesses, in the healthcare sector the result can range from poor medical treatment to loss of human life.
What follows is an overview of the health sector's data availability, integrity and confidentiality requirements.
For healthcare providers, errors or unauthorised changes to medical records can compromise patient treatment and care, exposing the provider to civil or criminal claims. Records can also be deliberately altered to cover up unauthorised treatment: in the UK, the general practitioner Harold Shipman, convicted in 2000 of murdering fifteen of his patients, had altered their computerised records after the fact to invent a medical history consistent with their deaths.
Data integrity can also be compromised through the accidental alteration of records, for example if a treatment is wrongly recorded in a file or a change in medication dose is incorrectly noted. An altered record can lead to incorrect treatment that harms or even kills the patient.
Even though it ranks third after availability and integrity, data confidentiality is vital for healthcare providers, because medical records contain an individual's most private information. Medical records are valuable enough that they reportedly sell for more than credit card details on dark web markets.
Misuse of patient records can have significant ramifications, from identity theft to more nefarious efforts such as extortion. Healthcare providers also hold financial and administrative data, whose misuse could take the form of fraudulent transactions and unauthorised payments, so keeping it secure must also be a priority.
Given the sensitivity of health information, Australian organisations must adhere to the strict provisions of the Privacy Act 1988, including obligations relating to consent and use. The Notifiable Data Breaches scheme (mandatory data breach notification), which came into effect on 22 February 2018, adds further responsibilities: providers that do not take reasonable steps to hold personal information securely face notification duties, reputational damage and fines.
The Security Challenge
Despite the need for data availability, integrity and confidentiality in healthcare, many providers are hesitant to undertake routine security activities, such as vulnerability scanning and patching, because they cannot tolerate downtime in their systems. The concern is not baseless: an aggressive network scan can crash a fragile embedded medical device, and a patch applied without the manufacturer's validation can leave the device unsupported by its vendor.
Even a planned operating-system upgrade requires comprehensive testing to ensure the device continues to operate as intended, and that testing itself takes the device out of service, disrupting treatment schedules, something providers constantly try to avoid.
The result is a large installed base of outdated systems and a reliance on end-of-life software, with many medical devices still running Windows XP. Such devices may have a working lifespan of 15 to 20 years, far longer than the support period offered by software vendors, so known vulnerabilities stay unpatched for years.
The security challenge is made more complex by the fact that there are so many different types of medical devices in use. Securing a fleet of identical PCs is one thing, but securing a range of different medical scanners, X-ray machines, heart monitors and computerised drips is quite another.
A Different Approach
Faced with these challenges, healthcare providers need ways to improve the security of data, systems and devices. One is to use recognised regulatory frameworks as a guide to which security measures should be implemented. The National eHealth Security and Access Framework (NESAF) is a blueprint based on international standards and tailored for Australian healthcare organisations. There are also guidelines relating to the Federal Government's My Health Record initiative that can improve the security of stored patient data.
When it comes to the technical aspects of IT and data security, the same practices that work in other sectors will also work for healthcare providers. It’s simply a matter of keeping the sector’s specific challenges in mind when selecting security tools, services and strategies.
Networks should be segmented so that medical devices sit in their own zones, reachable only from the systems that need them (the PACS server, a patch or vendor jump host) on the specific ports they need, with everything else dropped by default. Older devices that cannot be patched depend on these compensating controls: a worm that can reach an unpatched Windows XP device over SMB from a staff workstation will compromise it. Patch management tools are also needed that deploy updates without disrupting device functioning, which in practice means testing in a staging environment and scheduling around clinical use. Where possible, these tasks should be automated so that the latest patches are deployed as quickly as each device allows.
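As an added example, not code from the article, here is a small Python model of the segmentation policy described above: a default-deny allowlist between a staff VLAN, the clinical servers, the modality (medical-device) VLAN and a management jump host, plus a renderer that emits the same policy as an nftables forward chain. The addresses, zone names, host roles and sample flows are constructed for illustration and are not from any real network.

```python
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed addressing plan for a small hospital network (example values).
# Each zone is a separate VLAN routed through a filtering device.
ZONES = {
    "corporate": ip_network("10.10.0.0/16"),   # staff workstations: email, browsing
    "clinical": ip_network("10.20.0.0/16"),    # EHR, PACS and NTP servers
    "modalities": ip_network("10.30.0.0/24"),  # scanners, X-ray, monitors, legacy XP devices
    "management": ip_network("10.40.0.0/24"),  # patch and vendor jump hosts
}
PACS_SERVER = ip_address("10.20.5.10")
NTP_SERVER = ip_address("10.20.5.20")
JUMP_HOST = ip_address("10.40.0.5")

# Explicit allowlist between zones; first match wins, everything else is dropped.
# Entries are (source, destination, protocol, destination port); source and
# destination are a zone name or a single host address.
ALLOW = [
    ("modalities", PACS_SERVER, "tcp", 104),  # DICOM: modality sends studies to PACS
    (PACS_SERVER, "modalities", "tcp", 104),  # DICOM: PACS queries a modality
    ("modalities", NTP_SERVER, "udp", 123),   # NTP: correct timestamps on studies
    (JUMP_HOST, "modalities", "tcp", 3389),   # vendor/patch access only from the jump host
    ("corporate", "clinical", "tcp", 443),    # staff to the EHR web front end
]


def _matches(spec, ip):
    """True if ip is the host, or lies inside the zone, named by spec."""
    if isinstance(spec, IPv4Address):
        return ip == spec
    return ip in ZONES[spec]


def is_allowed(src, dst, proto, dport):
    """Evaluate one new connection against ALLOW; anything unmatched is denied."""
    s, d = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, rule_proto, rule_port in ALLOW:
        if (_matches(rule_src, s) and _matches(rule_dst, d)
                and rule_proto == proto and rule_port == dport):
            return True
    return False


def render_nftables():
    """Render ALLOW as an nftables forward chain whose default policy is drop."""
    def cidr(spec):
        return str(spec) if isinstance(spec, IPv4Address) else str(ZONES[spec])
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for s, d, proto, port in ALLOW:
        lines.append(f"    ip saddr {cidr(s)} ip daddr {cidr(d)} {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed sample flows (src, dst, proto, dport) a reviewer would want to see decided.
SAMPLE_FLOWS = [
    ("10.10.3.44", "10.30.0.17", "tcp", 445),   # workstation -> X-ray over SMB: the path a worm takes
    ("10.30.0.17", "10.20.5.10", "tcp", 104),   # X-ray -> PACS, DICOM
    ("10.20.5.10", "10.30.0.17", "tcp", 104),   # PACS -> X-ray, DICOM
    ("10.30.0.17", "203.0.113.9", "tcp", 443),  # legacy device -> internet (TEST-NET-3 address)
    ("10.10.3.44", "10.30.0.17", "tcp", 3389),  # workstation -> X-ray RDP, bypassing the jump host
    ("10.40.0.5", "10.30.0.17", "tcp", 3389),   # jump host -> X-ray RDP
]


def audit(flows=SAMPLE_FLOWS):
    """Return (flow, allowed) for each flow so the policy can be reviewed."""
    return [(flow, is_allowed(*flow)) for flow in flows]


if __name__ == "__main__":
    for flow, ok in audit():
        print("ALLOW" if ok else "DROP ", *flow)
    print(render_nftables())
```

The rendered chain is the shape a practitioner would load with `nft -f`; the `ct state established,related accept` line lets the return half of each allowed connection through without opening anything in the reverse direction. A legacy device that cannot be patched is still exposed to the PACS server and the jump host, so those two systems become the ones that must be kept clean.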
Information security will only become more important for healthcare providers, but by following recognised frameworks and putting the necessary tools and processes in place they can be confident that critical data remains accessible while its integrity and confidentiality are retained at all times.
There’s a global trend to enact laws compelling organisations to own up when data they possess is compromised by a cyberattack.
Under Australia's Notifiable Data Breaches scheme, which came into effect in February 2018, covered healthcare providers must notify affected individuals and the Office of the Australian Information Commissioner if they experience a data breach that is likely to result in serious harm to any individual whose personal information is involved.
Similarly, since 25 May 2018 healthcare organisations must comply with the EU General Data Protection Regulation (GDPR) if they have an establishment in the European Union, offer goods or services to individuals in the EU, or monitor the behaviour of individuals in the EU.
Healthcare is one of the most vulnerable industries when it comes to cybersecurity. Patients’ health and even their lives can depend on the security and accessibility of their health records.
The global rise in email-borne attacks, combined with the introduction of mandatory breach notification schemes, means healthcare organisations can no longer treat cyber security, and email security in particular, as optional.
Every organisation now needs a cyber-resilience strategy for email. That starts with taking stock of where patient information is held and breaking down the departmental silos in which client data sits.
Cyber resilience also means rehearsing: breach exercises in which all the teams, including IT, security, clinical, marketing and administration, walk through what would happen in the event of a data breach.
Staff also need to be trained and constantly reminded about good cyber-hygiene. Topics such as identifying malicious emails and not sharing personal data via email all need to be emphasised.
A strong email security policy also needs to be enforced by a gateway that examines, vets and quarantines messages carrying malicious content, links or attachments before they reach a mailbox. By doing this, healthcare organisations take much of the risk out of email and keep it usable as the tool they need to conduct business with patients, agencies and other healthcare providers.
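As an added example of the vetting step, not from the article or any product, the Python below inspects a message with the standard library and returns a quarantine verdict with reasons. It applies three checks a gateway would make: a display name that claims the organisation's domain while the real sender is elsewhere, an attachment whose final extension is on a block list (so `referral.pdf.exe` is caught), and a link whose visible text shows one domain while its `href` points to another, or to a bare IP address. The block list, the organisation domain `example-clinic.org` and both sample messages are constructed assumptions for the demonstration.

```python
import email
import re
from email import policy
from email.headerregistry import Address
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed gateway policy: attachment types quarantined on sight (executables,
# scripts, shortcuts and macro-enabled Office documents).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".bat", ".docm", ".xlsm"}
# Domains the organisation owns (example value). A display name that claims one
# of these while the real address is elsewhere is treated as sender spoofing.
INTERNAL_DOMAINS = {"example-clinic.org"}
_DOMAIN_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL, lowercased ('' if it has none)."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def vet_message(raw):
    """Inspect one RFC 5322 message; return {'quarantine': bool, 'reasons': [...]}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    # 1. Display name claims an internal domain but the address is external.
    for a in (msg["From"].addresses if msg["From"] else ()):
        for d in INTERNAL_DOMAINS:
            if d in a.display_name.lower() and a.domain.lower() != d:
                reasons.append(f"display name claims {d} but sender domain is {a.domain}")

    # 2. Final attachment extension is on the block list ('referral.pdf.exe' ends in .exe).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if "." in name and "." + name.rsplit(".", 1)[1] in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {name}")

    # 3. Link text shows one domain while the href goes elsewhere, or to a bare IP.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = _LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            host, m = _host(href), _DOMAIN_IN_TEXT.match(text)
            shown = m.group(1).lower() if m else None
            if shown and host != shown and not host.endswith("." + shown):
                reasons.append(f"link text shows {shown} but points to {host}")
            if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
                reasons.append(f"link to bare IP address {host}")

    return {"quarantine": bool(reasons), "reasons": reasons}


def _build(sender, html, attachment=None):
    """Construct a sample message (test data, not a captured email)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "reception@example-clinic.org", "Updated referral"
    m.set_content("Please see the referral.")
    m.add_alternative(html, subtype="html")
    if attachment:
        m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename=attachment)
    return m.as_bytes()


def sample_phish():
    """Spoofed display name, look-alike link and a double-extension attachment."""
    return _build(
        Address("helpdesk@example-clinic.org", addr_spec="helpdesk@mail-relay.example.net"),
        '<p>Your referral is ready at <a href="http://portal.example-clinic.org.login-verify.example/r/1">'
        "portal.example-clinic.org</a></p>",
        attachment="referral.pdf.exe",
    )


def sample_clean():
    """Legitimate internal notification with a matching link and a PDF attachment."""
    return _build(
        Address("Radiology", addr_spec="radiology@example-clinic.org"),
        '<p>Report available in the <a href="https://portal.example-clinic.org/reports">patient portal</a>.</p>',
        attachment="report.pdf",
    )


if __name__ == "__main__":
    for label, raw in (("phish", sample_phish()), ("clean", sample_clean())):
        print(label, vet_message(raw))
```

These checks are deliberately cheap and deterministic so they can run inline on every message; a real gateway layers sandbox detonation of attachments and reputation lookups on top, and the quarantine verdict should be reviewable by the security team rather than silently dropped, because a false positive on a genuine referral is itself a patient-safety problem.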
With data breach laws in force, securing email is something every healthcare organisation needs to make a centrepiece of its cybersecurity strategy. Doing so protects clients, patients and the organisation itself against compromise, and avoids a data breach and its costly financial and reputational consequences.