The healthcare industry is moving toward the universal use of electronic health records (EHRs), digital documentation that represents a secure record of our complete health history. With EHRs, your healthcare provider gets real-time access to your relevant medical data, enabling them to make faster and more accurate treatment decisions.
But all this data has to be stored somewhere. It’s no secret that the healthcare industry is hit hardest when it comes to data breaches, and healthcare security is going to play a huge role if the utopian vision of a purely digital ecosystem is to be realized.
In some countries, however, the medical system is already well on its way to becoming fully digital. In Sweden, for example, 41 percent (about 4.1 million) of the population had already created their own account to use personal e-services on the country’s online portal by June 2017, according to Philips. And in Canada, there are private initiatives to facilitate the EHR process by providing Canadians secure access to their health records.
So why is the U.S. not moving as quickly to adopt a digital system? There are many reasons for this reluctance — some political, some ethical and some based on the sheer number of healthcare providers and the population.
Still, cybersecurity may be the most critical factor. Perhaps incidents such as the flaw that left 170,000 hours of 2.7 million medical calls exposed online for six years in Sweden are prompting us to take our time.
Two Nations, Two Disparate Health Ecosystems
To get an idea of where the U.S. may be headed, we can look to Canada, a country with an estimated population of around 37 million. There, the Toronto-based Dot Health already has relationships with 3,000 healthcare providers across the country and provides an app for Canadians to display their health information in one place. The app updates data whenever it changes and the company goes over and above to secure it. How it protects the data is paramount, but we’ll address this later on.
In Canada, each province and territory is responsible for organizing and delivering health services and supervising providers. This territorial split represents the largest stumbling block for companies like Dot Health that want to be a catalyst for a fully digital system.
“If [healthcare] was federally done, it would be very different,” said Huda Idrees, founder and CEO of Dot Health. “It makes it really difficult when it seems each of the provinces is trying to compete with each other.”
Idrees explained that while a fully digital healthcare system in Canada may have its own set of challenges, the U.S. faces a particularly bumpy road ahead.
“Going digital [in the U.S.] is especially difficult in healthcare, where it’s completely out-of-pocket,” Idrees said. “There are very difficult innovations around EHR, and providers may not want to talk to each other because they have business interests that are in conflict.”
Surpassing Healthcare Security Standards
When it comes to data, the most coveted for threat actors is probably that which comes from the healthcare industry. Understandably, Idrees gets a lot of questions about security, privacy and information protection — a core focus for her company from the very beginning. For Dot Health, security must not only be much better than the healthcare providers, but strive for excellence in data protection to exceed standards in any industry, let alone healthcare.
To achieve this on a technical level, one example Idrees provided is in how they store health records. Instead of monolithic databases, the company spreads data over several databases that contain bits and pieces of what makes up a whole electronic health record.
“You would need to breach 12 different databases and also have the patient’s own login key in order to decipher one complete health record,” Idrees said.
Before going live, Dot Health spent eight months with third-party security specialists to help ensure compliance with all related legislation. On top of that, the company undergoes penetration testing from a third-party vendor three times a year.
In writing about healthcare security, I’ve learned that, unfortunately, pen testing rarely occurs that frequently for healthcare companies. But shouldn’t it, especially when providers are protecting our most sensitive health data?
Not So Fast, We Still Have Work to Do
Perhaps we’re getting ahead of ourselves. Before healthcare data becomes completely digital — or even partially digital — the industry has to be prepared for change. Independent security researcher Rod Soto said that healthcare in the U.S. has a long way to go before going all-in on EHRs.
“Although government regulation has helped to move [the industry] in the digital direction, the evolution of technology and standards sometimes goes faster than the speed of the industry’s willingness to keep up,” Soto said. “This situation where many of the acquired technologies quickly become outdated or obsolete does not match the conservative mindset of the healthcare industry, [and] pushes many organizations to just wait or simply not embrace digital transformation.”
The seemingly endless news about successful breaches and destructive attacks against healthcare institutions doesn’t help, either. So is there any sort of shift that needs to happen to turn the tide?
According to Soto, while a shift may occur, it won’t be anytime soon. “The healthcare industry is known for dealing with significant amounts of legacy, outdated, unmanaged and unpatched systems,” he said. “Malicious actors know this and actively target healthcare organizations.”
Threat actors know the value of the information those systems hold. Because they’ve had success with past breaches, they understand these institutions will pay a ransom if pressed and, if not, they can easily sell the information on the dark web.
Why We Should Wait to Go All-In on EHRs
This may be belaboring the obvious, but we need to be more proactive in keeping systems up to date and patching them to reduce the attack surface.
“That includes more manpower and stricter security controls,” Soto said. “I notice that a lot of the attacks on those organizations usually come from outdated, unmanaged systems.”
Soto does not recommend going fully digital without having a hard copy of records or an off-site backup.
“As antiquated as it may sound, in many instances, where either outages, destructive crimeware or ransomware campaigns have been successful, the hard copy and off-site backups have helped the affected organizations,” he added.
It sure seems like we need to take our time before transitioning to electronic health records. Given the current healthcare breach statistics — more than 2 million healthcare records were compromised in February 2019 alone, a 330 percent increase from January, according to HIPAA Journal — sitting back and watching how the transformation plays out in other countries may be the most prudent strategy.
In the meantime, those in the health industry should follow the Department of Health and Human Services’ cybersecurity guidelines for the healthcare sector, where professionals can share healthcare security best practices to mitigate risk and boost cybersecurity programs across the industry.