April 1, 2019 By Mark Stone 4 min read

The healthcare industry is moving toward the universal use of electronic health records (EHRs), digital documentation that represents a secure record of our complete health history. With EHRs, your healthcare provider gets real-time access to your relevant medical data, enabling them to make faster and more accurate treatment decisions.

But all this data has to be stored somewhere. It’s no secret that the healthcare industry is hit hardest when it comes to data breaches, and healthcare security is going to play a huge role if the utopian vision of a purely digital ecosystem is to be realized.

In some countries, however, the medical system is already well on its way to becoming fully digital. In Sweden, for example, 41 percent (about 4.1 million) of the population had already created their own account to use personal e-services on the country’s online portal by June 2017, according to Philips. And in Canada, there are private initiatives to facilitate the EHR process by providing Canadians secure access to their health records.

So why is the U.S. not moving as quickly to adopt a digital system? There are many reasons for this reluctance — some political, some ethical and some based on the sheer number of healthcare providers and the population.

Still, cybersecurity may be the most critical factor. Perhaps incidents such as the flaw that left 170,000 hours of 2.7 million medical calls exposed online for six years in Sweden are prompting us to take our time.

Two Nations, Two Disparate Health Ecosystems

To get an idea of where the U.S. may be headed, we can look to Canada, a country with an estimated population of around 37 million. There, the Toronto-based Dot Health already has relationships with 3,000 healthcare providers across the country and provides an app for Canadians to display their health information in one place. The app updates data whenever it changes, and the company goes above and beyond to secure it. How it protects the data is paramount, but we’ll address this later on.

In Canada, each province and territory is responsible for organizing and delivering health services and supervising providers. This territorial split represents the largest stumbling block for companies like Dot Health that want to be a catalyst for a fully digital system.

“If [healthcare] was federally done, it would be very different,” said Huda Idrees, founder and CEO of Dot Health. “It makes it really difficult when it seems each of the provinces is trying to compete with each other.”

Idrees explained that while a fully digital healthcare system in Canada may have its own set of challenges, the U.S. faces a particularly bumpy road ahead.

“Going digital [in the U.S.] is especially difficult in healthcare, where it’s completely out-of-pocket,” Idrees said. “There are very difficult innovations around EHR, and providers may not want to talk to each other because they have business interests that are in conflict.”

Surpassing Healthcare Security Standards

When it comes to data, the most coveted for threat actors is probably that which comes from the healthcare industry. Understandably, Idrees gets a lot of questions about security, privacy and information protection — a core focus for her company from the very beginning. For Dot Health, security must not only be much better than that of the healthcare providers themselves, but strive for excellence in data protection that exceeds standards in any industry, let alone healthcare.

To achieve this on a technical level, one example Idrees provided is how the company stores health records. Instead of a monolithic database, it spreads data over several databases, each of which contains only bits and pieces of what makes up a whole electronic health record.

“You would need to breach 12 different databases and also have the patient’s own login key in order to decipher one complete health record,” Idrees said.
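As an added illustration (not Dot Health's code; the article does not describe its internals), here is one standard-library-only way to get the property Idrees describes: a record is encrypted under a key derived from the patient's own login secret, the ciphertext is XOR-split into one share per store, and reading it back requires every share plus that key. The 12-store count as a parameter, the password-based login, the HMAC-based keystream and the sample record are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
from functools import reduce

NUM_STORES = 12  # the page quotes "12 different databases"; here it is just a parameter

def derive_patient_key(login_secret: str, salt: bytes) -> bytes:
    # Patient-held key from their login secret via a slow KDF (assumption: password-based login)
    return hashlib.pbkdf2_hmac("sha256", login_secret.encode(), salt, 200_000, dklen=32)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stdlib only; a deployment would use AES-GCM)
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def split_record(record: bytes, key: bytes, nonce: bytes, n: int = NUM_STORES) -> tuple[list[bytes], bytes]:
    # Encrypt under the patient key, MAC the ciphertext, then XOR-split it into n shares,
    # one per store: any n-1 shares are uniformly random and reveal nothing on their own.
    ciphertext = _xor(record, _keystream(key, nonce, len(record)))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    shares = [secrets.token_bytes(len(ciphertext)) for _ in range(n - 1)]
    shares.append(reduce(_xor, shares, ciphertext))  # so that XOR of all n shares == ciphertext
    return shares, tag

def reassemble(shares: list[bytes], tag: bytes, key: bytes, nonce: bytes, n: int = NUM_STORES) -> bytes:
    # Recombine all n shares and decrypt; fails closed on a missing share, wrong key or tampering
    if len(shares) != n:
        raise ValueError("all %d shares are required" % n)
    ciphertext = reduce(_xor, shares)
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key, bad share or tampering")
    return _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))

def demo() -> bool:
    # Constructed sample record and login secret; True if the full round trip succeeds
    record = b'{"patient":"EXAMPLE-0001","allergies":["penicillin"],"bp":"120/80"}'
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(12)
    key = derive_patient_key("patient-login-secret-example", salt)
    shares, tag = split_record(record, key, nonce)
    return reassemble(shares, tag, key, nonce) == record
```

The nonce must be unique per record and is stored alongside the tag as non-secret metadata; losing the patient's key (or its salt) makes the record unrecoverable, which is the intended trade-off.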

Before going live, Dot Health spent eight months with third-party security specialists to help ensure compliance with all related legislation. On top of that, the company undergoes penetration testing from a third-party vendor three times a year.

In writing about healthcare security, I’ve learned that, unfortunately, pen testing rarely occurs that frequently for healthcare companies. But shouldn’t it, especially when providers are protecting our most sensitive health data?

Not So Fast, We Still Have Work to Do

Perhaps we’re getting ahead of ourselves. Before healthcare data becomes completely digital — or even partially digital — the industry has to be prepared for change. Independent security researcher Rod Soto said that healthcare in the U.S. has a long way to go before going all-in on EHRs.

“Although government regulation has helped to move [the industry] in the digital direction, the evolution of technology and standards sometimes goes faster than the speed of the industry’s willingness to keep up,” Soto said. “This situation where many of the acquired technologies quickly become outdated or obsolete does not match the conservative mindset of the healthcare industry, [and] pushes many organizations to just wait or simply not embrace digital transformation.”

The seemingly endless news about successful breaches and destructive attacks against healthcare institutions doesn’t help, either. So is there any sort of shift that needs to happen to turn the tide?

According to Soto, while a shift may occur, it won’t be anytime soon. “The healthcare industry is known for dealing with significant amounts of legacy, outdated, unmanaged and unpatched systems,” he said. “Malicious actors know this and actively target healthcare organizations.”

Threat actors know the value of the information those systems hold. Because they’ve had success with past breaches, they understand these institutions will pay a ransom if pressed and, if not, they can easily sell the information on the dark web.

Why We Should Wait to Go All-In on EHRs

This may be belaboring the obvious, but we need to be more proactive in keeping systems up to date and patching them to reduce the attack surface.

“That includes more manpower and stricter security controls,” Soto said. “I notice that a lot of the attacks on those organizations usually come from outdated, unmanaged systems.”

Soto does not recommend going fully digital without having a hard copy of records or an off-site backup.

“As antiquated as it may sound, in many instances, where either outages, destructive crimeware or ransomware campaigns have been successful, the hard copy and off-site backups have helped the affected organizations,” he added.

It sure seems like we need to take our time before transitioning to electronic health records. Given the current healthcare breach statistics — more than 2 million healthcare records were compromised in February 2019 alone, a 330 percent increase from January, according to HIPAA Journal — sitting back and watching how the transformation plays out in other countries may be the most prudent strategy.

In the meantime, those in the health industry should follow the Department of Health and Human Services’ cybersecurity guidelines for the healthcare sector, where professionals can share healthcare security best practices to mitigate risk and boost cybersecurity programs across the industry.
