The healthcare industry is moving toward the universal use of electronic health records (EHRs), digital documentation that represents a secure record of our complete health history. With EHRs, your healthcare provider gets real-time access to your relevant medical data, enabling them to make faster and more accurate treatment decisions.

But all this data has to be stored somewhere. It’s no secret that the healthcare industry is hit hardest when it comes to data breaches, and healthcare security is going to play a huge role if the utopian vision of a purely digital ecosystem is to be realized.

In some countries, however, the medical system is already well on its way to becoming fully digital. In Sweden, for example, 41 percent (about 4.1 million) of the population had already created their own account to use personal e-services on the country’s online portal by June 2017, according to Philips. And in Canada, there are private initiatives to facilitate the EHR process by providing Canadians secure access to their health records.

So why is the U.S. not moving as quickly to adopt a digital system? There are many reasons for this reluctance — some political, some ethical and some based on the sheer number of healthcare providers and the population.

Still, cybersecurity may be the most critical factor. Perhaps incidents such as the flaw that left 170,000 hours of 2.7 million medical calls exposed online for six years in Sweden are prompting us to take our time.

Two Nations, Two Disparate Health Ecosystems

To get an idea of where the U.S. may be headed, we can look to Canada, a country with an estimated population of around 37 million. There, the Toronto-based Dot Health already has relationships with 3,000 healthcare providers across the country and provides an app for Canadians to display their health information in one place. The app updates data whenever it changes, and the company goes above and beyond to secure it. How it protects the data is paramount, but we’ll address this later on.

In Canada, each province and territory is responsible for organizing and delivering health services and supervising providers. This territorial split represents the largest stumbling block for companies like Dot Health that want to be a catalyst for a fully digital system.

“If [healthcare] was federally done, it would be very different,” said Huda Idrees, founder and CEO of Dot Health. “It makes it really difficult when it seems each of the provinces is trying to compete with each other.”

Idrees explained that while a fully digital healthcare system in Canada may have its own set of challenges, the U.S. faces a particularly bumpy road ahead.

“Going digital [in the U.S.] is especially difficult in healthcare, where it’s completely out-of-pocket,” Idrees said. “There are very difficult innovations around EHR, and providers may not want to talk to each other because they have business interests that are in conflict.”

Surpassing Healthcare Security Standards

When it comes to data, the most coveted for threat actors is probably that which comes from the healthcare industry. Understandably, Idrees gets a lot of questions about security, privacy and information protection — a core focus for her company from the very beginning. For Dot Health, security must not only be much better than that of the healthcare providers themselves; the company also strives for excellence in data protection that exceeds the standards of any industry, let alone healthcare.

To achieve this on a technical level, one example Idrees gave is how the company stores health records. Instead of a single monolithic database, the company spreads data over several databases, each of which contains only bits and pieces of what makes up a whole electronic health record.

“You would need to breach 12 different databases and also have the patient’s own login key in order to decipher one complete health record,” Idrees said.
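The storage design Idrees describes, fragments spread across independent databases that are useless without both every fragment and the patient's own key, can be sketched in a few dozen lines. The example below is added here to illustrate that property and is not Dot Health's code; the store names, the sample record and the per-fragment construction (a stdlib-only HMAC-SHA256 stream cipher with encrypt-then-MAC, standing in for a real AEAD such as AES-GCM) are all assumptions of this demo. It generalizes to any number of stores, so the "12 databases" in the quote is just one parameter.

```python
"""Fragment-and-encrypt storage sketch (constructed example, not Dot Health's implementation).

An EHR is split into sections, each sealed under a key derived from the patient's
own key and the target store, and each store indexes the row under a per-store
pseudonymous token. Reconstructing the record therefore needs every store AND the
patient's key; any single store holds opaque, unlinkable ciphertext.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, List

# Constructed sample record; field names and values are invented for the demo.
SAMPLE_RECORD = {
    "demographics": {"name": "A. Patient", "dob": "1980-01-01"},
    "allergies": ["penicillin"],
    "medications": ["metformin 500 mg"],
    "lab_results": {"hba1c": 6.1},
}


def _derive(patient_key: bytes, label: bytes, *context: bytes) -> bytes:
    """Sub-key from the patient's key: HMAC-SHA256 over a purpose label plus context."""
    return hmac.new(patient_key, label + b"|" + b"|".join(context), hashlib.sha256).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stdlib stand-in for a vetted AEAD)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(patient_key: bytes, store_id: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one fragment under keys bound to this patient and this store."""
    nonce = os.urandom(16)
    enc_key = _derive(patient_key, b"enc", store_id.encode(), nonce)
    mac_key = _derive(patient_key, b"mac", store_id.encode(), nonce)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(patient_key: bytes, store_id: str, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or wrong store fails closed."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = _derive(patient_key, b"mac", store_id.encode(), nonce)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError(f"fragment in {store_id}: authentication failed")
    enc_key = _derive(patient_key, b"enc", store_id.encode(), nonce)
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, len(ciphertext))))


def lookup_token(patient_key: bytes, store_id: str) -> str:
    """Per-store pseudonymous row id: rows in different stores cannot be linked without the key."""
    return _derive(patient_key, b"id", store_id.encode()).hex()


def split_record(record: dict, patient_key: bytes, store_ids: List[str]) -> Dict[str, Dict[str, List[bytes]]]:
    """Spread the record's sections round-robin over the stores, one sealed fragment each.

    Returns {store_id: {row_token: [blob, ...]}}, i.e. exactly what each database holds.
    Every store gets a row under the patient's token, even if no section lands there,
    so reassembly must succeed at every store.
    """
    stores: Dict[str, Dict[str, List[bytes]]] = {
        sid: {lookup_token(patient_key, sid): []} for sid in store_ids
    }
    for i, (section, value) in enumerate(sorted(record.items())):
        sid = store_ids[i % len(store_ids)]
        fragment = json.dumps({section: value}).encode()
        stores[sid][lookup_token(patient_key, sid)].append(seal(patient_key, sid, fragment))
    return stores


def reassemble(stores: Dict[str, Dict[str, List[bytes]]], patient_key: bytes, store_ids: List[str]) -> dict:
    """Rebuild the record; every store must be reachable and the patient's key must be right."""
    record: dict = {}
    for sid in store_ids:
        if sid not in stores:
            raise ValueError(f"store {sid} unavailable: record cannot be reconstructed")
        token = lookup_token(patient_key, sid)
        if token not in stores[sid]:
            raise ValueError(f"store {sid}: no row for this patient key")
        for blob in stores[sid][token]:
            record.update(json.loads(unseal(patient_key, sid, blob)))
    return record


if __name__ == "__main__":
    key = os.urandom(32)  # constructed patient key; in practice held by the patient, not the service
    ids = [f"db{i}" for i in range(12)]
    fragments = split_record(SAMPLE_RECORD, key, ids)
    assert reassemble(fragments, key, ids) == SAMPLE_RECORD
    print("rebuilt from all", len(ids), "stores; any single store holds only sealed fragments")
```

The point for a defender is the failure mode: losing access to one store, or presenting the wrong key, raises rather than returning a partial record, and no two stores share a row identifier, so a breach of one database yields ciphertext that cannot even be matched to the same patient elsewhere. A production system would swap the HMAC stream cipher for an AEAD from a vetted library and would still need to protect the patient key itself (hardware-backed storage, recovery procedures), which this sketch deliberately leaves out.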

Before going live, Dot Health spent eight months with third-party security specialists to help ensure compliance with all related legislation. On top of that, the company undergoes penetration testing from a third-party vendor three times a year.

In writing about healthcare security, I’ve learned that, unfortunately, pen testing rarely occurs that frequently for healthcare companies. But shouldn’t it, especially when providers are protecting our most sensitive health data?

Not So Fast, We Still Have Work to Do

Perhaps we’re getting ahead of ourselves. Before healthcare data becomes completely digital — or even partially digital — the industry has to be prepared for change. Independent security researcher Rod Soto said that healthcare in the U.S. has a long way to go before going all-in on EHRs.

“Although government regulation has helped to move [the industry] in the digital direction, the evolution of technology and standards sometimes goes faster than the speed of the industry’s willingness to keep up,” Soto said. “This situation where many of the acquired technologies quickly become outdated or obsolete does not match the conservative mindset of the healthcare industry, [and] pushes many organizations to just wait or simply not embrace digital transformation.”

The seemingly endless news about successful breaches and destructive attacks against healthcare institutions doesn’t help, either. So is there any sort of shift that needs to happen to turn the tide?

According to Soto, while a shift may occur, it won’t be anytime soon. “The healthcare industry is known for dealing with significant amounts of legacy, outdated, unmanaged and unpatched systems,” he said. “Malicious actors know this and actively target healthcare organizations.”

Threat actors know the value of the information those systems hold. Because they’ve had success with past breaches, they understand these institutions will pay a ransom if pressed and, if not, they can easily sell the information on the dark web.

Why We Should Wait to Go All-In on EHRs

This may be belaboring the obvious, but we need to be more proactive in keeping systems up to date and patching them to reduce the attack surface.

“That includes more manpower and stricter security controls,” Soto said. “I notice that a lot of the attacks on those organizations usually come from outdated, unmanaged systems.”

Soto does not recommend going fully digital without having a hard copy of records or an off-site backup.

“As antiquated as it may sound, in many instances, where either outages, destructive crimeware or ransomware campaigns have been successful, the hard copy and off-site backups have helped the affected organizations,” he added.

It sure seems like we need to take our time before transitioning to electronic health records. Given the current healthcare breach statistics — more than 2 million healthcare records were compromised in February 2019 alone, a 330 percent increase from January, according to HIPAA Journal — sitting back and watching how the transformation plays out in other countries may be the most prudent strategy.

In the meantime, those in the health industry should follow the Department of Health and Human Services’ cybersecurity guidelines for the healthcare sector, where professionals can share healthcare security best practices to mitigate risk and boost cybersecurity programs across the industry.
