Key Aspects to Consider when Creating a Secure Data Platform

Cybercriminals consider healthcare a lucrative industry. Stolen PHI records are in high demand on the black market and may cost hundreds or even thousands of dollars per record, according to the 2020 Trustwave Global Security Report. As a rule, it takes experts a good while to detect the theft, meaning cybercriminals are free to use the compromised data to the fullest for quite a long time.


The COVID-19 pandemic has triggered a growth of telemedicine, which requires using external equipment and integrations with numerous third-party and fourth-party services. This in turn has resulted in exponential data growth, the growing need for a global single source of truth (SSOT) and improvements in the legal and regulatory framework for electronic health records in Europe, in the US and all over the globe.

Along with that, there are a few major security risks that must be addressed:

  1. human error and unintentional internal threats
  2. a low level of data awareness among doctors and patients
  3. cyber-attacks
  4. intentional internal threats
  5. ransomware campaigns
  6. lack of executive managers
  7. poor security of interconnected devices 

The COVID-19 pandemic calls for minimizing risks and ensuring simple information exchange between service providers themselves, as well as between service providers and third or fourth parties. In other words, all healthcare-related companies need a well-thought-out data governance strategy. All of the above factors have led to the temporary revision of HIPAA, GDPR, and other regulatory acts.

Examples of HIPAA and GDPR interpretations during COVID-19

COVID-19 has forced countries to reconsider some aspects of their healthcare systems to improve pandemic-tackling efforts.

For example, the U.S. HHS Office for Civil Rights added temporary changes to the Health Insurance Portability and Accountability Act. These HIPAA updates significantly affected the flexibility of exchanging protected health information.

One such exception relates to the 1135 Waiver, which provides for waiving notifications of privacy, security, and breach of HIPAA. This allowed using tools such as FaceTime, Skype, and Zoom. Although these communication means do not comply with all HIPAA requirements, the apps are now considered “non-public facing” remote communication products.

When it comes to EU nations, the changes affected GDPR. The updated version says that companies must accept and process COVID-related requests from clients and employees. For example, a passenger has the right to ask airline reps whether there are COVID-infected people on board. The airline reps, in turn, must provide the requested data without breaching the GDPR requirements for anonymity and permission to use personal data.

Nevertheless, the temporary relaxation of data processing rules does not exclude the necessity to overcome security risks. IT companies must take into account all possible challenges while developing or upgrading software solutions. 

What is the best way to design a data security and compliance platform? 

Data security refers to the process of protecting data from unauthorized access and data corruption throughout its entire life cycle. It includes the following stages: auditing, classification, risk assessment, policies management, and implementation. Let’s take a closer look at each of these stages.

1. Data Security Auditing

An audit is a comprehensive overview and analysis of the platform’s data infrastructure. It defines the list and description of objects that are included in the system, identifies threats and vulnerabilities, and identifies weaknesses and high-risk methods.

For example, a violation or non-compliance with the GDPR and HIPAA rules can have an enormous impact on the company’s business, which leads to the use of data. Data security auditing helps minimize the likelihood of a breach and shows that your organization has taken the necessary steps to protect customer, company, and partner data.

2. Data Security Classification

A security classification of data is a classification of data based on its level of confidentiality and the impact on business if that data is opened, altered or destroyed without permission.

The classification of data in companies usually includes four levels: restricted, confidential, internal, and public. Their names correspond to how they should be handled. Data security policies are created based on this classification.

3. Data Security Risk Assessment

Risk assessment is used to identify, assess, and prioritize risks for operations within the platform and when interacting with other systems. Based on the classification of data, threats, and vulnerabilities, risks are identified that can lead to large monetary or reputational losses for the company. The assessment then identifies the most likely scenarios that can occur and the data infrastructure improvements that can help mitigate these risks.

4. Data Security Policies Management

Often, the design of data security policies for a platform derives from the organization’s general security policies and data security classification. They are defined for each level of data classification separately. A data security policy should include two broad categories of elements: policies applicable to people and policies applicable to technology. Compliance sections such as HIPAA, GDPR, CCPA and others are also mandatory for every data security policy.


5. Data Security Policies Implementation

This may sound obvious, but many CIOs and CISOs begin implementing a platform security plan at this stage. However, the data security policies defined in the previous step are an input to the technical design that will be implemented. The implementation stage consists of the following components:

  • Design for data encryption
  • Design for data retention
  • Plan for data archiving strategy
  • Design data masking
  • Plan for secure endpoints

Sequential or parallel execution of each of these components allows you to create and maintain a system that meets all safety requirements.
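The per-level policies from stages 2 and 4 can be written as data and enforced in code during implementation. The following is an added example, not code from the original article: the field names, policy values and helper functions are assumptions, and the record is constructed sample data. Fields that nobody classified are treated as restricted, so gaps in classification fail closed.

```python
from enum import IntEnum

class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

# One policy per classification level (illustrative values, assumed for this example).
POLICY = {
    Level.PUBLIC:       {"encrypt": False, "mask": "none"},
    Level.INTERNAL:     {"encrypt": False, "mask": "partial"},
    Level.CONFIDENTIAL: {"encrypt": True,  "mask": "partial"},
    Level.RESTRICTED:   {"encrypt": True,  "mask": "redact"},
}

# Hypothetical field-to-level map produced by the classification stage.
FIELD_LEVELS = {
    "clinic_name": Level.PUBLIC,
    "appointment_id": Level.INTERNAL,
    "phone": Level.CONFIDENTIAL,
    "diagnosis": Level.RESTRICTED,
}

def level_of(field):
    # Fail closed: an unclassified field is handled as restricted.
    return FIELD_LEVELS.get(field, Level.RESTRICTED)

def mask_value(value, mode):
    text = str(value)
    if mode == "partial":  # keep only the last four characters
        return "*" * max(len(text) - 4, 0) + text[-4:]
    return value if mode == "none" else "[REDACTED]"  # unknown modes redact

def view_for(record, clearance):
    """Copy of record with every field above the caller's clearance masked."""
    out = {}
    for field, value in record.items():
        level = level_of(field)
        out[field] = mask_value(value, POLICY[level]["mask"]) if level > clearance else value
    return out

def fields_to_encrypt(record):
    """Fields whose level's policy demands encryption at rest."""
    return sorted(f for f in record if POLICY[level_of(f)]["encrypt"])

# Constructed sample record (not real patient data); "notes" is deliberately unclassified.
SAMPLE = {"clinic_name": "North Clinic", "appointment_id": "A-1042",
          "phone": "555-0100-2368", "diagnosis": "J45.909", "notes": "follow-up in 2 weeks"}
```

Calling `view_for(SAMPLE, Level.INTERNAL)` returns the phone number with only its last four digits visible and both `diagnosis` and the unclassified `notes` field redacted.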

Security is not a state; it is a cyclical process. Regardless of where the company is now, this plan is always relevant. The set of these steps is constant: starting with the introduction of a new feature, continuing with the product and ending with the company in general. It is crucial that data engineering follows every step of this process.

Data security needs to meet explosive industry needs

The number of integrations with third-party and fourth-party systems is growing exponentially. In view of this, security requirements become more complex. Therefore, all stakeholders should have a transparent data management strategy.

Efficient systems need to collect data that current systems can’t access. Hence, new systems must be integrated into the overall healthcare ecosystem. In order to create or optimize such a system, profound domain expertise is required.

The good news is that, regardless of whether you are just at the beginning of the journey and developing a product idea or already have a huge functioning platform, you can arrive at a successful data security infrastructure. Step by step, starting with auditing and continuing to build strong data governance, you are able to transform the platform to meet modern technical and business requirements.


References:

Telehealth.HHS.gov, Policy changes during the COVID-19 Public Health Emergency

Foley & Lardner LLP, COVID-19: Privacy and Cybersecurity Regulatory and Enforcement Guidance

Feldesman Tucker Leifer Fidell LLP, CLIENT ALERT: Compliance with Federal Patient Confidentiality Laws and Regulations During and After COVID-19

Databricks Inc., What is a Lakehouse?

OWASP Foundation, Inc., OWASP Application Security Verification Standard

SecurityMetrics Inc., How to Manage a Healthcare Data Breach

Healthcare Information and Management Systems Society, Inc., Healthcare Cybersecurity During COVID-19 and How to Pivot

Trustwave Holdings, Inc., 2020 Trustwave Global Security Report


GreenM
