Cybercriminals consider healthcare a lucrative industry. Stolen PHI records are in high demand on the black market and may cost hundreds or even thousands of dollars per record, according to the 2020 Trustwave Global Security Report. Typically, a long time passes before the theft is detected, meaning cybercriminals are free to exploit the compromised data to the fullest for an extended period.
The COVID-19 pandemic has triggered a growth of telemedicine, which requires using external equipment and integrations with numerous third-party and fourth-party services. This in turn has resulted in exponential data growth, the growing need for a global single source of truth (SSOT) and improvements in the legal and regulatory framework for electronic health records in Europe, in the US and all over the globe.
Alongside these developments, there are a few major security risks that must be addressed:
The COVID-19 pandemic calls for minimizing risks and ensuring simple information exchange between service providers themselves, as well as between service providers and third or fourth parties. In other words, all healthcare-related companies need a well-thought-out data governance strategy. All of the above factors have led to the temporary revision of HIPAA, GDPR, and other regulatory acts.
COVID-19 has forced countries to reconsider some aspects of their healthcare systems to improve pandemic-tackling efforts.
For example, the U.S. HHS Office for Civil Rights introduced temporary changes to the Health Insurance Portability and Accountability Act (HIPAA). These HIPAA updates significantly increased the flexibility of exchanging protected health information.
One such exception relates to the Section 1135 waiver, which provides for waiving HIPAA privacy, security, and breach notification requirements. This allowed the use of tools such as FaceTime, Skype, and Zoom. Although these communication tools do not comply with all HIPAA requirements, the apps are now considered “non-public facing” remote communication products.
When it comes to EU nations, the changes affected the GDPR. The updated version says that companies must accept and process COVID-related requests from clients and employees. For example, a passenger has the right to ask airline representatives whether there are COVID-infected people on board. The airline representatives, in turn, must provide the requested data without breaching the GDPR requirements for anonymity and consent to the use of personal data.
Nevertheless, the temporary relaxation of data processing rules does not remove the need to address security risks. IT companies must take into account all possible challenges while developing or upgrading software solutions.
Data security refers to the process of protecting data from unauthorized access and corruption throughout its entire life cycle. It consists of the following stages: auditing, classification, risk assessment, policy management, and implementation. Let’s take a closer look at each of these stages.
An audit is a comprehensive overview and analysis of the platform’s data infrastructure. It produces an inventory and description of the objects included in the system and identifies threats, vulnerabilities, weaknesses, and high-risk practices.
For example, a violation of or non-compliance with the GDPR and HIPAA rules can have an enormous impact on a company whose business relies on the use of that data. Data security auditing helps minimize the likelihood of a breach and shows that your organization has taken the necessary steps to protect customer, company, and partner data.
A security classification of data is a classification based on the data’s level of confidentiality and the impact on the business if that data is disclosed, altered, or destroyed without permission.
The classification of data in companies usually includes four levels: restricted, confidential, internal, and public. Their names correspond to how they should be handled. Data security policies are created based on this classification.
Risk assessment is used to identify, assess, and prioritize risks for operations within the platform and when interacting with other systems. Based on the classification of data, threats, and vulnerabilities, the risks that can lead to large monetary or reputational losses for the company are identified. The assessment then identifies the most likely scenarios and the data infrastructure improvements that can help mitigate these risks.
Often, the design of data security policies for a platform derives from the organization’s general security policies and its data security classification. Policies are defined separately for each level of data classification. A data security policy should include two broad categories of elements: policies applicable to people and policies applicable to technology. Compliance sections covering HIPAA, GDPR, CCPA, and other regulations are also mandatory for every data security policy.
This may sound obvious, but many CIOs and CISOs begin implementing a platform security plan at this stage. However, the data security policies defined in the previous step are an input to the technical design that will be implemented. The implementation stage consists of the following components:
Sequential or parallel execution of each of these components allows you to create and maintain a system that meets all security requirements.
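To show how a classification level turns into an enforceable handling policy at the implementation stage, here is an added example (not code from the original article or from GreenM): a constructed patient-record schema is mapped to the four levels above, and a per-level policy decides what a third-party integration may receive. Field names, audiences, and the policy table are assumptions for illustration.

```python
"""Classification-driven handling of a record before it leaves the platform.

Constructed example: the schema, levels per field, audiences and policy
table are assumptions, not a real platform's configuration.
"""
import hashlib

# Four classification levels, from most to least sensitive.
LEVELS = ("restricted", "confidential", "internal", "public")

# Constructed classification of a patient-record schema (assumption).
FIELD_CLASS = {
    "ssn": "restricted",
    "diagnosis": "restricted",
    "patient_id": "confidential",
    "email": "confidential",
    "attending_team": "internal",
    "clinic_city": "public",
}

# Handling policy per level and audience (assumption):
# "pass" keeps the value, "pseudonymize" replaces it with a keyed one-way
# token, "drop" removes the field entirely.
POLICY = {
    "restricted":   {"internal": "pass", "third_party": "drop"},
    "confidential": {"internal": "pass", "third_party": "pseudonymize"},
    "internal":     {"internal": "pass", "third_party": "drop"},
    "public":       {"internal": "pass", "third_party": "pass"},
}


def pseudonymize(value: str, salt: bytes) -> str:
    """Keyed, one-way token: a partner can join records without learning the value."""
    return hashlib.sha256(salt + value.encode()).hexdigest()[:16]


def prepare_for_sharing(record: dict, audience: str, salt: bytes):
    """Apply the per-level policy to each field and return (shared_record, audit_trail).

    Fields missing from FIELD_CLASS are treated as restricted (fail closed).
    """
    shared, audit = {}, []
    for field, value in record.items():
        level = FIELD_CLASS.get(field, "restricted")
        action = POLICY[level][audience]
        if action == "pass":
            shared[field] = value
        elif action == "pseudonymize":
            shared[field] = pseudonymize(str(value), salt)
        audit.append((field, level, action))  # evidence for the audit stage
    return shared, audit
```

The audit trail returned alongside the sanitized record documents, per field, which policy was applied, which is the kind of evidence the auditing stage above asks for.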
Security is not a state but a cyclical process. Regardless of where the company is now, this plan is always relevant. The set of steps is the same at every scale: from the introduction of a new feature, to the product, to the company as a whole. It is crucial that data engineering follows every step of this process.
The number of integrations with third-party and fourth-party systems is growing exponentially. In view of this, security requirements become more complex. Therefore, all stakeholders should have a transparent data management strategy.
Efficient systems need to collect data that current systems cannot access. Hence, new systems must be integrated into the overall healthcare ecosystem. Creating or optimizing such a system requires profound domain expertise.
The good news is that, whether you are at the very beginning of the journey with a product idea or already operate a large functioning platform, you can arrive at a successful data security infrastructure. Step by step, starting with auditing and continuing to build strong data governance, you can transform the platform to meet modern technical and business requirements.
Telehealth.HHS.gov, Policy changes during the COVID-19 Public Health Emergency
Foley & Lardner LLP, COVID-19: Privacy and Cybersecurity Regulatory and Enforcement Guidance
Feldesman Tucker Leifer Fidell LLP, CLIENT ALERT: Compliance with Federal Patient Confidentiality Laws and Regulations During and After COVID-19
Databricks Inc., What is a Lakehouse?
OWASP Foundation, Inc., OWASP Application Security Verification Standard
SecurityMetrics Inc., How to Manage a Healthcare Data Breach
Healthcare Information and Management Systems Society, Inc., Healthcare Cybersecurity During COVID-19 and How to Pivot
Trustwave Holdings, Inc., 2020 Trustwave Global Security Report
Copyright © 2021 GreenM, Inc. All rights reserved.