
May 11, 2017

Protecting Patient Health Information - A Hard Look

Posted by Sanjay Dalwani at 4:05 AM

Protecting Patient Health Information with the 'Zero Trust Model'

In the recent past, information systems in healthcare organizations have become vulnerable to hacking, which in turn makes patient data susceptible to misuse. A 2016 study pegged the cost of data breaches in the healthcare industry at $6.2Bn. While some of these breaches were small, the major ones affected millions of people. Banner Health, one of the largest nonprofit health systems in the US, suffered a data breach in 2016 that compromised the details of 3.7 million patients. Hackers gained access to the organization's data through the point of sale (PoS) system.

One reason healthcare organizations have become soft targets for hackers is that they store a large amount of sensitive customer data. Usually this data is stored in a single database, so when hackers gain access, they access the entire cache. This personally identifiable and health-related information is also valuable to organizations in a number of other industries. In this blog post, I highlight areas that make healthcare organizations vulnerable to hackers and discuss possible ways to address the problem.

Locating vulnerabilities that lead to security breaches

Just as in other industries, data and technology are coming together as key drivers of the healthcare industry. Organizations are still firming up strategies to collect, store and analyze their data. They are also trying to formulate AI-driven solutions that they can leverage to personalize patient engagement. The lowering of security to facilitate integration with apps and software is also contributing to vulnerabilities in the healthcare ecosystem.

  • Connected devices and open networks - Healthcare organizations, with their complex network of connected devices such as medical devices, HVAC systems, patient portals, wearables, and even Point of Sale (PoS) terminals, provide a potential entry point for hackers. Add to this open Wi-Fi networks and an increasing number of third-party apps, and you can guess why this connected existence becomes even more hack-prone.
  • Business landscape is complex and fluid - Healthcare organizations collect data on individual health, socioeconomic factors, genetic factors, as well as resource use, outcomes, financing, and expenditures. This data is accessed by multiple stakeholders among payers, providers and compliance authorities. As patient requirements and organizational complexity expand, mapping the flow of sensitive data within the enterprise becomes difficult. Adding to this difficulty are the changes that this data undergoes as business and network configurations change. In case of an attack, it becomes almost impossible to secure this sensitive and highly dispersed data.
  • Limited budgets - Healthcare security budgets continue to lag behind those of other industries. According to Forrester, healthcare organizations spend 23 percent of their IT budget on security; other critical infrastructure industries such as utilities and telecom spend 35 percent.
  • Regulations alone don't suffice - Data is becoming a new currency. And while the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 set a minimum standard for data security, they alone are not adequate. Healthcare organizations need to consider policies that allow for continuous monitoring of this data and put in place robust technology that facilitates encryption.

In my opinion, one way to limit the risk associated with a breach is to change the approach to security. Business leaders need to move away from network-driven security toward data-driven security and view security through a holistic lens that includes business risk.

Developing a security-first culture

For security systems and practices to keep hackers at bay, organizations need to adopt a 'security first' culture. Security needs to be reviewed not just from an application or a node perspective, but from a business perspective as well - that is, loss of brand equity, reduced customer trust, financial loss and regulatory penalties. Mobile devices have especially put healthcare organizations at a security risk. IT infrastructure needs to be constantly checked to ensure it can withstand an attack. Additionally, other systems need to be put in place to quickly analyze business impacts so that remedial action can be taken. These systems need to deliver immediate visibility and analysis, and facilitate a faster response to contain the intrusion.

It is important for healthcare organizations to identify behavioral indicators of an intrusion. This is difficult if done through monitoring tools alone. People are usually the weakest link in the security system. Healthcare players need to create, communicate and enforce security policies that continuously engage people, helping and enabling them to make security a priority.

Comments

It's a good action taken by Infosys, because health plays a major role than else. It should not be disturbed or truncated to negative.

It was good to know about it

It's shocking to hear that hackers are targeting health care organisations.
As mentioned above they are targeting the weakest link in the security system.
Here security is the main priority. Thus the health care organisation must take necessary steps to ensure more complex security measures in the database.

Cyber security, Data Security and network security are the three fields in which we are not even aware fully and we like you companies (Infosys) are developing software application products without taking much care about these fields.
As a customer we should be first familiarize with Cyber Forensics and rules under these violation. As such country like India is running world of piracy and data copies from research paper, books and software application as independent open source.
Enjoy as free as possible.

Regards

Mukesh Chauhan


It was good to know about it.. very good action taken by Infosys.. 👍

In times when a vast amount of sensitive data is generated every day, data and network security must be of utmost importance for any organization, with consistent innovation in these domains.

It is a good thing to know about Infosys

Proud to be with Infosys 😊👍👍👍

Good to know about Infosys
