The world is currently at a critical juncture where the digital revolution intersects with the fundamental right to privacy. Technology has become pervasive in offices, marketplaces, and homes. Desktops, laptops, smartphones, tablets, and other devices play a vital role in the operations of businesses like Airlines, Healthcare, Transportation, and governments. The explosive growth of e-commerce has transformed how organizations offer goods and services.
Also, post-pandemic, individuals have become more accustomed to various online transactions from goods providers, medical agencies, utilities, governmental offices, and financial institutions. Consequently, a massive amount of data is being generated, which shapes markets, supports informed decision-making, controls costs, and drives revenue. However, to fully reap these benefits, proper management, governance, and security of data are essential parts of the process.
The owner of data might be concerned about the potential exposure of sensitive information to individuals or applications without authorization. Leadership might be wary of security breaches or even of misuse of technology infrastructure. A major concern also lies in how authentic the data is and its processes. Thus, one of the key benefits of Data Governance is that of safeguarding Data and the processes linked with it.
Today Data Protection is a common jargon in all industries but effective implementation of users’ data in sectors like healthcare, government, and financial services where they routinely deal in sensitive data, it’s a must-have. The healthcare industry has been dealing with medical records for decades and it’s unarguably the most sensitive information. As healthcare providers have increasingly embraced digital tools for record-keeping, the industry has experienced globally known incidents of phishing and data misuse. Lately, Data Breaches incidents have too common and Data Protection in the Healthcare industry is now being taken seriously.
A recent study conducted by Emsisoft focuses on the repercussions of security breaches in the healthcare sector, where hackers demanded large ransoms from healthcare businesses. In 2019, it reached record levels, costing the healthcare industry over $7.5 billion just in the US, where over 100 government agencies, over 750 providers, nearly 90 universities, and more than 1,200 schools have been affected.
The results were not just an inconvenience of expense but a massive disruption to healthcare delivery: surgeries were postponed, and in some cases, patients had to be transferred to other hospitals to receive the urgent care they needed. In the United Kingdom, the ransomware cyberattack that affected more than 60 trusts within the United Kingdom’s National Health Service (NHS) spread to more than 2,00,000 computer systems in 150 countries, and the list continues to grow. Related to this is Cyber insurance and you must know about it.
A data breach in healthcare can occur in several forms. It could be a criminal cyberattack to access protected health data for the purpose of committing medical identity theft, or an internal healthcare employee viewing patient records without authorization. Organizations in the healthcare industry need to be very diligent in protecting sensitive information on patients’ medical, financial, and other types of datasets. They must stay on top of this 24/7, throughout the entire operations by educating employees and by utilizing best–in–class security tools and best practices for the industry.
Data protection cannot be rigid and unchanging. Instead, it has to be agile to take account of changes in business processes and respond to observed new threats. Data protection must be carried out at multiple levels to provide defense in depth. Here are some of the recommended best practices for the healthcare industry.
Planning Data Protection in Healthcare
Lineage and Quality: Healthcare institutions should track the lineage and quality of patient data to ensure data integrity and maintain trustworthiness. This involves monitoring data sources, data transformations, and any changes made to the data throughout its lifecycle.
Level of Protection: Determine the appropriate levels of protection for different types of healthcare data, such as personal health information (PHI) and electronic health records (EHRs). Specify the type of protection, such as encryption or access controls, to be implemented at each level.
Classification: Categorize healthcare data assets based on their sensitivity and importance. This could include classifying data into different levels based on Health Insurance Portability and Accountability Act (HIPAA) regulations, such as protected health information (PHI) and non-public health information (non-PHI). Implement appropriate security measures based on the classification level.
Healthcare Data Protection in the Cloud
Multi-Tenancy: When storing healthcare data in the cloud, ensure that proper isolation measures are in place to separate data from other tenants. Consider using dedicated instances or private cloud environments to minimize the risk of unauthorized access or Data breaches.
Virtual Machine Security: Implement robust security measures for virtual machines (VMs) to protect healthcare data from unauthorized access. This includes regular security patching, strong access controls, and intrusion detection systems.
Physical Security of data
Physical Security: While cloud providers handle the physical security of their infrastructure, healthcare institutions should verify the provider’s security measures, such as access controls, surveillance, and disaster recovery plans to prevent data breaches. Additionally, consider the physical security of on-premises infrastructure where applicable.
Security in Transit: Establish secure network connections when transmitting healthcare data to and from the cloud. This involves using encryption protocols (e.g., SSL/TLS) and virtual private networks (VPNs) to protect data in transit.
Virtual Private Cloud Security Controls (VPC-SC): Configure appropriate security controls, such as Virtual Private Cloud Security Controls VPC-SC, to prevent data exfiltration. Use network segmentation, firewall rules, and intrusion detection systems to monitor and control data flows within the cloud environment to stop or prevent any possibility of Data Breaches.
Cloud IAM: Implement strong identity and access management (IAM) practices in the cloud environment. Use role-based access controls (RBAC), two-factor authentication (2FA), and regular access reviews to ensure that only authorized individuals or systems can access healthcare data and resources.
Identity and Access Management
Authentication and Authorization: In addition to Cloud IAM and row-based security, healthcare institutions should implement strong authentication mechanisms specific to the industry. This may include multi-factor authentication (MFA) for accessing sensitive healthcare data and systems.
Role-Based Access Control: Establish granular access control policies based on roles and responsibilities within the healthcare institution. Ensure that data science users are assigned appropriate access levels and permissions based on their specific needs.
Encryption of Healthcare Data: Assess the need for encryption for different types of healthcare data, especially when it is stored, transmitted, or processed outside of controlled environments. Utilize strong encryption algorithms to protect data at rest and in transit.
Differential Privacy for Data Sharing: Explore the application of differential privacy techniques in sharing healthcare data for research purposes. Differential privacy adds noise to the data, preserving individual privacy while still enabling useful insights to be derived from the aggregated data.
Audit Logs and Monitoring: Implement robust logging and monitoring mechanisms to track data access and usage by data science users. Regularly review access logs and audit trails to identify any unauthorized access attempts or suspicious activities.
Data Loss Prevention: Identify sensitive healthcare information, such as protected health information (PHI), and apply appropriate data protection measures. Consider techniques like data masking, tokenization, or anonymization to protect sensitive data during machine learning processes while maintaining its utility for analysis. This helps in preventing the possibility of Data Breaches.
Access Transparency: Continuously collect and analyze tracked access events through an automated security information and event management (SIEM) tool. Stay updated with evolving threats, vulnerabilities, and industry-specific regulations to adopt security measures and protocols accordingly.
All the industries are not much different than the healthcare industry with respect to data privacy and hence this is applicable to all. It is important for institutions in general to adopt systems and processes that minimize impulsive decision-making when addressing data breaches. Automation and well-planned and commented responses are key in dealing with a potential data breach. The ScikIQ data platform is specifically designed to improve data governance and management by providing actionable insights. By incorporating ScikIQ into their operations, institutions can establish internal data security controls, thereby reducing the likelihood of data breaches and enhancing regulatory compliance.
Evren Eryurek, Uri Gilad, Valliappa Lakshmanan, Anita Kibunguchy, Jessi AshdownData Governance: The Definitive Guide. People, Process and Tools to Operationalize Data Trustworthiness. March 2021.
Emsisoft Malware lab, “The State of Ransomware in the US: Report and Statistics 2019”, December 12, 2019.
Roger Collier, “NHS Ransomware Attack Spreads Worldwide”, Canadian Medical Association Journal 189, no.22 (June2017): E786-E787.
Andress, Jason. The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice.Syngress, 2011.