The years 2020 and 2021 will be bookmarked as the years when healthcare became a central theme of concern for the entire planet. But, as one looks one layer into this ecosystem, one sees the vast, convoluted, often redundant, and inefficient network of healthcare data security practices.
Each incumbent in the healthcare ecosystem – the insurance companies, data providers, hospitals, laboratories, pharmacies, MedTech companies, and even the patients, have different priorities. In the process of managing these priorities, healthcare data security often goes for a toss. And the world has been witnessing its repercussions for a while now.
It is high time we acknowledge and address the problems in data security with respect to healthcare.
The biggest challenges in healthcare data security
1. The security paradox of going digital
While going digital with electronic health records (EHRs) has been a convenient exercise for the medical ecosystem, it would be inaccurate to say it is 100 per cent secure, 100 per cent of the observable time. To an uninitiated eye, it might seem like stealing data from a physical file in an old hospital was easier than breaking into a database. But, the database operates at a much larger scale. When security is breached, the loss is more significant since there is more data at risk. This does not necessarily mean the digital transition has not unfolded the way it was supposed to. It just shows that as healthcare technology providers, consumers, and enablers, we have to focus on more robust healthcare data security protocols that are updated frequently.
2. User-enabled vulnerabilities
Building on the earlier point, most healthcare institutions understand the responsibility of having fortress-like security systems guarding the patient healthcare data. However, the patients are often provided access to their personal data. Now, who is supposed to ensure that they do not open the doors to vulnerable data sharing?
If one is mailing his personal healthcare data to a friend or putting it on the public cloud, who is to blame when such data is misused? Hence, while we design more secure healthcare data environments, we must also ensure that data mobility is either monitored or controlled. A possible solution can be to provide view-only access to personal healthcare data while staying compliant with the local laws and security norms.
3. Device-level security challenges
As we delve into the healthcare data spectrum, we have to zoom out and see what devices have access to editing, managing, or moving patient data. If one observes the trend, over 80 1 per cent of healthcare data is projected to pass through cloud channels. That provides convenience, and with data encryption, we should be able to solve the security challenges. However, the implicit insight here is that it is often challenging to encrypt the data used by a specific application at a specific time.
On top of this, some healthcare institutions, insurance intermediaries, and other incumbents of the healthcare ecosystem allow employees to use their personal devices at work. This is a pragmatic approach if you want to control your IT overheads. But, it throws the device-level security protocols out of the window. Without establishing a comprehensive application data-access program and cloud data encryption policy, no organisation, institution, or individual must access a patient’s electronic healthcare data.
4. Legacy technology
Most of us who have visited a government hospital or an old hospital in India would agree that the technology adoption rate is certainly not at par with the private healthcare counterparts. And, when you look at the budget allocations and approval hierarchy, it becomes apparent why software reaching its end of life and data infrastructure that does not match the industry security standards are is still being used across the ecosystem.
You can make any number of data protection, privacy, and accessibility laws. But, if the ground-up infrastructure does not align with such initiatives, that is all they will remain – initiatives. The targeted material impact will not be realised. It would be like saying that you have to safeguard some product and then wrapping it in brown paper instead of shock-absorbing layers.
5. The priority of compliance in spirit
This might seem like a lot to unpack, but governments and law enforcement systems across the globe have tried to capture the essence of data security in healthcare. It reflects in the number of laws by country, focusing on data privacy and security in the context of healthcare:
- EU and the General Data Protection Regulation
- Germany and the Patient Data Protection Act
- USA and the Healthcare Insurance Portability and Accountability Act
- Brazil and LGPD
- India and the Personal Data Protection Bill
- Thailand and the Personal Data Protection Act
And the list 2 goes on. The lawmakers have tried to envelop the problem with a solution they have access to – creating adoption frameworks, establishing legally binding policies, and then enforcing the laws. On paper, this should have mitigated the healthcare data security concerns across the globe. But, that would be like saying just because you have amended the accounting rules, you have mitigated accounting fraud.
The world does not operate this way. If it did, the USA – which has one of the largest networks of healthcare data privacy laws both in writing and in enforcement, wouldn't have witnessed consecutive data breaches where even the smallest incidents have impacted tens of thousands 3 of patients. And, to make it clearer, this is not a USA-specific problem. Every country focusing on prioritising the digitisation of its healthcare ecosystem will have to find a way of crossing this hurdle.
Several healthcare institutions, for- and non-profit interests, and intermediaries take the middle-ground–complying in spirit. As far as you are checking the boxes mandated by the law, you are compliant. This is done to control the compliance overheads. But, healthcare data security has to be a central function, not a subset of compliance. If it has to be clubbed, it should be clubbed with patient experience and not some back-office process analysed only when accounting for expense line items.
How can we solve the healthcare data security concerns effectively?
The first and probably the most important idea to be acknowledged is the idea of shared responsibility. Assuming that the hospitals are the ones managing the patient data and hence have to take the onus of responsibility for securing it in isolation is devoid of any material insight. If you have to visualise healthcare data security, you must imagine a network of touchpoints – patients, doctors, healthcare institutions, laboratories, healthcare IT platforms, intermediaries in the ecosystem, government bodies, and the employees at each of these organisations. Anyone who has virtual or physical access to such data in encrypted or unencrypted form is a part of the problem and hence has to be a part of the solution.
Now, to design a solution that has a high probability of effectively mitigating the healthcare data security risks, this framework should come in handy:
1. Create institutional accountability: dedicated cybersecurity centre
The major private healthcare institutions already have a dedicated IT team. But, even the smaller healthcare bodies need an agile team that can supervise the organisational scale of cybersecurity.
Such an arrangement would mean added responsibilities within the hierarchy. For instance, the hospital should have a tiered governance mechanism where data requests and movement alerts are escalated in near-real-time, providing someone with adequate authority & resources to quickly act. Just like hospitals have normalised an Ethics Committee, they should focus on a cross-functional Cybersecurity Committee.
The formalisation of this system would enable interfacing required to deploy several other solutions. For instance, the IT Team can better understand the requirements of doctors & physicians while the management team can easily access the IT Team’s requests for resource allocation.
2. Allocate adequate resources with margin of safety to the IT team
Following through to the earlier recommendation, the IT Team has to be empowered. The old school idea of looking at teams as profit or cost centres is broken. It does not allocate proportional resources to teams that are protecting the healthcare institution’s downsides.
Generally, IT Teams should be allowed deliberation on deploying a comprehensive healthcare management platform. Moreover, they should be equipped with tools that provide active visibility into data inventory, access statistics, workflow management, and governance tools.
In terms of execution, hospitals, laboratories, and other healthcare bodies can focus on working with technology providers who can provide ad hoc and out-of-box solutions. This would enable them to deploy standard solutions while inspecting their requirements and adapting features unique to their workflow.
3. Provide comprehensive training to each individual
No one can stress this enough – but training is critical at each level of data sharing. The training has to be two-level and divided into:
- Understanding the data sharing and security policies: The policies must be formulated top-down and must be bridged directly with the organisation's mission. This will create resonance among the employees once they understand the priority of healthcare data protection. Much like complying with the laws in spirit, the policies must show what each employee or data user is supposed to achieve. This way, even if they have to take immediate decisions that are out of the scope of the training, their perception will be guided to uphold healthcare data security concerns.
- Access to knowledge base for Standard operating procedures: Once the policies have been formulated, each data user should be mandated to undergo frequent and updated training for using the healthcare data. Such SOP-based training would ensure that there is consistent practice for accessing, managing, and mobilising data. If the organisation has also enacted the earlier recommendation of establishing an escalation matrix for data requests, filtering outlying data requests would become easier if everyone complies with the SOPs.
4. Simplifying the healthcare data value chain
This should have been the very first requirement, but professionals tend to underestimate the value of simplicity. Between data entry, database management, operational process tools, compliance & administration, and IT process management – a hospital might have a dozen tools across the healthcare data value chain. Even if one deploys every recommendation given here, it might be challenging to consistently monitor data security practices for each tool.
A simpler approach to healthcare IT management can open the doors to more secure healthcare data practices. At the core of the entire operation should be a singular platform that covers all the processes from the moment a patient enters the hospital to the point where she/he/they is/are discharged. This way, instead of managing tool after tool for each process, the IT Team can pay attention to ad hoc requirements that are extensions of this central platform.
It goes without saying that simplifying the healthcare IT process at hospitals with a federated platform can also provide room for deliberation across the spectrum. For instance, if the hospital’s internal IT platform and the patient-facing app have the same origins, it becomes easier for the IT Team to run stress tests, manage critical changes, and plan for upgrades.
No singular solution or framework can solve the pressing concerns in healthcare data security. However, parallel to the development in laws across the globe, if each incumbent in the healthcare ecosystem prioritises data security and uses the recommendations provided here, we will take a collective leap. To summarise, we have to focus on:
- Creating institutional accountability by establishing a data security escalation matrix and a crossfunctional supervisory body at each significant healthcare institution.
- Empowering the IT Teams with adequate resources.
- Providing comprehensive education to data users for data security policies and Standard Operating Procedures.
- Simplifying the healthcare data value chain by using federated platforms4 that provided integrated functionalities.