By Nandan Bhatkal, VP – Enterprise Solutions at Accops Systems Pvt. Ltd.
The Covid-19 pandemic has hit business environment very hard and organizations of all verticals are struggling to cope up with this harsh reality. While every industry is being faced with its own unique challenges, healthcare industry is one industry which is truly being tested like never before now, by the Covid-19 pandemic. Quick capacity expansion and optimized resource utilization are what healthcare providers are trying to achieve in order to serve more patients effectively and get through this pandemic. But in these trying times, it is important to not overlook cybersecurity, particularly with the recent sharp spike in cyberattacks all over the world.
The healthcare industry’s data management has seen dramatic shifts towards Electronic Health Record (EHR) and Electronic Medical Record (EMR) over the past couple of decades. The patients and the healthcare providers have tremendously benefited from this industry-wide technological transformation. However, with increased adoption of digital information exchange and IT solutions, the risks associated with data security also increases. Thousands of various users, doing multiple log-ins, from different devices, to access data from highly interconnected medical devices which rely on outdated systems, make cybersecurity management a tedious, complex process for healthcare providers.
Some reasons, why data security is critical for healthcare providers are:
1. Patient health records, has the potential to increase in value over time, and is more static and stable over long periods of time, compared to other sensitive data, say financial information like credit card, bank account details, which can be changed at will. This makes health and medical records a lucrative target for cyberattacks.
2. R&D and intellectual properties is one area where healthcare providers invest large sums of money, time and effort compared to other industries and is often an attractive target for cyberattacks
3. Unlike data involved in many other industries, there is a need for utmost sanctity and integrity of data used by healthcare providers, i.e. even the slightest of tampering to a data can impact the healthcare providers in several ways
4. Data theft involving a single health care provider not just affects the involved party, but has the potential to affect the entire industry, stake holders and the patient safety, through severe implications like stock manipulation, identity theft, supply chain disruption, sale of proprietary information.
Challenges in ensuring optimal data security
Although the above-mentioned reasons make cybersecurity a highly significant concern for healthcare providers, there are some challenges which make ensuring optimal security a tedious task, which are explained below
Difficulties in provisioning dedicated cybersecurity personnel:
A practical challenge in the face of several healthcare providers is the fact that it is not feasible for them to get an in-house information security personnel or a dedicated IT staff with cybersecurity as the core responsibility. So, the means of identifying and tracking threats and making use of threat data by creating actionable information, in a timely manner is something beyond the scope of several heath care providers. Moreover, with the exception of IT security personnel, other staff are not aware of their security vulnerabilities, or the magnitude of the problem posed by security issues. What magnifies this problem is the fact that healthcare industry is highly interconnected and for this reason, data from not just the large organizations but also from small and medium sized healthcare providers are also targeted by cyberattacks.
Higher dependencies on legacy systems:
Compared to other industries, health care providers tend be working more with legacy systems, most of which are unsupported. These systems were not built to tackle or resist the security threats of today and are highly vulnerable and prone to security issues. The application dependencies and device dependencies on these legacy systems mean that it is highly difficult to replace, update or upgrade these unsupported systems with modern, more secure systems. Overcoming the dependencies on legacy systems in a long-term process, and while in the middle of such a process, finding a way to ensure security can prove to be arduous.
Complex, heterogenous user environment:
The high mobility and complexity of the user groups can make ensuring security a taxing process for all healthcare providers. Healthcare providers see an unmatched diversity of the users – patients, nurses, doctors, finance and accounting users, vendors. All these users need on-demand access to sensitive information for smooth and productive functioning. Provisioning each user with anywhere, anytime access, opens doors for data leakage and unauthorized access.
How can healthcare providers ensure optimal data security?
Healthcare providers need to be proactive in their approach to data security rather than being reactive. Some steps that healthcare providers can take towards ensuring complete data security and preventing data leakages (intentional or unintentional) are,
End user computing virtualization: By virtualizing applications, higher degree of data security can be ensured. As business applications and data safely reside in virtual environment, no data ever enters user devices, mitigating all endpoint data leakage related issues. Virtualization makes user endpoint nothing but dumb terminals. Another advantage of virtualizing applications and desktops, is that data backup takes place automatically, saving costs and time.
Going beyond passwords for authentication: Passwords alone are not enough to provide strong authentication anymore. By only using a password for authentication, possibility of identity thefts is very high as anyone who can steal a password can have access to the entire network. Multi-factor authentication provides an added layer of security
Provision granular audit logs and reports: Identity and access management system must be capable of providing details on who accessed what, when and from where. Such granular logs, apart from ensuring data sanctity also helps in ensuring regulatory compliance
Granular access policies and contextual access: Healthcare providers must not just make use of the roles and user groups provided by the EHR vendors. By configuring access policies at a more granular level, context driven assessment of access request can be enabled. The access request has to be evaluated based on parameters like security posture, geolocation, time, device used, security post.
Most of security systems that are currently utilized by healthcare providers are not capable of tackling the modern-day, highly evolved cyber threats. It is high time that the healthcare providers adopt a modernized and more powerful approach to tack the security issues.
