How to protect patient data that’s being shared widely
Healthcare is a prime target for data breaches, and providers and life science firms will likely face more security risks as they increasingly interact directly with each other in the healthcare ecosystem.
According to Accenture, a healthcare data breach has affected one in every four Americans, and threats don’t appear to be slowing down. Security firm Symantec warns of a new hacker ring targeting large healthcare organizations in the U.S. and elsewhere.
Healthcare is a prime target for cyber thieves because records are highly valuable. The Ponemon Institute states that a healthcare record—including name, birthdate and Social Security number—can net $50 on the black market vs. $3 for credit card information, because a health record can be used for a longer time before detection.
Also, many healthcare enterprises are easier targets—they increase their vulnerability by relying on aging IT architecture, outdated software and ever-increasing endpoints and data sharing.
The data security threat will increase exponentially as the industry embraces the use of real-world evidence (RWE), which works by gathering data from new and dispersed sources and sharing that information throughout the healthcare ecosystem, including providers and payers. In the traditional clinical trial model, data is highly controlled and only shared among well-vetted traditional partners and the FDA.
A 2017 KPMG survey states that sharing data with third parties is one of the biggest vulnerabilities healthcare organizations face. As more data is shared between providers, payers and even consumers to gather key RWE, life sciences organizations will face new security challenges. Data sharing expands the attack surface for hackers—the traditional “network” becomes dispersed and often sits outside the organization’s four walls, rendering the “bigger wall” strategy for protecting information ineffective. Now, not only will an organization’s own employees be “phished,” but so will workers at every organization it shares data with. This increases the chances of an inadvertent or even intentional insider breach. To combat that, the data needs to be secured in the database, not just at the network level.
Organizations throughout healthcare will be better protected if data security includes:
- Granular access controls: These enable enterprises to control who—scientists, doctors or payers—views what data, how long they can access that data, and what they can do with it. Controls and security policies need to be centrally enforced so different business units aren’t left to enforce them. Insurer Anthem has agreed to install strict access controls as part of its settlement stemming from a 2015 cyberattack that resulted in the unauthorized access of information from 79 million individuals.
- Redaction and anonymized data: These work together to enable sharing of the right data with the right people. Redaction and anonymized data are often required when providing data for analysis by data scientists. For example, drug researchers who get data on one patient from three data sources don’t see the patient name but can still be confident the records are for the same person; doctors may be able to see patient names but not Social Security numbers, depending on the particular use case.
- Element level security: Today, most organizations have document level security. Billing doesn’t see patient data regarding drug responsiveness; nurses don’t see billing data. Element level security provides finer-grained security by enabling security administrators to apply additional controls to individual parts of a document, down to the lab value, for instance, or down to the word. This gives enterprises confidence that they can share what needs to be shared without exposing other data.
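The three controls above can be combined in one centrally enforced, element-level policy. The following is an added illustration, not code from the original article or from any vendor it mentions: a single role-based policy decides which fields of a patient record each role sees, replaces the identifier with a keyed pseudonymous token so researchers can link the same patient across sources without seeing who it is, and drops everything else. The records, roles and linkage key are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample: one patient as reported by three separate data sources.
# Every value is made up for illustration.
SOURCES = [
    {"source": "clinic", "name": "Jane Doe", "ssn": "123-45-6789", "dob": "1970-01-01",
     "drug_response": "responder", "billing": {"amount": 120.0}},
    {"source": "lab", "name": "Jane Doe", "ssn": "123-45-6789", "dob": "1970-01-01",
     "lab_value": {"hba1c": 6.1}},
    {"source": "pharmacy", "name": "Jane Doe", "ssn": "123-45-6789", "dob": "1970-01-01",
     "drug_response": "responder"},
]

# Central element-level policy (hypothetical roles): per role, which fields are shown
# as-is and which identifier is replaced by a pseudonymous token. Every other field
# is removed, so a new field added by a source is hidden by default.
POLICY = {
    "doctor":     {"show": {"name", "dob", "drug_response", "lab_value"}, "tokenize": set()},
    "researcher": {"show": {"dob", "drug_response", "lab_value"},         "tokenize": {"ssn"}},
    "billing":    {"show": {"name", "billing"},                           "tokenize": set()},
}

# Secret held only by the policy service, never shipped with the data.
# Placeholder value; in practice it comes from a key management system.
LINK_KEY = b"placeholder-linkage-key"


def patient_token(identifier: str) -> str:
    """Keyed hash of the identifier: identical across sources, not reversible without LINK_KEY."""
    return hmac.new(LINK_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def apply_policy(record: dict, role: str) -> dict:
    """Return the view of one record that the given role is allowed to see."""
    rule = POLICY[role]
    out = {"source": record["source"]}
    for field, value in record.items():
        if field in rule["show"]:
            out[field] = value
        elif field in rule["tokenize"]:
            out["patient_id"] = patient_token(value)
        # Any other element (e.g. ssn for a doctor, name for a researcher) is dropped.
    return out


def view(role: str) -> list:
    """Apply the policy to every source record for one role."""
    return [apply_policy(r, role) for r in SOURCES]
```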
Data security is a big challenge. A KPMG survey found that the good news is providers say they’re better protected than they used to be, although much more needs to be done. Cybersecurity Ventures predicts that providers are also spending on security, exceeding $65 billion in total from 2017 to 2021. It will be critical for that investment to be focused on data-level security.