Today we are back with a topic on the healthcare security landscape and how it has changed over the last two decades. As we all know, the US government enacted a law named HIPAA (Health Insurance Portability and Accountability Act) in August 1996 to protect healthcare data from being misused. While the initial intent of the law was to improve the portability and accountability of data for employees switching jobs, it also provided protection against waste, fraud and abuse in health insurance and the delivery of care. Gradually, as we all know, HIPAA brought in different rules, namely
· Security rule
· Privacy rule
· Breach Notification Rule
· Omnibus Final Rule
While we are not covering the details of all the rules, we are covering how the digital health landscape has consistently evolved to meet these requirements. Since 2009, healthcare digital app players have had to adhere to a standardized set of requirements driven by HITECH (Health Information Technology for Economic and Clinical Health Act). HITECH compelled and pushed healthcare covered entities to implement Electronic Health Records (EHRs) in alignment with the Meaningful Use incentive program, resulting in the majority of app players adhering to the Meaningful Use certification criteria.
What info is protected?
As we know, e-PHI (electronic Protected Health Information) is the information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Examples of individually identifiable health information include demographic data that relates to:
· the individual’s past, present or future physical or mental health or condition
· the provision of health care to the individual, or
· the past, present, or future payment for the provision of health care to the individual, and
that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.
Where does an organization start?
While dealing with HIPAA, organizations must take a holistic view of their data journey. Once you have established your security and privacy office, you must first assess how e-PHI data is generated, transmitted and stored in the systems under the organization's control. Whether you are a covered entity or a Business Associate serving a covered entity, you must ensure the chain of trust is maintained across downstream systems. From training the people in the organization to periodic risk assessments against the drafted policies and procedures, the CISO office must ensure adherence to all the rules.
Building Apps that are compliant:
While building apps that will host e-PHI, one must carefully discover and design the security architecture in adherence to the principles of a Secure by Design development approach. So, whether you are on premises or in the cloud, one must carefully implement the different security best practices to achieve a higher security posture in your environment. For example, AWS introduced Security by Design (SbD), a security assurance approach that enables customers to formalize AWS account design, automate security controls, and streamline auditing.
At a minimum, one must carefully consider the different infrastructure security needs around –
· Identity and Access Management
· Data encryption at rest and in transit
· Use of VPN and different subnets
· Use of Web Application Firewalls
· Use of monitoring tools
· Data resiliency
· Use of threat detection tools that go beyond antivirus
Whether you are on AWS or Azure, these are the basic requirements one must adhere to.
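As an added illustration (not code from this post, from AWS or from any vendor), here is a small policy-as-code check in Python that evaluates a constructed inventory of resources against the minimum checklist above, reporting a weak EHR bucket beside its hardened counterpart; the resource names, control names and finding text are assumptions made for the example.

```python
from dataclasses import dataclass

# A resource is described by the controls it has; False (or a missing key) means the control is absent.
@dataclass
class Resource:
    name: str
    kind: str       # "datastore" or "webapp"
    controls: dict  # control name -> bool

# Minimum controls per resource kind, mapped to the checklist item in the post and the
# finding reported when the control is absent (control names are assumed for this example).
REQUIRED = {
    "datastore": {
        "encrypted_at_rest": "ePHI not encrypted at rest",
        "tls_only": "ePHI can be transmitted without TLS",
        "private_subnet": "datastore reachable outside VPN/private subnet",
        "backups": "no backups for resiliency/ransomware recovery",
    },
    "webapp": {
        "mfa_required": "admin access without MFA (identity and access management)",
        "waf_attached": "no web application firewall",
        "monitoring": "no access/audit logging shipped to monitoring",
        "threat_detection": "no threat detection beyond antivirus",
    },
}

def check(resource: Resource) -> list:
    """Return one finding per required control the resource lacks; a missing key counts as absent."""
    required = REQUIRED[resource.kind]
    return [msg for ctl, msg in required.items() if not resource.controls.get(ctl, False)]

def audit(resources) -> dict:
    """Map each non-compliant resource name to its findings; compliant resources are omitted."""
    report = {}
    for r in resources:
        findings = check(r)
        if findings:
            report[r.name] = findings
    return report

# Constructed sample inventory (not pulled from a real account): a weak EHR bucket beside its hardened twin.
WEAK_BUCKET = Resource("ehr-records-weak", "datastore",
                       {"encrypted_at_rest": False, "tls_only": False, "private_subnet": False})
HARDENED_BUCKET = Resource("ehr-records", "datastore",
                           {"encrypted_at_rest": True, "tls_only": True, "private_subnet": True, "backups": True})
PORTAL = Resource("patient-portal", "webapp",
                  {"mfa_required": True, "waf_attached": True, "monitoring": True, "threat_detection": False})

if __name__ == "__main__":
    for name, findings in audit([WEAK_BUCKET, HARDENED_BUCKET, PORTAL]).items():
        print(f"{name}: {'; '.join(findings)}")
```

In a real deployment the `controls` dictionaries would be populated from the cloud provider's configuration API or an infrastructure-as-code scan rather than typed by hand.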
Rise of Privacy Regulations
Besides HIPAA, recent developments in the privacy space such as the CCPA (California Consumer Privacy Act) / CPRA (California Privacy Rights Act), CDPA (Copyrights Designs and Patents Act), or the GDPR (General Data Protection Regulation) are having a two-fold effect: increasing awareness and enhancing consumers' privacy rights.
Over the years the primary attacks on healthcare systems have morphed into data breaches and ransomware attacks. Attackers with malicious intent use sophisticated ransomware and blackmail healthcare companies into paying large sums of money. Until a few years ago, companies having dedicated ransomware negotiators or first responders to tackle this nuisance was unheard of; however, they are common in 2021.
All security vendors and top attorneys have dedicated teams of ransomware negotiators and first responders. This has also led to the rise of advanced threat detection and other emerging technologies.
Rise of Healthcare Blockchain
By now it is evident that the healthcare industry faces a two-fold problem: data breaches, where attackers publish confidential patient information or health records, and ransomware, where attackers hold patient information or health records to ransom using malicious software. Looked at together, both problems come down to the same thing: keeping patient healthcare records both accessible and secure.
This is where the healthcare blockchain will be very handy. Many companies have emerged in this space recently, providing a healthcare blockchain to store patient health records.
The blockchain is a decentralized, encrypted store where only those with the right key are able to access their own records. The blockchain will bypass traditional malware or ransomware attacks against it, keeping patient information safe and secure.
The healthcare blockchain aims to keep a decentralized ledger of patients' healthcare records. Like everything on the blockchain, each record would be encrypted and accessible only by the owner of that record.
Digital health news making headlines in this space –
Blockchain-based healthcare platform to provide decentralized health data management services to Mongolian insurance provider
MAPay to Implement Blockchain-based Solutions on Algorand to Reduce Healthcare Cost in Bermuda
UPS Healthcare Partners with THREAD to Deliver First Decentralized Clinical Trial Platform
Cloud security firm Panther Labs raises fresh funds at $1.4 billion valuation
HHS launches website for healthcare cybersecurity resources
HITRUST to Address Market Gaps in Reliability and Challenges in the Exchange of Security and Privacy Assessments
Playback Health, Northwell Health team up on digital front door initiative and other digital health deals
Let us know what you think of the content. If you have similar news and would like to share your story on digital health, please feel free to write to us at email@example.com.
Health Viva Team