Compliance with a healthcare-specific data security framework reduces cyber risks, while certification establishes trust between players.
Cybercrime against the healthcare industry is rampant. During last year’s largest single data breach, the records of 79 million clients were stolen from a US health insurer. The current year saw many incidents as well, including a large number of high-profile ransomware attacks, with hospitals being targeted for payments in bitcoins. Why are there so many cyber attacks in the sector and what can be done to improve security and trust?
Healthcare IT market is growing around new models
Information technology increasingly supports doctors and patients to improve healthcare delivery. The administrative backbone in this process is the electronic health record (EHR), where all patient information is stored. The information in the EHR is also critical for the large ecosystem of stakeholders that support healthcare delivery. Hospital organisations, health insurers, researchers and health authorities leverage the same pool of data. Cloud technology makes it possible for the records to be managed, stored and accessed anywhere in the world at any time. It has also enabled outsourcing to BPO vendors in India and other countries across the globe, a cost-efficient solution for healthcare organisations that want to focus on their core business. Leading vendors include Accenture, Cognizant, Infosys, TCS and Xerox. The global healthcare BPO market is predicted to grow at a CAGR of more than 10% in the next five years to reach $270 billion in 2021, mainly driven by the US healthcare market.
Potential costs of cybercrime are very high
While sharing patient data is key to better healthcare outcomes, patient data are also very much sought after by cybercriminals. According to a recent study by Symantec, stolen patient data can fetch up to 50 times more than a social security number or a credit card number on the black market, because a patient’s EHR contains data that can be used for multiple fraud purposes. That is why cybercrime in the healthcare sector is widespread. A study from the Ponemon Institute found that nearly 90% of all healthcare organisations suffered from a data breach in the past two years. To make matters worse for the industry, the financial consequences of stolen patient data are relatively high, as a person’s medical records are not as easily replaced as a credit card number. The Ponemon Institute estimates that the total costs of data breaches for the healthcare industry could be as much as $6.2 billion per year.
Healthcare firms look beyond regulation for trust
Large incidents have put the industry on alert. Regulation and standards are in place to increase IT security. In the US, the Health Insurance Portability and Accountability Act (HIPAA) includes national standards for electronic healthcare transactions and security. The Privacy Rule and the Security Rule were added to protect the confidentiality, integrity and availability of electronic protected health information. Furthermore, the Hitech Act, implemented to support meaningful use of EHRs, strengthens and reinforces security standards of HIPAA.
Yet despite the sense of urgency and the government regulation, the healthcare sector ranks very low in security infrastructure, and security professionals lack confidence in their ability to mitigate risks. That is why the healthcare sector is aiming to set higher standards in data security.
Common security framework to establish trust
With the healthcare industry becoming a major target for cybercriminals, the proliferation of EHRs has created a data-heavy environment, while networks comprising thousands of providers continue to present an enormous attack surface for potential data breaches. Also, a large percentage of healthcare enterprises are likely to be affected by phishing schemes, as a lack of effective security awareness training and employee security awareness programmes often compounds the danger of increased attempts, resulting in more security incidents.
HIPAA is very much compliance-oriented and healthcare organisations find that compliance with regulation alone is no longer sufficient. In fact, the Hitrust Alliance, supported by some of the major healthcare IT industry leaders, has developed a common security framework for the healthcare sector. It sets security controls and requirements based on multiple regulations and standards, including HIPAA and Hitech, but also incorporates standards from other industries. The framework has a prescriptive and risk-based character, and is used as a foundation for data security assessments.
Hitrust—in collaboration with public and private healthcare technology, privacy and information security leaders—has championed programmes instrumental in safeguarding health information systems and exchanges while ensuring consumer confidence in their use. Hitrust has a common security framework (CSF) that can be used by an organisation within or outside the healthcare industry that creates, accesses, stores or exchanges personal health and financial information. It is a framework that organisations consult, yet few actually use for attestation. In addition to CSF, Hitrust programmes also include an assessment and assurance methodology; educational and career development; advocacy and awareness; and a federally-recognised cyber Information Sharing and Analysis Organisation (ISAO) and supporting initiatives.
Healthcare organisations apply these standards to themselves, but increasingly demand from their IT vendors that they uphold the same standards. To facilitate this, certification by independent third parties (assessors) will provide an assurance that controls are in place. Vendors can evidence that they are a trusted partner for the healthcare sector. In fact, in a global setting, international certification is a good way to take away concerns about differences in legislation between countries and establish trust. For India’s healthcare BPO providers, international certification is a critical business factor to be able to claim their stake in the growing global and US medical process outsourcing industry.
The article first appeared in Financial Express on 17th January.