The healthcare industry is facing some big challenges right now when it comes to data protection. The staff at MedStar Health, a network of hospitals and clinics in Washington DC, was recently forced to go offline and back to paper charts to record data when computer systems were hacked. And as TechRepublic has previously reported, 110 million Americans had their health data security compromised in hacks in 2015. IoT-connected healthcare devices pose a particular challenge since this is such a new and rapidly changing area of focus for companies.
We talked with John Barco, VP of Product at security software maker ForgeRock; Sven Junkergard, CTO of Zephyr Health; and Lidia Fonseca, CIO of Quest Diagnostics, and asked them about best security practices when dealing with users' health data. Here are some takeaways:
1. Weigh the costs of collecting data vs. potential benefit to users.
"Data collection should be driven by the same principles as the overall design process," said Junkergard. "There are many reasons to collect data but at the end of the day, if they cannot be linked back to how the patient benefits, you should question why that data is being collected. Companies that are focused on a patient-centric approach are in fact doing this the best."
2. Know users' patterns, and have security measures in place if suspicious action is detected.
"It is no longer sufficient to simply authenticate and authorize users," said Barco. "Healthcare organizations should be looking for technologies that enable continuous security for connected users, things, and cloud services. It is not just a matter of credentials; it is a matter of circumstance. Does the patient, doctor, nurse, or device usually log in from Thailand? Do they usually log in from a desktop computer? What time does the login usually occur? What kind of data do they usually access? There are additional ways to authenticate the legitimacy of the user's identity and their access rights, whether with text codes, emails, security questions, or biometrics. If a suspicious action is detected, for example, a user moves from a protected network at the hospital to an unprotected network at the nearby coffee shop, you want to be able to apply step-up authentication and require further authorization for the session to proceed."
3. Be proactive and prepared for change.
Junkergard gave these two security management tips:
1. Ensure end-to-end secure management of the data. The days of seeing some aspects of the data transmission chain as inherently safe and not requiring any particular attention to data security are long gone. For each step, define what is necessary and appropriate. It will likely vary.
2. Be prepared to change as the environment around you changes. It is likely that compliance requirements and standards will evolve throughout the life-cycle of a device.
4. Take a look at security practices beyond what's covered by HIPAA.
"There are parts of the patient privacy area that are well defined and standard practice today such as some of the requirements associated with HIPAA," said Junkergard. "In other areas, going through a standard requirements definition phase where you define actors, roles and use-cases generally drive data access and patient privacy requirements. If that kind of design aspect is not already part of your existing process, I am a big believer in bringing in the right type of expertise that has gone through this process previously. Being proactive rather than reactive as it relates to anything security and privacy related tends to pay huge dividends down the line."
5. Give users control over who can access their data, for how long and under what conditions.
Traditionally, the medical world hasn't been quick to give patients access to their own health records, but Barco said that needs to change with IoT devices. "End-user or patient consent is crucial here. Healthcare providers need to seek out technologies that enable them to give patients control over their health data with user-managed access," he said. "For example, think about all the data relationships surrounding in-home patient care, the number of people getting access to patient data from wearables such as COPD patches, heart monitoring systems etc... Not everyone needs the same access to that data. A caregiver may only need view-only access and only for a month whereas the doctor could have access to download the data. A third party may request access and you, as the patient, should determine whether or not to grant access. And because this data is personal, whoever is requesting access should prove who they are with additional identity verification, thereby ensuring greater security."
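The caregiver, doctor and third-party cases above can be expressed as patient-owned grants that carry a scope, an expiry and an approval flag. This is an added example, not code from the article or from any user-managed access product; the `Grant` fields, reason strings and sample dates are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Grant:
    grantee: str
    scopes: frozenset             # subset of {"view", "download"}
    expires: Optional[datetime]   # None means "until the patient revokes it"
    approved: bool = False        # set only by the patient
    revoked: bool = False         # set only by the patient

def check_access(grants, grantee, scope, now, identity_verified):
    """Return (allowed, reason) for one request against the patient's grants."""
    if not identity_verified:
        return False, "identity not verified"
    grant = next((g for g in grants if g.grantee == grantee), None)
    if grant is None:
        return False, "no grant"
    if not grant.approved:
        return False, "awaiting patient approval"
    if grant.revoked:
        return False, "revoked by patient"
    if grant.expires is not None and now >= grant.expires:
        return False, "grant expired"
    if scope not in grant.scopes:
        return False, "scope not granted"
    return True, "ok"

T0 = datetime(2016, 4, 1)   # constructed start date for the sample grants

def sample_grants():
    """Constructed grants mirroring the caregiver/doctor/third-party case."""
    return [
        Grant("caregiver", frozenset({"view"}), T0 + timedelta(days=30), approved=True),
        Grant("doctor", frozenset({"view", "download"}), None, approved=True),
        Grant("third_party", frozenset({"view"}), None),  # requested, not yet approved
    ]
```

Every path except the last returns a denial, so a missing, unapproved, revoked or expired grant fails closed.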
6. Use good security practices as a jumping off point for innovation.
You've probably heard of Quest Diagnostics if you've ever had any kind of medical lab work done. They collect almost 500,000 samples for testing each day. Quest isn't involved in the IoT space, but has made the leap from just being a lab test provider to a data analytics company as well. Quest's informatics branch mines public health trends from de-identified lab test results, and the company has partnered with Inovalon, an analytics company, to create decision-making software for doctors, called Data Diagnostics, based on the huge amount of data gathered from lab test results. "Our move into analytics to a large degree builds on our existing capabilities and protocols for data security," said Fonseca. "Good data security procedures, whether for mobile devices or other platforms, foster the flexibility to accommodate new technologies."
Amy Talbott is an associate editor at TechRepublic. She edits CXO, mobility, and open source content, as well as research reports for Tech Pro Research.