The challenges of securing healthcare data

From July, one million Australians will have automatically had their personal health information uploaded onto the internet as the federal government rolls out its $1 billion e-health record system, My Health Record. This is on top of the already 2.7 million Australians currently using the system.

Digitising patient health records is not a novel idea. In countries such as Canada and the United States, electronic medical records (EMR) systems have achieved a much higher rate of adoption.

In fact, by 2014, three out of four US hospitals had adopted at least a basic EMR system. Since 2015 there have been financial penalties for US practitioners who have not converted to an electronic health record system.

Recently the NSW Government also announced its commitment to complete the rollout of electronic healthcare records as part of its e-health policy.

According to the Associate Professor of the Australian Institute of Health Innovation, Farah Magrabi, 97% of general practitioners now use electronic records, with more than 80% of care delivery in NSW hospitals supported by electronic records.

One of the challenges with this transition in Australia will be confronting new security obstacles and risks.

Healthcare data attacks on the rise

Because IT systems can often be out of date in the healthcare industry compared to other sectors such as finance, the potential for medical data to be stolen is higher, as are the chances of being hacked — due to the high value of healthcare records.

Protected health information (PHI) is now frequently used by hackers to buy medical equipment, buy drugs or commit healthcare fraud. Often this kind of breach will go undetected for months, unlike when a person has their credit card stolen.

The healthcare sector now experiences almost half of all reported major data breaches.

While hackers find PHI increasingly lucrative due to the nature of the data that they can steal, the threat surface is also expanding due to increasing use of devices within the medical industry.

Workforce mobility in particular is complicating the efforts to keep data secure, with 33% of healthcare employees working outside of the office at least once a week. In fact, 39% of healthcare security incidents are caused by stolen or misplaced endpoints.

PHI is becoming increasingly attractive to cybercriminals. In fact, health records typically fetch around 10–20 times more than credit card information on the black market.

According to Forrester, a single health record can sell for US$20 on the black market, while a complete patient dossier with driver’s licence health insurance information and other sensitive data can sell for US$500. In addition, the average profit per stolen health record is US$20,000, compared to just US$2000 for regular identity theft.

Protecting healthcare data

Data and device encryption is the first line of defence, but it is not the final cure. Most full disk encryption programs are vulnerable to cold boot attacks and all software-based encryption systems are vulnerable to various side channel attacks.

However, encryption can be bolstered by a persistent endpoint security solution. This means that the IT team can always be in control, even if a device is off the network or in the hands of an unauthorised user.

IT administrators can receive encryption status reports, monitor potentially suspicious devices and remotely invoke pre-emptive or reactive security measures such as device freeze, data delete or data retrieval.

Here are six key tips for healthcare organisations to help better manage their data:

1. Encrypt PHI that is stored on portable devices including laptops, tablets and smartphones.
2. Choose a persistent security and management software agent that will allow you to maintain a connection with a device regardless of user or location.
3. Run encryption reports to prove these solutions were in place and properly working.
4. Ensure your security software allows you to perform remote actions on the device such as data delete, data retrieval, device freeze and forensic investigations in the case of a security incident.
5. Review privacy and security policies and procedures and stay up to date with regulatory compliance requirements.
6. Learn from other organisations that have experienced a data breach — review these scenarios and make relevant adjustments to ensure you don’t suffer the same fate.