Securing Healthcare’s Digital Front Door
Chief Strategy Officer at ClearDATA, providing comprehensive cybersecurity solutions to make healthcare work better every single day.
The pandemic had a striking impact on the social, political and economic aspects of many countries. Despite the toll it’s taken on the healthcare system, this moment in history has spurred innovation. Advances in telehealth, digital pharmacy, remote patient monitoring and the rapid adoption of these kinds of digital health tools have provided meaningful patient impact and increased the interconnectivity among healthcare providers and their patients. Digital strategies that were expected to take 10 years to accomplish may now be compressed into three.
Since the pandemic made physical contact itself costly and so changed the patient experience, many healthcare organizations raced to create a “digital front door” through which a patient could handle routine interactions such as finding a doctor, scheduling an appointment, paying a bill, renewing a medication, communicating with a primary care physician and navigating the health system itself. Spurred on by the 21st Century Cures Act’s regulatory requirements to enable interoperability and to share patients’ data with them from disparate systems, multiple platforms, clouds and systems are being interconnected to create a digital front door to the healthcare system.
These paradigm and operational shifts for hospitals, healthcare systems and health insurers, while valuable to patient experience, come with significant risk. The digital front door increases the healthcare stakeholder’s attack surface, thereby expanding its opportunities for breach and exposure of personal health information (PHI), which can not only trigger HIPAA and GDPR non-compliance fines for data mishandling but also shut down healthcare operations, impacting patient safety.
Just this year, CVS Health accidentally leaked more than 1 billion records through an unsecured database it was using in its “front door,” and hospital and healthcare center cyberattacks across the country have resulted in millions of dollars in ransomware losses.
In this new age, where healthcare organizations are building their digital front doors, moving into the cloud and extending their legacy technology footprints through partnerships with innovative third-party health apps, it’s paramount to consider security posture in these four areas in order to protect sensitive data in the cloud.
1. Ensure Your Healthcare Cloud Footprint Is Configured Securely And Is Continuously Monitored
A recent report from IBM indicates that 19% of data breaches result from technology teams failing to properly protect the assets within their cloud infrastructure. These misconfigurations are typically human errors in key settings of the cloud components that store data and applications, and they increase the risk of malicious actors gaining access to sensitive patient data. Healthcare digital front door technology should be configured in the cloud in alignment with privacy and security frameworks (e.g., HIPAA, GDPR, NIST), and that configuration should be checked in an automated, continuous manner, to compensate for human error and the realities of software development and to catch any compliance drift.
2. Fully Define And Document Your Attack Surface
The digital front door blurs the perimeter of an organization, which is especially complicated in a large healthcare organization with expansive data holdings. As a stakeholder, how confidently do you know where all of your highly sensitive PHI data is located in all of your systems? Recent news demonstrates unsecured PHI is highly lucrative to ransomware hackers. On average, healthcare organizations lose $7.13 million per data breach in ransom payments and revenue losses, the highest average total cost per data breach of any industry.
Access rights should be reviewed for those inside the organization as well as for third-party partners and payers, and you should be able to monitor for anomalies — such as inappropriate access to health data. Consent management is also important; it aligns with GDPR and with emerging U.S. policy on access rights to patient data.
3. Adopt A People-Centered Security Posture
Cybercriminals targeting healthcare do not view the world in terms of a network diagram. They seek out people. Consider the individual risk each user represents. A security solution should be employed that gives you visibility into who in your organization is being attacked, how they are being attacked and whether they fell victim to a phishing scam. A people-centric solution will tell you how your users are targeted, what data they have access to and whether they are prone to falling for attackers’ tricks.
4. Take A Zero Trust Approach To Remote Access And Third-Party Data Sharing
As digital front door platforms integrate with multiple third parties and vendors, and healthcare organizations store and process more data than ever before, both patient risk and compliance risk are amplified across your tech stack. Additionally, traditional VPN technology just hasn’t kept up.
A healthcare organization should consider whether it has the right capabilities to manage identity and access across these platforms, including the right throttling mechanisms to control the flow of PHI, and should adopt a zero trust solution to quickly and securely connect employees, outside business associates and patients to its data center and cloud.
This is especially important to consider with APIs. These are used heavily in integration with third-party digital health applications that extend functionality and connect patients with a variety of healthcare service providers. Make sure that an API exposes everything your business model or use case needs, and nothing more: any data that ought not to be exposed should stay out of it. Also important: Seek to complete a HIPAA-mandated BAA, or business associate agreement, with your cloud services provider, as many will not guarantee HIPAA compliance without one.
The digital revolution in healthcare is here to stay, bringing with it great new possibilities to improve the patient and provider experience. As we adjust to the new era, successful digital front doors will take a privacy- and security-by-design approach to implementing digital tools from the start and will prioritize HIPAA and GDPR compliance at the forefront, safeguarding valuable PHI and reducing a healthcare organization’s security risk. When it comes time to reassess, re-architect or replatform a digital front door solution you may already have in place, it is important to adopt these security postures to stay at the forefront of privacy, security and compliance best practices.