If you wanted to put all the pieces of a person’s profile together, health care data would likely be the most important piece of the personally identifiable information (PII) puzzle. It’s powerful. A heartbeat can open a door. This data is the most important type related to a person, the crown jewel of PII data we hold and process. That is why — at least from a micro perspective — it is your own personal ‘national security’ data and should be protected as such.
Why do we call it ‘national security’? The reason is simple: health care data provides a level of insight into a person that is otherwise secret. There is a type of data richness you cannot get from any other type of PII. Health care data is much more in-depth than any other type of data, such as consumer habits.
That data richness allows the data holder to offer a level of personalization that cannot be achieved through cookies, GPS location or purchasing habits. Indeed, the future of medicine may be defined by hyper-personalized care based on health care data. At the same time, this hyper-personalization means that if this data falls into the wrong hands, the risk goes up fast.
Health care data can be used to harm you. And as systems evolve, that harm could go well beyond simple financial fraud and identity theft. Instead, that harm can be used to target you specifically and manipulate you based on your health. The ramifications to the individual could be catastrophic, hence the heightened level of diligence and responsibility when handling this type of data.
Why Personal Information Security in Health Care is Difficult to Achieve
If we, as individuals, had complete control over our PII, especially our health care data, perhaps we could do more to protect it. But, industry and reality dictate otherwise. People do not have that control, meaning that industry needs to play a larger role. Offering identity theft compensation may work in 2021, but when people begin to get micro-targeted based on medical conditions, that approach will no longer cut it. The time to start addressing those risks is now.
Speaking Plainly About Health Care Data
To begin, security experts in the health care industry need to operate by some of the same rules everyone else does. Namely, we need to be able to speak a common language with decision-makers and operators. Information security professionals in the health care industry would be best served if they can speak plainly on the following issues:
- Needs of patients: speed of service versus securing information
- Needs of staff: medical needs versus security needs
- Management duties: providing quality care versus fiduciary needs
- Innovation challenges: staying ahead versus becoming an attractive target
- Budgetary restraints: health care costs versus security costs, both of which are on the rise
- Ease of functionality: mobile and internet of things convenience versus larger attack surface
Speaking plainly — avoiding jargon — will help the enterprise find its own right balance on these issues, and others related to them. Is there some perfect or magical balance between these competing issues? No, there is not. Therefore, just like all other industries, health care security experts and decision-makers must take a risk management approach to figure out what is right for them. There’s also one special thing to take into account for this industry: health care-related PII security issues and risks can be more costly, and even more so going into the future.
Why? It’s for the reasons we talked about above. Namely, the data richness offered can be the ‘final puzzle piece’ that results in the ability to micro-target a person. Think about it: take all the other data you have on someone, then overlay health care data. You’re going to get about as accurate a picture of somebody as you can get. Short of getting in their head, this is about as good — or scary — as it’s going to get.
Are Health Care Data Security Issues Unique?
From a strictly data security perspective, the health care industry faces all types of issues you’d see in other industries. These include:
- Fraud and health care data breaches
- Indirect financial loss
- Impact on external relations and reputation
- Disclosure rules
- Privacy breaches
- Employee negligence
- All types of criminal and nation-state actors
- Malicious insiders
- Process and system failures
- Fatigue, in the case of both security and medical professionals
- Third-party challenges
- Acting as a vector for another type of theft (e.g. attack a health care facility to get financial or insurance claim information)
This is only a partial list and, as noted, other industries face these issues. You can begin to tailor it for the medical industry by overlaying the following risk considerations:
- Organizational risk
- Clinical risk
- Financial risk
- Regulatory risk
Handling PII needs to be done carefully because of a simple, yet sometimes overlooked, issue: connectivity.
Connected to Everything and Connecting Everything
Not long ago, this type of data rarely left a doctor’s office or hospital. Today though, it’s connected far outside the office. For example, patients, doctors and other medical professionals may now want to access data from mobile devices.
Think about it: online and mobile banking has been around for a while and is used by almost everyone. The same cannot be said about health care data, in part because it was not feasible before. Conducting a transaction requires a few kilobytes of data, whereas viewing medical imagery requires some horsepower behind your bandwidth and storage.
Questions to Answer About Health Care Data
This change comes with a lot of benefits. Telehealth and remote medicine offerings have more options now, allowing services to be provided to people that may have been unable to access them before. With that said, those benefits come with hidden costs. Consider these:
- Who owns and operates the platforms you use to transmit health care data?
- Do you know which networks the data traverses and where it resides? Does that data cross any national borders? What laws is the data subject to?
- Have you determined the actual ‘value’ of your health care records? It may be much greater than you think.
These are challenges that many enterprises face. But, the data richness of each record poses an added challenge to the health care industry.
From a macro perspective, just one health care data breach could result in a lot of problems. Privacy issues, network issues, disclosure rules, financial and insurance fraud, reputation management issues, class action suits and regulatory oversight are all possible. And that only looks at the issue from an organizational perspective. What about this micro-targeting issue we mentioned above?
Big data and artificial intelligence now allow you to overlay this health care data with other data points. The result is a much more complete profile of a person, allowing you to pinpoint them for both good and bad. That’s the downside of all this.
Health Care Data Will Be Targeted: Make it Hard to Get
One of the best ways to discourage attackers is by throwing up roadblocks for them. Unless you are dealing with a nation-state actor or a persistent threat that really wants your data, you can at least thwart the day-to-day threat actors that will drain your resources. Below are some tactics that can help you protect that very valuable personal health care data.
Segment, Segment and Segment Some More
This tactic will come at a cost, both financial and operational. But you need to ask yourself: are you really willing to put all the eggs in one basket and take the chance? This may be one of those cases where the cost in time and money is worth it, even more so in the long term.
Cold Storage is Like a Warm Blanket
Rule of thumb: if it doesn’t need to be connected to a network, get it off the network. Data is pretty darn hard to steal when it is not connected to anything.
Use Health Care Encryption Standards and Frameworks
The industry is heavily driven by privacy concerns, which can be a boon. Privacy and security often complement each other. There are quite a few tools and frameworks out there, such as those from NIST and HITRUST, which help you develop a program and institute baseline requirements for items such as encryption. If you’re not encrypting all along the way, you’re making it far too easy for the bad people.
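One concrete shape of ‘encrypting all along the way’ at the storage layer is envelope encryption: each record gets its own data key, the data key is wrapped under a key-encryption key (KEK) that lives in a key management system, and the record identifier is bound into the authenticated data so a ciphertext cannot be quietly swapped between patients. The Go program below is an added example written for this article, not code from the article or from any NIST or HITRUST publication; the record, the patient identifier and the fixed-length KEK are constructed sample values, and in a real deployment the KEK would be held in an HSM or cloud KMS rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// PatientRecord is a constructed sample of a health record in the clear.
type PatientRecord struct {
	ID   string // patient or record identifier (assumed format: "pt-NNNN")
	Body []byte // the sensitive payload, e.g. a JSON document
}

// EncryptedRecord is what actually lands on disk or in the database.
type EncryptedRecord struct {
	ID         string
	WrappedKey []byte // per-record data key, sealed under the KEK
	Ciphertext []byte // record body, sealed under the data key
}

// aad binds the ciphertext to its record identifier: a blob copied
// from one patient's row into another's fails authentication.
func aad(id string) []byte { return []byte("record:" + id) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16/24/32-byte key -> AES-128/192/256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-GCM ciphertext+tag for plaintext under key.
func seal(key, plaintext, extra []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, extra)...), nil
}

// unseal reverses seal and fails on any tampering with blob or extra.
func unseal(key, blob, extra []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, extra)
}

// EncryptRecord generates a fresh 256-bit data key for this record,
// encrypts the body with it, then wraps the data key under the KEK.
func EncryptRecord(kek []byte, rec PatientRecord) (EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EncryptedRecord{}, err
	}
	ct, err := seal(dek, rec.Body, aad(rec.ID))
	if err != nil {
		return EncryptedRecord{}, err
	}
	wrapped, err := seal(kek, dek, aad(rec.ID))
	if err != nil {
		return EncryptedRecord{}, err
	}
	return EncryptedRecord{ID: rec.ID, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the data key with the KEK, then opens the body.
// Both steps are authenticated, so a wrong KEK, a modified ciphertext
// or a record re-labelled with another ID all return an error.
func DecryptRecord(kek []byte, enc EncryptedRecord) (PatientRecord, error) {
	dek, err := unseal(kek, enc.WrappedKey, aad(enc.ID))
	if err != nil {
		return PatientRecord{}, fmt.Errorf("unwrap data key: %w", err)
	}
	body, err := unseal(dek, enc.Ciphertext, aad(enc.ID))
	if err != nil {
		return PatientRecord{}, fmt.Errorf("decrypt body: %w", err)
	}
	return PatientRecord{ID: enc.ID, Body: body}, nil
}

func main() {
	kek := make([]byte, 32) // stand-in for a KMS-held key
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec := PatientRecord{ID: "pt-0001", Body: []byte(`{"name":"Sample Patient","dx":"constructed"}`)}
	enc, err := EncryptRecord(kek, rec)
	if err != nil {
		panic(err)
	}
	back, err := DecryptRecord(kek, enc)
	fmt.Printf("round trip ok=%v err=%v\n", string(back.Body) == string(rec.Body), err)
	enc.ID = "pt-0002" // relabelling the row breaks authentication
	_, err = DecryptRecord(kek, enc)
	fmt.Printf("relabelled record rejected: %v\n", err != nil)
}
```

Per-record data keys keep the blast radius of a leaked key to one record, and rotating the KEK only requires re-wrapping the small data keys rather than re-encrypting every body. Whatever the storage layer does, transport between clinic, mobile device and platform still needs its own TLS protection; this block covers only the at-rest leg.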
Keep Up With Legislation and Technology Rules
As noted, the health care industry is heavily driven by privacy concerns. There is likely a piece of legislation somewhere that is a driving force. For example, the Electronic Visit Verification mandate that came out of the 21st Century Cures Act requires that a check-in and check-out be conducted with a GPS-equipped device. It may seem simple enough, but recognize that you may have just added another piece of PII to a person’s profile, one that you now need to protect.
Use the Cyber Range
One of the old emergency management rules: you don’t have a plan until you’ve tested the plan. With your data being so important, don’t be afraid to test your landscape by playing capture the flag. If you’ve done everything listed above and are still having your flag captured, you’re likely missing the mark (or playing against a highly refined and dominant threat actor). Remember, data richness makes you a target, so make yourself a hard target to catch.
Avoid Social Engineering Traps
Remember, people in the health care industry go through some rough times, as we’ve recently seen. That also goes for cybersecurity experts. In other words, both these stakeholders may be suffering from burnout. Do not believe for a moment that a hostile actor will play nice just because the team is feeling overwhelmed. In fact, that’s probably prime time for them to employ some social engineering. Therefore, it is not enough just to train up your staff and operators — such as doctors, nurses and technicians — it is important they get some time away so they don’t make that mistake of clicking the wrong link.
Treat Health Care Data Like Yours
When in doubt, if you’re keeping somebody else’s health care data, treat it like it’s your own. If you really focus on that feeling, chances are you’ll handle that data more responsibly. It’ll be like protecting your own little piece of personal national security.