Data privacy of patients is a significant piece of the healthcare technology pie, that is increasingly getting threatened by cyberattacks globally. Outdated information systems are especially susceptible to these online attacks. In the past, healthcare providers often did not allocate sufficient resources to battle this threat. But with them realising the high cost of data breaches, data protection has assumed greater importance especially with the fast growth of telemedicine.
With modern medicine employing technology in a big way, more points of attack have opened up. Patient data isn’t stored on medical devices but the servers do store information recorded by them. Any attack on these servers can be critical and can seriously impact a patient’s health records.
Data Privacy and its Significance
With digitisation growing rapidly, especially after the pandemic, cyberattacks have become more commonplace. According to an IBM report released in 2021, healthcare data breaches cost the most at $9.23 million per incident – a $2 million over the previous year. Data breaches were most prevalent in industries like retail, hospitality, consumer manufacturing apart from healthcare during the pandemic period.
Confidentiality of Protected Health Information has been compromised to a large extent with healthcare providers using common communication tools for consultations. Most of these apps do not enjoy the safeguards to protect sensitive health information and is not HIPAA compliant. Healthcare organizations may use such apps to communicate basic information or de-identified PHI, but to maintain HIPAA compliance, PHI cannot be sent using such messaging tools.
The cyber attackers can employ phishing, wherein links or attachments in emails, social media or text messages can infect the computer systems with malware. This can then spread over the clinical network, thus paralysing the whole system and can severely impact surgeries and life support mechanisms.
Rules and Regulations
The most prominent regulation in the healthcare industry is the Health Insurance Portability and Accountability ACT (HIPAA). Enacted in the United States in 1996, the Act was updated many times over in the past to ensure high standards of data privacy. The Act sets the benchmark for security requirements of Protected Health Information (PHI) and the entire world looks up to it for guidance and compliance HIPAA laws are a series of federal regulatory standards that outline the lawful use and disclosure of protected health information in the US. Anyone who deals with patient information in the US is required to implement security measures that meet HIPAA standards and guidelines, which are continuously updated.
HIPAA norms require healthcare providers to have a workable data protection strategy, for instance. Private information of patients has to be secured by healthcare providers through access control. HIPAA guidelines state that ePHI for encryption and decryption must be predefined. It says that cryptographic techniques have to be selected based on reasonable necessity and appropriateness to prevent unauthorized access to data.
Setting up admin controls to make sure only the right people get to deal with data, educating employees about data privacy steps, apply security patches, securing PHI records and encrypting data are some of the common methods to maintain data privacy.
Patient data in remote healthcare providers can be linked to a centralised database. This may include audio and video interactions between patients and doctors along with all the other details of the patient. The information stored can be accessed through web-based interfaces or mobile apps. Patient confidentiality can be ensured through a series of encryptions and robust access control. Even screen sharing is done in the form of encrypted screen capture.
While ensuring access control, personnel training is also crucial. Quality training for healthcare employees in data protection can go a long way in securing the systems. This would enable them to recognise phishing emails and help to know the value of back-up data. Losing valuable patient information can be a nightmare.
Healthcare organizations need to properly safeguard audit logs and audit trails by putting in place audit control measures to prevent hackers and malicious insiders from creating a potential data breach. Healthcare providers can formulate a cyber-security framework that charts an incident response mechanism clearly defining the responsibilities and revisit it often to make necessary changes.
Data ownership, accessibility and integrity
The modern medical practice, especially in the case of virtual healthcare, is about giving patients complete freedom to access to own private healthcare data. This can help in patients actively contributing to the treatment schedule, rather than remain mute spectators. While all other stakeholders are custodians of the patient data, the owner is ultimately the patient.
Various documents are generated by the custodians (read doctors, hospitals, clinics, labs, digital health companies etc). Usually, the patient does not pay much attention to these documents until required next time.
To address this issue, as part of Ayushman Bharat Digital Mission (ABDM), the Government of India is introducing mechanisms to store all data centrally. It is also providing Ayushman Bharat Health Account (ABHA), a health ID, developed to allow one to easily share data such as health and diagnostic records with the healthcare providers. This is a great initiative that ensures data integrity and accessibility. All custodians will need to submit health data to this central repository, giving the patient the freedom to own the data and provide access to it whenever required.