Healthcare is one of the highest growth sectors in the world. Healthcare organisations (HCOs) have been expanding their coverage and services rapidly with the introduction of new technologies, and increased expenditure from corporates and individuals.
Today, HCOs include e-pharmacies, home healthcare services, online consultations, health insurance, MedTech and pharmaceuticals, along with traditional organisations like hospitals – multi- and single-specialty – and diagnostic centres.
HCOs handle a wide range of personally identifiable information (PII) and sensitive personal information, including electronic medical records (EMRs), electronic health records (EHRs), electronic patient health information (ePHI), clinical research patient information, clinical trial records, birthdates, current/past addresses and medical coverage information. The recent trend towards digitising this information has brought an enormous change in the healthcare industry.
Advancements in digital and medical technologies allow healthcare providers to access patient data in real time with minimal inconvenience to patients. Data today is no longer confined within health-industry boundaries but is also shared with third parties for processing, storage and business relations.
Maintaining the confidentiality of patient data is a challenge. Such data is a lucrative target for cybercriminals: unlike financial information like credit card numbers, CVVs or PINs, which can be readily changed, data such as EMRs, EHRs, national identification numbers, birthdates, current/past addresses and information about next of kin is permanent and sensitive in nature, and can be exploited over a long period of time for crimes such as identity theft.
Impact of digitisation on the healthcare industry
Digital and medical technologies have greatly improved operational efficiency and enhanced the overall experience of both healthcare professionals and patients. However, protecting personal and sensitive data has also become a challenge for HCOs:
· Introduction of Internet of Medical Things (IoMT): Advanced clinical-grade devices which connect to healthcare IT systems directly are attractive targets for hackers as they expand the attack surface of an increasingly connected health ecosystem.
· Mobile phones as a source of security breaches: Patients use their mobiles to access remote healthcare services such as medical consultations, further increasing the attack surface.
· Legacy technology: Unpatched, end-of-support systems connected to healthcare IT networks – from MRI and X-ray machines to a host of smaller devices – are vulnerable to cyberattacks.
· Lack of privacy by design: New digital health technologies lacking ‘privacy by design’ controls are often exploited, with significant security and privacy ramifications for patient data.
The data deluge due to the COVID-19 pandemic has further compounded the problem.
Regulations for data protection in healthcare
At present, India does not have any specific data protection law in place around the privacy and security of healthcare data. However, there has been a lot of progress with the introduction of ‘The Personal Data Protection Bill, 2019’ and the ‘Digital Information Security in Healthcare Act’ (DISHA), and both of them are likely to be operationalised in the near future.
Key focus areas for HCOs
HCOs must ensure the secure handling of personal data to promote a culture of trust and transparency with patients and other stakeholders, in addition to meeting regulatory requirements. With the constantly changing technology and services landscape, and the data deluge around the pandemic, the following practices can enable HCOs to stay on top of their privacy risks:
· Protecting crown jewels: HCOs should identify both structured and unstructured personal data that is stored and processed. They should understand the nature of personal data and its life cycle through generation, storage, transit and destruction, and ensure appropriate safeguards at each stage of the life cycle.
· Focusing on security and privacy hygiene: Unpatched, end-of-life and end-of-support systems make the ecosystem vulnerable. They provide an easy route for unauthorised data access and data breaches. HCOs should ensure that their systems and applications are upgraded and patched in a timely manner.
· Strengthening data security: HCOs should implement multiple layers of protection, such as access control, encryption of data wherever possible and database security, as encryption goes a long way towards preventing unauthorised use.
· Enhancing detection and prevention mechanisms: Tools and solutions should be deployed to provide enhanced capabilities to detect and prevent data breaches.
· Introducing cyber resiliency: Cyber-resilient technologies and processes should be introduced, and response plans aligned to thwart and respond to the changing threat landscape should be implemented.
· Enhancing awareness: HCOs should ensure that all users are risk-aware and understand their responsibilities towards protecting personal and sensitive data. They should also promote awareness amongst patients and customers.
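The first and third practices above (knowing which personal data you hold, in structured fields and in free text, and layering least-privilege access control with protection of the data itself before it is shared outside the HCO) can be illustrated with a small script. This is an added example and not part of the original article or of PwC's material. The patient records, the field taxonomy, the role table and the regular expressions are all constructed for illustration; for the copy handed to a third party it uses keyed pseudonymisation (HMAC) of the patient identifier and redaction of contact details in the note, a substitute for the encryption the article names so that it runs with only the Python standard library.

```python
"""PII discovery, role-based field access and safe third-party sharing
for a handful of constructed (fictitious) patient records."""
import hashlib
import hmac
import re

# Constructed sample records: structured fields plus a free-text clinical note.
RECORDS = [
    {"patient_id": "P-1001", "name": "Asha Verma", "dob": "1984-03-12",
     "address": "12 Lake Road, Pune", "national_id": "123456789012",
     "diagnosis": "Type 2 diabetes",
     "note": "Follow-up call to +91 9876543210; email asha.v@example.com"},
    {"patient_id": "P-1002", "name": "Rohan Iyer", "dob": "1971-11-02",
     "address": "4 Hill View, Chennai", "national_id": "987654321098",
     "diagnosis": "Hypertension",
     "note": "Next of kin: Meera Iyer. Insurance policy INS-55 active."},
]

# Assumed data taxonomy for the structured fields.
DIRECT_IDENTIFIERS = {"name", "national_id", "address", "dob"}
HEALTH_DATA = {"diagnosis", "note"}

# Assumed, deliberately simple patterns for PII hiding in unstructured text.
UNSTRUCTURED_PATTERNS = {
    "phone": re.compile(r"\+?\d[\d\s-]{8,}\d"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "next_of_kin": re.compile(r"next of kin:\s*[A-Z][a-z]+ [A-Z][a-z]+", re.I),
}

# Assumed role table: which fields each role may see (deny by default).
ROLE_VIEW = {
    "clinician": {"patient_id"} | DIRECT_IDENTIFIERS | HEALTH_DATA,
    "billing": {"patient_id", "name", "address"},
}


def discover_pii(record):
    """Map each field to the data categories found in it.

    Structured fields are classified by the taxonomy; every other string
    field is scanned for PII embedded in free text."""
    findings = {}
    for key, value in record.items():
        categories = []
        if key in DIRECT_IDENTIFIERS:
            categories.append("direct_identifier")
        if key in HEALTH_DATA:
            categories.append("health_data")
        if key not in DIRECT_IDENTIFIERS and isinstance(value, str):
            for name, pattern in UNSTRUCTURED_PATTERNS.items():
                if pattern.search(value):
                    categories.append(f"unstructured:{name}")
        if categories:
            findings[key] = categories
    return findings


def view_record(record, role):
    """Return only the fields the role is entitled to; unknown roles see nothing."""
    allowed = ROLE_VIEW.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}


def redact_text(text):
    """Replace contact details and next-of-kin mentions in free text."""
    for name, pattern in UNSTRUCTURED_PATTERNS.items():
        text = pattern.sub(f"[{name.upper()} REDACTED]", text)
    return text


def share_with_third_party(record, secret_key):
    """Build the copy that leaves the HCO: direct identifiers are dropped,
    the patient id becomes a keyed HMAC token (linkable by the partner,
    not reversible without the HCO's key) and notes are redacted."""
    shared = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "patient_id":
            digest = hmac.new(secret_key, value.encode(), hashlib.sha256)
            shared[key] = digest.hexdigest()[:16]
        elif isinstance(value, str):
            shared[key] = redact_text(value)
        else:
            shared[key] = value
    return shared


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice from a key-management service
    for record in RECORDS:
        print("PII found:", discover_pii(record))
        print("Billing view:", view_record(record, "billing"))
        print("Partner copy:", share_with_third_party(record, key))
```

The discovery step is the inventory the article asks for, and it deliberately scans free text, since notes are where identifiers escape the structured schema. The sharing step drops direct identifiers rather than trusting the partner to handle them, and the HMAC key is what makes the token safe: anyone holding it can re-identify patients, so it must be managed like any other secret.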
Protecting sensitive personal data of individuals will help HCOs to continue building trust and loyalty, thereby gaining a distinct advantage in the marketplace.
The author is Partner & Leader – APAC Cyber & India Risk – Leader, PwC. Anirban Sengupta, Partner, Cybersecurity and Privacy, PwC India, and Saurabh Kaushik, Director, Cybersecurity and Privacy, PwC India, also contributed to the article.