Source: HIPAA Journal
Keep your Healthcare applications secure with EasyHealth
With an average cost per patient of $429/419€ [1] in the event of a data breach, one does not need to make a lot of calculations to see how essential patient data security should be apart from the moralities.
What do I need to pay attention at? Can I just let someone else do it and not worry about it?
EasyHealth is your solution
- Why a managed storage service?
- The two EasyHealth solutions compared
- Data privacy issues in the public cloud
- Pricing
The problems with healthcare data
Healthcare data is of much value, and therefore a constant target for hacks. Just imagine the benefit for advertising or insurances, if companies would know about all the illnesses of a person. And especially how much people woud be willing to pay for a snake oil cure that promises instant relief.
Evil employers would benefit as well, being able to “kick out” ill or pregnant people in time.
Even though these are hopefully still science fiction scenarios, you can easily see why hackers target clinics and healthcare providers.
Let us look at some numbers:
2,550 data breaches have compromised over 189 million healthcare records in the last decade.
89% of healthcare providers have undergone a data breach.
Cyber threats are expected to hit $6 trillion in losses by 2021.
Reasons for breaches
Oftentimes the reasons for a databreach can be broken down into:
- Software that is not updated
- Servers that are not isolated (on-premise)
- Wrong usage of the public cloud
- Missing backups
- Bad networking setups
Usually clinics and healthcare providers focus their time and effort somewhere else, and end up just installing software once, never updating it. Same as your phone and computer updates, the clinic systems should be updated as well to patch new security leaks. There is a whole industry designed to discover new security leaks in applications and software, and sell them as “zero day exploits” to the highest bidder. Of course these leaks get “patched”(fixed), but if no one install the update, the well known exploit will always remain open for everyone to use.
Additionally, a lot of people do not implement the matching security measures when using the public cloud, leaving ports and machines open for everyone to access.
Legal challenges when storing patient data
Due to these breaches, both the US and EU have implemented strict laws regarding storage of healthcare data.
In the US, this protocol is called “HIPAA”, or “Health Insurance Portability and Accountability Act” in the longform.
In Germany and the EU, these specifications are divided into the general part called “GDPR” (The General Data Protection Regulation) and further laws defined by each state, like the “BayKrG” (Bayrisches Krankenhausgesetz).
Even though there are complex sections, they can be basically summarized for both as:
1. Encrypting data
- Data should always be encrypted both on the disk, as well as in transport (SSL)
2. Let users only see what is necessary
- A nurse should only see medical data she needs
- Someone from accounting should only see “numbers” etc.
3. Log who edited and saw what
- In case there is a breach or violation, you should be able to identify who accessed what
4. Be prepared to report a breach if it happened
- You are required by law to submit a report if a breach occurs, in a short amount of time including details that should be prepared beforehand
5. Physically secure servers
- Only authorized people should be able to access servers
- Logging who did what
6. User management system
- Automatically expire passwords after time x
- If an employee leaves the company, his credentials should automatically expire