
How to manage patient data security and privacy demands in the digital health era

Digital health is ushering in an exciting time for medicine, with digital therapeutics offering new approaches to treating numerous ailments. At the same time, health data breaches are rising globally, creating challenges for biopharma and medtech companies. These organizations hold more sensitive data than ever before, and the potential harm from a breach is correspondingly greater. At stake are product advancements, company reputations and, potentially, patient outcomes.

As with many emerging industries, regional, state and national governments globally are developing new and sometimes conflicting privacy policies that empower patients with data access rights and create additional compliance responsibilities for biopharma and medical device companies. As companies consider building cloud-based platforms to manage data coming from new digital products and services, it is important to recognize the heightened security risk of collecting patients’ medical data, even if much of it is de-identified.

Here are the top challenges in protecting health data and how to solve them:

Managing the Data Firehose
In the next ten years, as many as 50 billion medical devices will send data to healthcare providers, patients and each other. The velocity, volume and variety of data are rapidly increasing. Clinical trials have leveraged health apps and connected health devices, and biopharma and medtech companies are now beginning to collect information at population level. Data flow is exploding from hundreds of patients in a controlled setting to thousands or more in a commercial environment. Real-time data streams are also flowing from wearables, like heart rate monitors and blood pressure devices.

Rapidly increasing amounts of patient data held by biopharma and medtech companies increase their exposure to health data breaches. As healthcare moves beyond traditional, controlled settings, and into more homes with remote patient monitoring, that risk is compounded.

Beyond an increase in volume, the variety of data being captured needs consideration. Heart rate, blood pressure, A1c levels, audio and video are all currently being captured, with more on the horizon, each requiring different security considerations.

Healthcare Can Be a Security Minefield
The average cost of a health data breach globally is $406 per record, the highest of any industry. Further, the number of patient records exposed in the United States nearly tripled between 2017 and 2018, to 15 million. Just over halfway through 2019, that figure has already skyrocketed to around 25 million patient records breached. Keeping protected health information (PHI) safe becomes more challenging as deployments expand from clinical settings to connected health devices in homes, workplaces and public spaces.

When most people think of security breaches, they picture external ransomware attacks like WannaCry, which has hit around 40% of healthcare delivery organizations in the past six months, according to Armis. Security, however, is not just protecting against the external hacker: 28% of breaches involve internal actors. Medtech company Zoll, for instance, notified more than 270,000 patients that their PHI was exposed after an error occurred during a server migration. Understanding current workflows and developing internal processes to address potential leaks is critically important.

A recent CHIME-KLAS survey of CIOs, CTOs and CISOs at healthcare provider organizations found that 18 percent had medical devices that were impacted by malware or ransomware during the previous 18 months. Overall, 96 percent of respondents pointed to medical device manufacturer-related factors as a root cause of the medical device security issues.

Since 2015, the FDA has issued public warnings about cybersecurity vulnerabilities in medical devices that “allow unauthorized users to remotely access, control, and issue commands to compromised devices,” which could lead to “severe patient harm.” A joint alert by the FDA and the Department of Homeland Security in March 2019 addressed a critical vulnerability in the wireless telemetry of thousands of implanted defibrillators that could allow an attacker within radio range to interfere with the devices. This illustrates that the harm at stake goes beyond data exposure to patient safety.

While medical device manufacturers are responsible for assessing product vulnerabilities and implementing appropriate risk mitigation measures, regulators continue to issue new cybersecurity guidance as medical devices increasingly leverage connectivity and analytics. Changing technologies and regulations make it difficult for companies to stay current.

Building Safe and Scalable Strategies
Digital technology has helped healthcare become a larger part of our daily routine. With this expansion, a blend of the right knowledge, processes, and tools needs to be in place to protect sensitive data. These include:

  • Establishing proper internal procedures and training to close the internal gaps behind the 28% of breaches mentioned earlier.
  • Ensuring systems, products and teams are all compliant with evolving regulations. The creation of the HITRUST Common Security Framework helps as it harmonizes various international standards and regulations into one set of baseline security controls. This framework is becoming the standard certification for companies responsible for PHI.
  • Building a technical foundation devoted to complying with evolving privacy laws and security threats to avoid the potential patient harm, financial penalties, not to mention bad publicity that can result from a breach.
  • Placing all directly identifiable patient information (PII) in a cloud environment that is separate from the one hosting the de-identified health data on which medtech and biopharma products operate, so that the identity mapping and the keys needed to re-identify records never leave the restricted environment, and ensuring there is no multi-tenancy across product cloud environments.
  • Delivering continuous training across the organization and ensuring monitoring by a team of privacy and security experts.
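One way to implement the identifiable/de-identified split from the list above, as an added example written for this edit (not code from the original article or from any vendor platform it describes): each incoming device reading is divided into an identity row, which stays in the restricted PII environment together with the HMAC key, and a de-identified row carrying only a keyed pseudonym and generalized quasi-identifiers, which is what the product environment receives. The field names, the sample readings, the HMAC-SHA256 pseudonym and the subset of identifier fields are assumptions made for the example.

```python
"""Split device readings into identity rows (restricted PII environment) and
de-identified rows (product/analytics environment). Added example; records,
field names and the identifier list are constructed for illustration."""
import hashlib
import hmac
from datetime import date

# Constructed sample readings (no real patients). In production these would
# arrive from a device gateway joined to the enrollment record.
RAW_RECORDS = [
    {"patient_id": "P-10001", "name": "Jane Doe", "dob": "1941-03-12",
     "zip": "02139", "email": "jane@example.com",
     "reading_date": "2019-07-14", "systolic": 142, "diastolic": 88},
    {"patient_id": "P-10002", "name": "John Roe", "dob": "1975-11-02",
     "zip": "60614", "email": "john@example.com",
     "reading_date": "2019-07-14", "systolic": 118, "diastolic": 76},
    {"patient_id": "P-10001", "name": "Jane Doe", "dob": "1941-03-12",
     "zip": "02139", "email": "jane@example.com",
     "reading_date": "2019-07-15", "systolic": 139, "diastolic": 85},
]

# Direct identifiers that must never leave the PII environment. This is a
# subset of the HIPAA Safe Harbor identifier list, chosen to match RAW_RECORDS.
DIRECT_IDENTIFIERS = {"patient_id", "name", "dob", "zip", "email", "phone", "mrn"}


def pseudonym(patient_id: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Without `key`, which is held only in the
    PII environment, the token cannot be recomputed from or reversed to the id.
    A plain unkeyed hash would be brute-forceable over the small id space."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()


def age_band(dob: str, on: str) -> str:
    """Generalize age to a 10-year band; ages 90 and over collapse into one
    band, following the Safe Harbor rule for ages over 89."""
    b, d = date.fromisoformat(dob), date.fromisoformat(on)
    age = d.year - b.year - ((d.month, d.day) < (b.month, b.day))
    if age >= 90:
        return "90+"
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def split_record(rec: dict, key: bytes) -> tuple:
    """Return (identity_row, deidentified_row) for one reading."""
    token = pseudonym(rec["patient_id"], key)
    identity_row = {"pseudonym": token,
                    **{k: rec[k] for k in DIRECT_IDENTIFIERS if k in rec}}
    deid_row = {
        "pseudonym": token,
        "age_band": age_band(rec["dob"], rec["reading_date"]),
        "reading_year": rec["reading_date"][:4],   # full date is a quasi-identifier
        **{k: v for k, v in rec.items()
           if k not in DIRECT_IDENTIFIERS and k != "reading_date"},
    }
    return identity_row, deid_row


def check_no_direct_identifiers(row: dict) -> bool:
    """Gate at the boundary of the product environment: True only if the row
    carries none of the direct identifier fields."""
    return not (DIRECT_IDENTIFIERS & row.keys())


def export(records: list, key: bytes) -> tuple:
    """Produce the two data sets; refuse to export if the gate ever fails."""
    identity_rows, deid_rows = [], []
    for rec in records:
        ident, deid = split_record(rec, key)
        if not check_no_direct_identifiers(deid):
            raise ValueError("direct identifier leaked into de-identified row")
        identity_rows.append(ident)
        deid_rows.append(deid)
    return identity_rows, deid_rows


if __name__ == "__main__":
    # The key would come from the PII environment's secret store, never from
    # the product environment's configuration.
    demo_key = b"demo-key-held-only-in-pii-environment"
    ident, deid = export(RAW_RECORDS, demo_key)
    print("identity rows (stay in PII environment):", len(ident))
    for row in deid:
        print("de-identified:", row)
```

The gate check is deliberately a positive list of forbidden fields rather than a list of allowed ones so that a new identifier added upstream fails closed. Keyed pseudonymization of this kind is reversible by whoever holds the key and the identity table, which is exactly why both must stay in the restricted environment; and because readings, age bands and other quasi-identifiers can still single out individuals in small cohorts, the output should still go through a formal de-identification review before it is treated as non-PHI.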

Maintaining a homegrown digital health platform that meets these requirements demands significant investment. As in other business areas where buying outside expertise is more practical than building everything in-house, such as ERP systems, the heavy lift involved in creating a properly secured platform will lead some companies to engage a technology partner that can manage their end-to-end digital health needs. This frees up key resources to focus on the core business of creating more effective devices and therapies.

Digitization is transforming the healthcare industry. The proper risk mitigation framework will ensure continued progress without delays from unfortunate, and potentially preventable, security and privacy breaches.

Picture: David Tran, Getty Images