LabCorp, Cass Regional Medical Center, East Ohio Regional Hospital, and Ohio Valley Medical Center. Hancock Health. Blue Springs Family Care. Allscripts. All were victims of ransomware attacks in 2018. Outside of the US, the Singapore Ministry of Health experienced a data breach of 1.5 million health records, including the Prime Minister's ePHI. According to the 2018 Verizon Data Breach Investigations Report (DBIR), ransomware attacks consist of almost 40% of attacks involving malicious intent. In healthcare, not all threats to data integrity are by lurking outsiders. The same report found that, exclusive to healthcare, over half of all breaches are by insiders, and many breaches are not deliberate. That was the case with Independence Blue Cross, where an employee accidently uploaded patient data to the public web, and it was exposed for three months. In other instances, misconfiguration--usually in databases--allows sensitive patient data to be accessible to crimes of opportunity.
Healthcare data, by its very nature, is lucrative. It contains full patient identifiers including social security numbers, financial information and pharmaceutical treatment authorizations. Mental health records with extremely personal exchanges could be accessed by total strangers. Some of this data may be purposed for sale on the dark web, but for the casual criminal, an off-the-shelf ransomware kit can be deployed in minutes. This results in halted operations, patients diverted to other facilities, inaccessible critical care records, and tarnished reputation. The total cost of a healthcare data breach is pegged at just over $400 per record.
Let's examine the characteristics of good IT data.
Data is accessible when it is needed, where it is needed, by the person who needs it.
Data is intact and accurate, reflecting precisely what it ought to record with no additions or deletions.
Data is protected and only those who need to see it, can.
In all instances of data compromise, one or all of these values were compromised. Because of the very nature of healthcare, being a high-touch, multi-record based field, there are a myriad of opportunities for any one of the three elements of data security to be jeopardized.
Hospitals and doctors' offices bustle with activity, and slipping through the cracks happens easier than it should. Auto locking doors, electronic badges or biometric keys, password protected everything, and radio-frequency ID'd equipment tracking are technology's answers to human foibles. Administrators pound away at situational protocols around phone calls, guest logs, and even organization of the nurses' station. In the attack on the Singapore Ministry of Health, it was a breached workstation that gave the attackers entry to the system. How an organization decides to train its staff to avoid social engineering attempts is highly individual, but it must be a priority, given the alarming statistic from the DBIR on the high ratio of improper insider actions. Even if not deliberate, employee actions are certainly not without consequences to the organization itself and the patients it is obligated to protect.
But in several of the attacks mentioned above, careless employees had nothing to do with data breaches or ransomware attacks. Known vulnerabilities of software or third-party applications left unpatched allow outsiders a way into wanted systems. Default usernames and passwords like - admin - and -test- are easy doors to open. Using default passwords is an especially well known vulnerability with medical devices and needs to be addressed as part of any security checkup.
Internet of Things-MD
Blood glucose monitors, pacemakers, and CPAP machines, as well as hundreds of other devices, all produce daily streams of data about their users. This data, when analyzed, offers information essential to the patient's well-being. Patients can engage in their own care by checking their smartphones for results on connected apps. Apps for blood glucose monitors learn a patient's norms and warn of possible blood sugar highs and lows, CPAP users see how many apneas they had each night and how long they used the machine, and even users of certain pacemakers can review how their daily activities affected their vitals when sending usage reports to their care providers.
Technical developments in the use of specialized medical devices and the exploding growth of the Internet of Things--Medical Devices (IoT-MD) make automatic uploads to cloud storage more the norm than the exception. When one considers the sheer amount in data in the wearables bucket, currently projected to more than double in the next two years, organizations lacking the ability to nimbly respond to storage demands have every reason to be concerned.
While there is currently some automation in alerting physicians or patients of alarming telemetry from wearable devices, the potential for growth in using machine learning to improve patient care is promising. Already, hospitals are deploying AI-powered applications to reduce readmission rates and increase accuracy in reading radiology images. This capability hinges on access to wide and deep data pools in order to develop algorithms that are unbiased and reliable.
And that is where there can be a bottleneck between possibility and practice. Not all patient data is neat and transmitted via bluetooth into easily parsed, actionable nuggets. The reality is that most medical data is messy, unstructured, and hard to use. Physicians' notes are in narrative form and require natural language processing (NLP) for broad use in AI software and practical application. Text mining can be used to detect patterns in unstructured data, but needs the power of NLP for semantic value. All of these applications have to have significant computing power when needed to run efficiently. Medical imaging, one of the most copious consumers of healthcare data storage, requires accurate DICOM tags not only so that picture archiving and communication systems (PACS) can retrieve data, but also so that automated image processing software can categorize and store the hundreds or thousands of images associated with a patient's file.
File Versioning as a Security Enhancement
Moving away from file hierarchies and block based storage, and into object based storage, is a natural next step for organizations positioning themselves to take advantage of emerging healthcare AI technology. Object based storage is built for the type of unstructured data so prevalent in healthcare. By relying upon descriptive tags for custom metadata, object storage provides the necessarily rich environment for machine learning to detect patterns and offer insights.
Besides contributing to an architecture that enables AI, using object based cloud storage provides data immutability. With object based storage, a record is never altered. Instead, a new object is created to reflect the change in content. This provides for omnipresent versioning, the ability to retain any and all changes to an object over time. By doing so, data integrity is virtually guaranteed. Considering the sensitive nature of personal health information and HIPAA compliance requirements, this quality is of utmost importance.
Other benefits to object based storage are that records, identified by their meta tags, are quickly accessible through a search application, available for analytics, and infinitely scalable. There is no need to pay for more storage than what is being used, so cost savings are possible compared to self-purchased servers that require floor space, maintenance, and overhead.
Data Security in the Cloud
Using the healthcare cloud is, in many ways, more secure than private, on-site servers. Physical access is highly regulated, with dedicated security staff, locked and segmented facilities, surveillance, and lists of individuals with access rights to the servers. Because of the geographic distribution of storage facilities, data redundancy helps ensure that no single instance of a record exists, ie. there are always multiple backups.
Data in transit is protected with encryption, as is data at rest. Cloud storage providers never have access to private keys and cannot decrypt stored information. The flat storage format, made possible through object storage, means that records are both easily accessible and accessibility is limited to only those with permissions to use that specific data. For example, if a patient visits the same regional health center for both a broken bone and clinical depression, the orthopedic surgeon needs to access images and notes regarding the physical injury. He or she cannot access notes from the therapist, but will be provided with a list of current medications in order to avoid any contraindications. Preventing a data dump that would have a negative impact on patient confidentiality is possible with a cloud-based architecture that increases security of patient data.
This kind of interoperability, where all patient data from many sources is part of their record, but only accessible to those with access rights, requires an infrastructure that can deftly handle the interactions between EHR data inputs, medical device auto downloads, DICOM images, telemedicine videos, financial transactions, and the APIs that open the doors for this communication. Anytime data is in transit, the potential for hacking increases. Cloud storage security solutions are necessary for healthcare data in order to maintain HIPAA compliance. It also creates a platform for healthcare organizations to focus on encouraging patient engagement with their records and metrics to support value-based reporting.
Ready for your personalized consultation? Contact us to speak with our security and networking cloud specialists.