Healthcare Data is Under Attack. How Do We Protect It?

Striking a balance between compliance and the secure protection of sensitive healthcare data.

On the black market, healthcare data is worth ten times more than ones’ credit card details according to cyber security experts.

The frequency of attacks on healthcare data has increased rapidly over recent years; however, in contrast to industries such as the financial sector, the securing and storing of sensitive data in the healthcare industry has been largely overlooked.

Healthcare service providers are responsible for large databases containing sensitive customer information.  Surprisingly to some, these databases are more comprehensive than those found in any other industry.

Our healthcare system relies on internet-enabled technologies to function. Examples of these uses range from the relatively basic: digital patient records, to the more hi-tech: wearable monitoring solutions that help to monitor the vitals of patients and while this digital shift helps to speed up and improve the accuracy of clinical care, it leaves these systems vulnerable to cyberattacks.

Viewed as a “goldmine”’ for cybercriminals, Robert Fish, Product Owner for Clinical Solutions at Altron HealthTech warns that the protection of data is critical.

“Patient healthcare data includes personal medical information like test and blood results, family medical history and other confidential information pertinent to health and wellness. Insurance providers also require diagnostic codes from doctors to process claims so this data also includes financial information relating to payment transactions, banking details, scheme information and clinical requirements,” he explains.

In describing the “patient journey” of managing healthcare data, Mervyn Padayachie – Corporate Accounts Manager for Altron HealthTech believes that it begins from the time that the patient books their appointment right through to when the transaction has been completed. “Security of data has to be taken seriously – from the very start to the very end of this journey.”

With the advent of the COVID-19 pandemic, many organisations are dealing with screening information using paper-based systems. This, he adds has no bearing on how the securing of COVID-19 data would differ from that of any other form of healthcare data. “The security management of all medical data must be handled with the utmost care.”

On the other hand, Healthcare is not an island and must allow for data sharing with third-party applications. This is called interoperability. Altron HealthTech uses HL7 FHIR (Fast Healthcare Interoperability Resources). This is a data protocol that allows for secure exchange of clinical information. In addition, the applications that Altron HealthTech supplies to the SA Market include features such as encryption of the data, audit trail functionality as well as role-based access to the applications      

Advanced Synergies to Protect Medical Data 

Working together to change the healthcare industry’s reputation for lax security measures are Altron’s divisions, HealthTech and CyberTech. 

“We believe that the future of healthcare lies in connected care: the clever use of holistic, functional and patient-centric technology. Connected care requires the highest level of data security, and that is where we come in,” Fish continues.

“Marrying CyberTech and HealthTech’s services was a natural fit,” adds Fish. “HealthTech possesses decades of combined expertise in the managing of clinical data and is complemented by CyberTech which offers data protection skills second to none”. 

“Together, we are able to provide data security based on best practice standards”. 

Zaheer Yusuf, Pre-Sales Consultant – Information Security Services at CyberTech a division of Altron seconds this by saying that this synergy is of great benefit to its clients. “The relationship between CyberTech and HealthTech is well-established and no third parties are needed when making use of our “‘one-stop solution.’

As noted by Yusuf, CyberTech are security specialists and not only have their own data center, but also comply to ISO 27001 and PCIDSS standards. “We are constantly working together with HealthTech to advise our clients and optimise their systems.”

Compliance is Key

Fish says, as a healthcare provider, holistic records and consent-driven patient sharing is the cornerstone of better healthcare. “Moving sensitive healthcare data must be done in compliance with the law and the various regulations that govern how personal data can be collected and stored in South Africa.”. 

The President proclaimed the POPIA commencement date (or POPIA effective date) as 1 July 2020. It is important because a grace period of one year starts from the commencement date. Now that it has commenced, you must ensure that you comply with the POPI Act as the Information Regulator will start enforcing the POPI Act one year after the commencement date.

Adding to the complexity of managing data is the Health Insurance Portability and Accountability Act (HIPAA). Although not legally mandated in South Africa, HIPAA sets the standard for the management and exchange of healthcare data on a global scale. 

In-line with POPIA, HIPAA and various other forms of compliance, both HealthTech and CyberTech understand that consent-driven patient sharing of information is the cornerstone of better healthcare. They have always taken the security of that data very seriously, but some of the POPIA guidelines as is the purpose of the Act, disrupt the traditional structures by which that data is transferred.

Not without its challenges, Fish notes that adhering to these guidelines adds a necessary layer of complexity. “While stringent compliance guidelines can be a challenge, we remain agile and compliant to continuously uphold the security of our data protection process.”