The digital health era is an exciting time for medicine, with digital therapeutics offering new approaches for treating many ailments. However, health data breaches are rising along with it, creating challenges for biopharma and medtech companies. These organizations hold more sensitive data today than they ever have and with higher potential risk. At risk are product advancements, company reputations and, potentially, patient outcomes.
Regional, state and national governments globally are developing new, and sometimes conflicting, privacy policies that give patients data access rights and create compliance responsibilities for biopharma and medical device companies. As companies consider creating cloud-based platforms to manage data coming from these new digital products and services, it is important to recognize the greater security risk of collecting patients’ medical data, even if much of it is de-identified.
Here are the top challenges in protecting health data and how to solve them:
Managing the Data Firehose
In the next ten years, as many as 50 billion medical devices will be sending out data to healthcare providers, patients and each other. The speed, volume and variety of this data is ever increasing. Clinical trials are leveraging health apps and connected health devices, with biopharma and medtech companies now beginning to collect patient information on a larger scale. Data flow is exploding from hundreds of patients in a controlled setting to thousands or more in a commercial environment. Real-time data is also flowing from wearables, such as heart rate monitors and blood pressure devices.
The increasing amounts of patient data held by biopharma and medtech companies are increasing their exposure to health data breaches. As healthcare moves beyond controlled settings and into homes with remote patient monitoring, that risk is multiplied.
Beyond an increase in size, the variety of data being captured needs consideration. Heart rate, blood pressure, A1c levels, audio and video are all currently being captured, each requiring different security considerations.
Healthcare can be a Security Minefield
The average global cost of a health data breach is $406 per record, the highest of any industry. Further, the number of patient records exposed in the United States nearly tripled between 2017 and 2018 to 15 million patient records. Halfway through 2019, that figure has jumped to around 25 million. Keeping personal health information (PHI) safe becomes more challenging as device settings grow to connected health devices in homes, workplaces and public spaces.
28 percent of security breaches start internally.
When most people think of security breaches, they picture outside ransomware attacks like the WannaCry attacks that hit around 40 percent of healthcare delivery organizations in the past six months, according to Armis. Security, however, is not just defending against the external hacker: 28 percent of breaches start internally. Medtech company Zoll, for instance, notified more than 270,000 patients that their PHI was exposed after an error occurred during a server migration. Understanding current workflows and developing internal processes to address potential leaks is extremely important.
Since 2015, the FDA has issued public warnings about cybersecurity vulnerabilities in medical devices that “allow unauthorized users to remotely access, control and issue commands to compromised devices,” which could lead to “severe patient harm." A joint alert by the FDA and Department of Homeland Security in March 2019 addressed a critical vulnerability found in thousands of defibrillators that could allow a hacker to control the implanted devices remotely. This goes to show the potential harm at stake from these data breaches.
While medical device manufacturers are responsible for finding these product vulnerabilities and implementing the appropriate measures, regulators continue to issue new cybersecurity guidance as medical devices increasingly leverage connectivity and analytics. Changing technologies and regulations make it difficult for companies to stay up-to-date.
Building Safe and Scalable Strategies
Digital technology has helped make healthcare a larger part of our daily routine. With this growth, a blend of the right knowledge, processes and tools needs to be in place to protect sensitive data. These include:
- Establishing proper internal procedures and training to stop the 28% of internal data breaches mentioned earlier.
- Ensuring systems, products and teams are all compliant with evolving regulations. The creation of the HITRUST Common Security Framework helps, as it harmonizes multiple international regulations into one set of standard security controls. This framework is becoming the main certification for companies responsible for PHI.
- Building a technical foundation devoted to complying with evolving privacy laws and security threats to avoid the potential patient harm and financial penalties.
- Placing all Patient Identifiable Information (PII) in a separate cloud environment away from the cloud environment that hosts de-identified PHI data.
- Delivering continuous training across the organization and ensuring the training is monitored by a team of security experts.
Maintaining a home-grown digital health platform that fits these stipulations requires major investment. Like other business areas where outside expertise is more feasible than doing everything in-house the heavy-lift involved in creating a properly secured platform will lead some companies to use a technology partner that can manage their end-to-end digital health needs. GreenQube is here to be that technology partner. Not only do we make sure your business is protected with the most current virus protection and firewalls, we partner with you to train your employees to help provide an additional yet vital layer of data security that makes your business even safer.