Without question, the Covid pandemic has forever altered how the healthcare system operates. In particular, we’ve seen the adoption of digital health accelerate at a breakneck pace, shining a light on the importance of interoperability and security while rapidly modernizing healthcare delivery.
But while this digital explosion has, in many ways, made it easier than ever for patients to connect with providers, the truth is that patients no longer know where all their data is going. They don’t know who has access to their data. They can’t control how it is used, shared or stored. And, in the majority of cases, they may not be aware of the potential risks involved.
Who Has Access To Patient Health Data?
To put it simply — a lot more people and organizations than you think. As a result of data liquidity and the digital transformation of healthcare, protected health information (PHI) is in more places than ever before.
To illustrate, let’s imagine Suzi, a patient with diabetes who uses digital health tools to help her manage it. She has a telehealth doctor’s appointment, uses an app to track her blood sugar levels, logs in to her insurance company’s portal and even uses her pharmacy’s app to refill a prescription. Suzi may think she’s only sharing her health information with her healthcare provider, insurance company, pharmacy and one app company, but in reality, her data is on a much more complex journey than she realizes. It now flows through an interconnected system of databases, apps and devices, shared among healthcare technology organizations that she is not aware of and has never consented to.
Healthcare companies are investing in ways to share, store and analyze Suzi’s data, increasingly in the cloud. Consumerization and digitalization in healthcare are making data much more liquid. And while this improves Suzi’s experience as a patient, every additional copy, integration and endpoint widens the attack surface and puts her data at greater risk of being stolen.
Why And How Can Patient Data Get Stolen?
Bad actors target the healthcare industry because healthcare data continues to be so valuable on the dark web, going for as much as $1,000 per record. The more places patient data is transmitted and stored, the more difficult it is to control where all that data is. And if you don’t know where the data is, you can’t properly protect it. This creates more opportunities for bad actors to steal a treasure trove of valuable data.
While ransomware, human error and email continue to be the most common vectors, it’s likely that we’ll see attackers find other ways into healthcare networks. For example, I believe that we’ll start seeing bad actors focus on APIs, or application programming interfaces. APIs are the conduits of interoperability and data liquidity: they move private data between your systems and external users, which makes them a prime target for attackers looking for an entry point. In fact, there are a growing number of attacks on APIs already. According to API security vendor Salt Security, its customer base saw API-based attacks increase by as much as 348% in the first half of 2021. And, of the billions of records that have been exposed by cyberattacks to date, many have been due to insecure APIs.
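To make concrete how an insecure API turns one valid login into a bulk record dump, here is an added illustration that is not part of the article and does not describe any particular product: a patient-record endpoint with broken object-level authorization (the caller is authenticated but never checked against the record it asks for) beside a hardened version. The patient records, tokens, roles and the clinician "panel" rule are all constructed for the example.

```python
"""Added illustration (not from the original article): an authenticated but
unauthorized patient-record endpoint, and its hardened form.  All records,
tokens and roles below are constructed; no real system is described."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample store of PHI keyed by patient id.
PATIENTS = {
    "p-1001": {"name": "Suzi", "condition": "type 2 diabetes", "a1c": 7.1},
    "p-1002": {"name": "Tom", "condition": "hypertension", "a1c": None},
}

# Constructed bearer tokens -> caller identity.  A real API would validate a
# signed token (OAuth2 / SMART on FHIR) instead of a dictionary lookup.
SESSIONS = {
    "tok-suzi": {"sub": "p-1001", "role": "patient"},
    "tok-tom": {"sub": "p-1002", "role": "patient"},
    "tok-drlee": {"sub": "u-77", "role": "clinician", "panel": {"p-1001"}},
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def authenticate(headers):
    """Returns the caller identity for a valid bearer token, else None."""
    token = headers.get("Authorization", "").strip()
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    return SESSIONS.get(token)


def get_patient_vulnerable(headers, patient_id):
    """Checks *who* is calling but never *whether* they may read this record:
    any valid token can iterate p-1001, p-1002, ... and dump every patient."""
    if authenticate(headers) is None:
        return Response(401)
    rec = PATIENTS.get(patient_id)
    return Response(200, rec) if rec else Response(404)


def may_read(caller, patient_id):
    """Object-level authorization (constructed rule): patients read only their
    own record; clinicians read only patients on their panel."""
    if caller["role"] == "patient":
        return caller["sub"] == patient_id
    if caller["role"] == "clinician":
        return patient_id in caller.get("panel", set())
    return False


def get_patient_hardened(headers, patient_id):
    """Same endpoint with the per-object check the vulnerable handler lacks."""
    caller = authenticate(headers)
    if caller is None:
        return Response(401)
    if not may_read(caller, patient_id):
        # 404 rather than 403 so the endpoint does not confirm which ids exist.
        return Response(404)
    rec = PATIENTS.get(patient_id)
    return Response(200, rec) if rec else Response(404)


def enumerate_records(handler, headers, candidate_ids):
    """Simulates an attacker holding one ordinary patient token and walking
    candidate ids; returns the ids whose PHI the handler handed back."""
    return [pid for pid in candidate_ids if handler(headers, pid).status == 200]


if __name__ == "__main__":
    attacker = {"Authorization": "Bearer tok-tom"}   # Tom's own, legitimate token
    ids = ["p-1001", "p-1002", "p-1003"]
    print("vulnerable handler leaks:", enumerate_records(get_patient_vulnerable, attacker, ids))
    print("hardened handler leaks:  ", enumerate_records(get_patient_hardened, attacker, ids))
```

The point to check in any real integration is the one the hardened handler adds: authentication answers "who is calling?", but PHI exposure is prevented only by an authorization decision tied to the specific record being requested, and the audit of an API should look for endpoints that skip that second step.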
What’s The Solution For Keeping Patient Data Secure?
First and foremost, healthcare providers and technology vendors need to shift their thinking and view PHI from a patient-centric point of view, considering how to responsibly collect and store data with the patient’s best interest in mind, and educating patients about how their data will be used and how they can protect it.
From an industry perspective, healthcare needs to prioritize secure integrations and put privacy by design at the forefront when designing new systems and integrations that handle sensitive data. That means taking a proactive approach to privacy, embedding data protection best practices into every layer of technology, information architecture and business operations for true end-to-end security. While healthcare has, historically, been slow to modernize its technologies, it’s urgent that the industry make these investments to update and secure its systems now, before the next inevitable breach occurs.
After the rapid and tumultuous change of the pandemic, the era of healthcare digitization and consumerization is officially here. And while this revolution has tremendous power to improve patients’ experience and health, it also clearly contributes to patients losing control of their most personal data. It’s time that the industry stepped up to help them regain that security, fusing privacy and technology together to keep patients safe and healthy in every possible respect.