Recently I came across an article reporting that two companies owned by Telus Health had widespread data breaches concerning patient data. As I continued to look into this topic, I was shocked by the number of data breaches that are steadily increasing within healthcare organizations.

The World Health Organization (WHO) defines information governance as: “privacy, confidentiality, security and informed consent”. According to the WHO, information governance is becoming a defining issue of our time, and they state: “In a global environment, the current complex sets of national laws and regulations are not enough to prevent the sale of health-search information, the exposure of health and other personal data online, and concerns over cybersecurity of medical devices and hospital networks.” This quote from the WHO parallels the increasing number of cybersecurity attacks reported by hospitals and health organizations.

In the United States, between 2009 and 2019, there were 3,054 healthcare data breaches. In 2019, healthcare data breaches were reported at a rate of 1.4 per day. One of the more well-known medical data breaches was at Anthem, a health insurance provider, which disclosed that criminal hackers had broken into its servers and potentially stolen over 37.5 million records containing personally identifiable information.

In Canada, there has also been a growing number of attacks on healthcare organizations and hospitals. This past August, two companies owned by Telus Health had to pay a ransom after 60,000 patient files were accessed by bad actors.

I believe bad actors will continue to target healthcare organizations. Access to data in hospitals and healthcare organizations can be highly valued because hospitals don’t just carry health data; they can also house financial and geographical data on patients. In addition, some healthcare organizations have the ability to collect data on patients without their consent in order to improve health outcomes for society in general. Sometimes it’s not even a case of opting out if you want to protect your data from breaches.
 

So what are some solutions we can look to when it comes to reducing cybersecurity attacks in healthcare organizations?

Firstly, there is always the area of reducing human error and access to data. This can be done by educating staff and volunteers, and IT can ensure data access is given only on a need-to-know basis. On one episode of the Health Analytics Insight podcast, I talked about how a hospital clerk was able to sell thousands of new mothers’ personal information to Registered Education Savings Plan companies. These plans are savings vehicles here in Canada for parents to save for their child’s education. In this podcast episode, I questioned the need for this clerk to have access to these records and whether the necessary safeguards were in place. Another option might be a move to a cloud-based computing model for healthcare organizations.




What is cloud computing? Cloud computing is the practice of hosting your IT infrastructure on remote servers, usually run by providers such as AWS, Google Cloud and Microsoft Azure. For example, users can access software applications, databases and files through a secure browser link. Users can access and modify data entirely through remote servers, with nothing that has to be installed on-premises within the organization.

Some healthcare organizations are already moving towards this cloud-based option. For instance, the Mayo Clinic has recently entered into a 10-year partnership with Google Cloud. This relationship is said to be one of symbiosis: the Mayo Clinic will be able to apply AI and machine learning techniques developed by Google to its rich patient data, whereas Google Cloud will be responsible for securing and storing Mayo Clinic’s patient data. Through the partnership, Mayo Clinic also aims to develop and deploy new AI algorithms designed to advance precision treatments and boost clinical outcomes.

In my opinion, I think this is a situation that has both benefits and drawbacks, as more and more of our personal information (health, geographical, financial, etc.) is being collected by these tech monopolies. Is it better to get in bed with them and have them protect us from these growing cyberattacks, or to hire more cybersecurity experts who have a healthcare background in hospitals? When we think about the limited budgets hospitals have to contend with, is the latter even an option?

What are some potential benefits of cloud computing? As I alluded to above, having access to AI and machine learning tools from Amazon, Google and Microsoft would be a great way to improve outcomes for your organization, given the right technical and clinical minds on staff. In addition, moving some or all of the data to remote servers might help mitigate issues when local computer systems experience downtime. Downtime can have profound impacts in many industries, but it can present threats to patient safety when it occurs in hospitals.

For instance, one hospital in New York experienced a cybersecurity attack and hospital systems were down for one week. This resulted in staff having to manually enter patient data into charts, and these incidents are ripe for human error, especially during high-intensity situations. With a cloud-based solution, by contrast, back-up versions of the system might be available to mitigate these issues. In addition, because multiple vendors and organizations might be hosting their data remotely on the server, this may reduce the number of security breaches organizations experience, because you would have access to the cybersecurity teams at Google, Amazon, Microsoft and others. These technical roles might be lacking in small health organizations. However, one of the issues with using a cloud-based system is the lack of visibility and monitoring available to the IT team within the hospital when it comes to detecting potential cybersecurity threats.

With the rapidly increasing amount of healthcare data being generated, from genetic tests (e.g. 23andMe) to health data from Fitbits, I hope that in the future there will be a platform that can integrate these different data sources in a way that protects patients’ data, and perhaps cloud computing is that solution. In my opinion, I think that a hybrid cloud-based solution will probably be widely adopted, where certain sensitive critical data will still be housed on-prem and other applications and data might be housed remotely. I will continue to investigate this topic to see how things progress, and I hope we eventually see the number of healthcare attacks steadily decrease.

Please follow this podcast if you’re interested in seeing more of this content and have a great day! 

