The health care security arena has become more complex and challenging in recent years, driven by all different types of stressors, pain points, new technologies, compliance overhauls and more. In many ways, patient information has been widely viewed as the most sensitive data around, especially because of the more substantial risks that come with exposure, loss and fraudulent manipulation.
For example, whereas financial data would generally only be used to steal money directly from an account - which is still serious - medical records often contain this type of information along with actual patient histories. In a worst-case scenario, the thief could commit medical fraud, compromising the record and potentially putting the patient at risk of getting the wrong treatment the next time he or she goes to a hospital.
The Health Information Portability and Accountability Act was launched with the specific purpose of protecting patients from the dangers that abound on the World Wide Web, holding medical organizations accountable for their actions. The Health Information Technology for Economic and Clinical Health Act, on the other hand, pushes medical organizations to begin using advanced tools and data management systems such as electronic health records.
While these compliance statutes have settled somewhat, several experts in the IT security community continue to assert that health care providers are more at risk of a major breach than any other industry. To understand why simple deployments such as HIPAA-compliant email and more complex ones like new data center services matter so much, it helps to know what the sector is up against.
The mobile challenge
Mobihealthnews recently reported that officials from the Federal Trade Commission stressed the importance of securing mobile devices and applications that are used in hospitals or for any medical purpose. It is not always obvious which applications pose a privacy or security risk, so medical organizations must remain vigilant when revising their policies.
FTC Commissioner Julie Brill, speaking at a recent event, explained that data privacy and security has been further complicated by the rapid proliferation of new applications that are used for a variety of medical-related functions.
"We did a study of about 12 devices and apps and it turned out about 76 entities were receiving information off these apps and devices," Brill affirmed, according to Mobihealthnews. "And it wasn't just things like UDID [the iPhone's unique identifier] and geolocation and whatnot. That was being collected, but it was also information about the consumer's health. One was a pregnancy app and it was the time in which the woman was ovulating, and it was being collected by third parties."
Diving further into the broad challenges facing both the regulatory community and health care providers themselves, the source pointed out that the speed with which laws are passed and standards communicated is generally slower than the proliferation of threats.
"The law is, on some level, always going to lag behind technology," she said. "Technology is moving at lightning speed. Our job at the commission is to try to instill in communities like the app community [and] like the developer community - with respect to platforms [and] with respect to new technological systems - that there are fundamental consumer protection rules that need to apply and that they need to think about as they move forward at lightning speed."
Although the FTC, many experts and other regulators have stressed the importance of securing apps, systems and devices, CSO Online recently reported that an entirely data-centric approach might represent the future of digital protection. Since data is the actual asset that other security deployments are meant to protect, shoring up defenses specific to the information itself may be the right remedy.
According to the source, when experts gathered at a conference in Boston, there were strong arguments on either side of the discussion, with some attendees pointing out that there must always be protections in place for networks, equipment and the like. However, from the data-centric side, it might be wise to first find ways to protect information in storage and in transit before expanding outward.
Who says it has to be one or the other, though? Rather than taking a narrow, tunnel-vision approach to IT security, organizations, especially those operating in health care, need to be more comprehensive in their deployments and capabilities. After all, attackers rarely try to break through the well-protected parts of an infrastructure; they look for the weakest point and exploit it.
Organizations should consider using email encryption and data center services from a provider that can cover HIPAA compliance needs and reduce the overall risk the company faces.