Data protection laws around the world are changing the way businesses handle customer data. The healthcare industry, in particular, is under scrutiny due to the rise of high-profile cyberattacks aimed at some of the biggest healthcare providers.
Health organizations around the world are faced with numerous challenges so far as privacy laws and industry regulations are concerned.
Challenges for the healthcare industry regarding customer data
Whether it’s lax access control, outdated software systems, or overall low cybersecurity awareness, security challenges will likely continue to plague the healthcare industry because the cybersecurity threat landscape is constantly evolving. This means all healthcare organizations are potential targets, but depending on their cybersecurity strategy, not all may be equipped to fend off hackers. Furthermore, medical information is worth ten times more than credit card information to hackers. Hackers can use stolen medical information to file claims with insurers and buy medical equipment or prescription drugs.

Despite regulations in place, some organizations are managing healthcare data in outdated, fragmented computer systems or as physical, non-digitized records. These organizations are unfortunately unprepared to meet these regulations or even to protect patient data properly. Furthermore, because healthcare data can include genetic data, medical histories, and biometric data, which are not all that common in other industries, it presents unique challenges when trying to protect patient data.
What does the law say?
Some data privacy laws, such as the General Data Protection Regulation (GDPR), contain clauses or provisions that specifically address healthcare data. For example, the GDPR explicitly addresses three types of healthcare data:
- Data concerning health: personal data related to the physical or mental health of a patient, including information about their health status
- Genetic data: unique information about a patient’s physiology or health, inherited or acquired genetically
- Biometric data: personal data that allows for the unique identification of a patient, including facial images and fingerprints
With the GDPR, healthcare organizations that do manage this kind of data have an added burden to adhere to a higher standard of protection.
Patient Data Act
In the EU, some countries also have their own healthcare legislation that dictates how healthcare data is to be managed, processed, and even protected. For example, in Sweden, in addition to the GDPR, hospitals must also comply with the rules governing the processing of personal health and medical care data found in the Patient Data Act. The Patient Data Act covers many aspects of customer data, including a provision that only a person who needs the data may see the patient data.
In the US, the Health Insurance Portability and Accountability Act (HIPAA) serves as the primary healthcare law for the entire country for all protected health information (PHI). Under HIPAA, the Privacy Rule and Security Rule provisions address the necessary measures to guard the privacy and integrity of health data in the digital age. HIPAA also requires healthcare organizations to conduct such security assessments annually and compile reports. Outside the US, HIPAA acts as the healthcare industry’s “north star for the collection, use, exchange, and protection of patient information.” Many health organizations turn to HIPAA to guide businesses in protecting sensitive health data and to give patients the right to access their own information.

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act came along to widen the scope of HIPAA’s data protection requirements. It helped increase the legal liability for non-compliance for health organizations.
Though there may be data security challenges, healthcare organizations understand the importance of protecting sensitive information. For this reason, sometimes organizations will create or voluntarily adhere to health standards and codes of conduct regarding the collection, use, and exchange of health information. One example is HITRUST (Health Information Trust Alliance), a private organization that conducts corporate audits and certifies that healthcare organizations are employing appropriate technical, administrative, and physical safeguards to protect health data in compliance with HIPAA.
Digital Information Security in Healthcare Act (DISHA)
While it seems the US and Europe have taken the lead in addressing the protection of healthcare data in writing through laws and regulations, other countries may soon follow suit. In India, there are strides to create new legislation, DISHA, that will seek to regulate the “collection, storage, transmission, access, and use of all digital health data.” The proposed law will cover any entity that deals with digital health data across different industries, such as IoT, manufacturing, and others. The law would also require health organizations to provide data breach notices to their customers.
What role security plays
A common misconception about security and compliance is that they are interchangeable. However, this is not true. Security controls like a WAF (Web Application Firewall) simply provide a way for healthcare companies to achieve compliance as it relates to the protection of data. However, a WAF cannot help with all the healthcare provisions required under law, such as “the right to erasure,” which allows users to request that healthcare organizations delete the data they have stored about them. For this reason, healthcare organizations might need to rethink their cybersecurity strategy and/or adopt new strategies or technologies to protect patient data and be compliant with current healthcare data protection standards.

Cloudbric, as a WAF vendor, can help healthcare organizations protect data stored via web applications — a must for all healthcare providers who allow direct patient access through the web. To prevent hackers from seeping through the cracks that web vulnerabilities introduce, it’s crucial for these healthcare providers to protect this layer. If you want to learn more, please don’t hesitate to get in touch with our security team to learn how healthcare providers can benefit from using Cloudbric. Fill out the form for a free consultation.