Healthcare data breaches mean big bucks for criminals. Whereas run-of-the-mill PII (Personally Identifiable Information) sells for about US$2.00 a pop, PHI (Personal Health Information) commands the hefty price tag of over US$360 per item!
PII is information that can be used to personally identify (contact or locate) an individual, whether on its own or in combination with other data — data such as an email address, a physical address, a telephone number, etc.
Personal Health Information is PII that is specifically collected by a health care provider, a health clearinghouse or a health plan operator.
Utilising PHI, “bad hats” can make fake insurance claims, illicitly purchase medical equipment for resale, or purchase prescription drugs which they can sell on the streets as narcotics. Often, PHI is also used in phishing attacks to extort money out of individuals by demonstrating knowledge of those individuals’ underlying (and supposedly confidential) health conditions.
The potential payback for exploiting PHI is enormous, making it a juicy target for organised crime syndicates and individual criminals alike.
As the world becomes more digital and patient records are stored electronically, it becomes far easier for hackers to gain access to huge stores of PHI. Hackers do this using various methods, including:
- Social engineering
- Exploiting flaws in the system itself
- Physical theft of devices (or access to lost devices that are poorly secured)
The magnitude of PHI stolen in recent years is mind-boggling. For example, the American Medical Collection Agency (AMCA) was hacked over a period of several months, resulting in more than 20 million health records of Americans being put up for sale online.
The Virginia-based insurer and health plan administrator Dominion National experienced a breach of 2.9 million records over a nine-year period.
UW Medicine misconfigured a database, leading to the potential breach of 974,000 patient records.
Human error caused the breach of 1.6 million records at Inmediata Health Group.
And the list goes on.
Hardening the security of IT systems is a core task for any company involved in software development, but especially in healthtech.
We believe that the best way to ensure the highest possible security of a healthtech software system is to hire a reliable external company to take care of it for you.
Here are three reasons why:
1. Financial and Human Resources
Systems security is an entire subject in itself.
In a highly competitive field such as healthtech, CTOs need to dedicate as many resources as possible to the development of core product features, which can make the difference between staying in business and not.
Healthtech IT leaders are well aware of the risks involved should there ever be a data breach. But addressing those risks in the code might require pulling some resources off of the product’s core development.
Faced with this conundrum, IT managers usually make one of two choices:
- Resources are pulled away from core development and are allocated to hardening the security aspects of the software instead, which slows development of the product itself.
- Or, managers demand that development teams go full-throttle on the essential features and skimp on security, thereby possibly leaving crucial security aspects untested until it is too late.
Both approaches are flawed.
What is required is the ability to dedicate as much labour as necessary to the security aspects of the software without sacrificing key resources who are working on essential components and also without costing the organisation half of its budget.
The easiest way to do this is with a reliable external company that uses an agile approach to development and rigorous testing in order to ensure the security aspects of the system are unbreakable.
Even if IT managers do manage to balance their team so that adequate resources are dedicated to both security and core features, a team that looks at the same code every day can become so accustomed to it that it simply misses crucial security vulnerabilities.
This doesn’t mean the development team is inept. It means that a fresh set of eyes is worth twenty tired ones.
Independent assessments are vital to identifying underlying issues that might otherwise go unnoticed.
2. High Complexity = More Possible Mistakes
Healthcare and healthtech are powered by software that often runs to millions of lines of code, worked on by anything from a few programmers to several hundred.
These millions of lines of code result in an integrated system with a tremendous degree of complexity.
Specialised expertise is essential to assess systems of such complexity; it calls for the nuanced approach and skill set of a trained cybersecurity engineer.
A specialised company can conduct regular pentesting and other security assessment work while the complex solution is being built. Pentesting and security assessments help a healthtech company avoid major technical vulnerabilities, prioritise risks, meet the organisation's requirements and save money.
3. Specialised Knowledge and Skill
Third-party security advisors will examine an organisation’s security strategy against industry standards and best practices. They specialise in identifying gaps that might pose an unnecessary risk to the organisation.
In-depth knowledge is required of the ins and outs of different regulatory bodies and the plethora of regulations and laws those bodies have published.
This knowledge isn’t limited to health-specific regulations such as HIPAA and MDR, but also covers things such as the Payment Card Industry Data Security Standard (PCI DSS), regional, national and state-level privacy laws (the EU's GDPR, the California Privacy Rights Act (CPRA), and others), as well as other regulations.
Failure to comply with all required regulations can lead to “breaches” of another kind, such as inadvertently sharing PII outside of the organisation, even if the intent was not criminal in nature. This can stem from human error or from a lack of risk prioritisation when developing the healthtech product. Therefore, it is necessary not only to build security into the software but also to educate users and limit what they can do so that they comply with the security standards.
Making sure users comply with the security standards requires not only secure software but also user training and an optimal UI & UX. The product’s interface needs to be built by a specialist so that onboarding of every user is automated and end-users such as doctors, nurses and secretaries are educated on the possible repercussions of a mistake (even an innocent one).
So, both security as well as privacy regulations need to be looked into thoroughly when developing healthtech solutions, and this is best done by security and regulations experts with wide experience in the field.
An example of a company that specialises in building secure healthtech solutions is Thorgate. Thorgate has 10+ years of experience in building healthcare products enabling higher efficiency, enhanced services, new solutions, and more patient engagement.
At Thorgate, we recently gave a talk on Thorgate’s agile approach to healthtech development, as well as its rigorous adherence to security protocols in healthtech, which is available to view here:
To find out more about the work we've done, see our case studies here
If you're looking for advice on how to ensure data security for your healthtech product, feel free to email me at taavi.uudam@thorgate.eu