With the passage of the General Data Protection Regulation (GDPR) in May 2018, international focus on data and IT security once again sharpened dramatically. Fueled by the EU’s aggressive two-tier penalty system, organizations in all business sectors had two choices: review their internal data security systems and protocols or risk substantial fines and reputational damage.
As the Herjavec Group’s 2020 Healthcare Cybersecurity Report illustrates, leaders within the healthcare industry would be well served by paying particular attention to this GDPR wake-up call. A sampling of the data makes the case:
- Healthcare leads the list of most cyber-attacked industries over the past 5 years, along with manufacturing, financial services, government, and transportation. The main reasons: inadequate security practices, weak password integrity, and vulnerabilities in code leave highly personal (and therefore valuable) data collected in Electronic Health Records (EHR) at risk.
- 93 percent of healthcare organizations have experienced a data breach during the past 3 years, and 57 percent report having more than 5 during that same period.
- 25 percent of cyberattacks are likely to involve the Internet of Things (IoT), which is not surprising given that online medical devices average over 6 points of vulnerability. A full 60 percent of current devices in use are outdated to the point of having no security upgrades or patches available.
- While 91 percent of healthcare administrators wisely recognize that data and IT security are a top priority, only 38 percent feel prepared and adequately trained to deal with a cyber-attack of any magnitude.
The Alberta Case
Because cyber-threats do not recognize borders, healthcare IT security is very much a Canadian concern. HealthCareCAN went so far as to call 2019 “the year of the cyber-breach in Canada,” while also noting that “while the year’s headlines were plentiful with details of new breaches, vulnerabilities, and hacks, you would be hard-pressed to learn whether anything has actually been done about it.”
In Alberta, the Health Information Act (HIA) establishes rules to protect the privacy of every individual's health information. The Act also strictly regulates how health information can be collected, used, and disclosed by anyone accessing an EHR. These rules include mandatory breach reporting if there is unauthorized access to or disclosure of any level of health information.
As part of the provincial cyber-security plan, Alberta Health Services is the custodian of the Alberta Netcare portal. This secure and confidential electronic system houses all patient health information accessible to frontline healthcare teams at the point of care across the province. Standard protocols include:
- User permission levels
- Two-factor authentication used in conjunction with an authentication device
- End-to-end encryption of all shared data and messages
- Controls and audit logs
- Information masking
In addition, AHS works with other organizations, including the Canadian Cyber Incident Response Centre (CCIRC) and the National Health Information Sharing and Analysis Center (NH-ISAC), to stay current on emerging threats and remain proactive and vigilant in protecting the data of Albertans.
More Needs to Be Done
Healthcare organizations need to respond to the insights and guidance provided in the new data security, privacy, and sovereignty regulations coming into force around the world. Data security is no longer only an IT problem. It is a serious business concern, one that requires leadership and administrative teams from across an organization to work closely with technology and security teams to maintain internal data security and privacy.
What does this mean exactly? It means:
- Examining how all data is managed and maintained as per the guidelines set out by the HIA, the Canadian Institute for Health Information, and elsewhere.
- Working toward restructuring the traditional silo approach to data management and replacing it with a more horizontal structure that ensures all customer information receives the same scrutiny and is held to the same high standard of accuracy and risk assessment.
- Emphasizing best practices and perpetual improvement in three related areas:
  - Current and enhanced security technology. At the most basic level, this means that all software updates are applied promptly. Data shows that most successful system attacks exploit known security blind spots or loopholes, which means that many of them are avoidable with a relatively simple update. When considering new cyber-security technologies, rely more on proven solutions that have been tested and debugged in real-world environments. It is critical to ensure that data and IT cyber-security extends to personal mobile devices and all connected medical devices across the organization.
  - Cyber-security training for staff, to ensure they understand the social engineering tactics, such as phishing and spoofing, that cyber-thieves use to circumvent even the most robust system controls. Frequent and mandatory training ensures that all employees know their role in data and IT security, keeps them up to date on common and emerging attack tactics, and teaches them what to report and when, so that the local IT team is aware of attempted breach points. Most immediately, training can work to discourage the 51 percent of people who currently use the risky “one-password-for-all-systems” strategy. Interestingly, 57 percent of people who have been victims of some form of social engineering attack do not change their passwords even after the experience.
  - Secured networks, meaning that system access is controlled so that every individual's role is mapped in relation to the data system, and no one has access to more than he or she needs to do their job effectively. One of the fundamental principles of GDPR, in fact, is data minimization, which emphasizes that organizations should only hold as much personal data as is required to accomplish a given task.
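The controls named above (user permission levels, audit logs and information masking, with each role mapped to only the data it needs) put together in one added Python example; this is illustrative code, not code from the article or from Alberta Netcare, and the patient record, roles and field policy are constructed.

```python
# Added example: least-privilege field access to an EHR record with
# information masking and an audit trail. Record, roles and policy are
# constructed for illustration; nothing here is a real system's policy.
from datetime import datetime, timezone

# Constructed sample record (values are made up).
RECORD = {
    "patient_id": "P-0001",
    "name": "Sample Patient",
    "health_number": "123456789",
    "allergies": ["penicillin"],
    "psych_notes": "confidential narrative",
}

# Constructed role policy: fields a role may read in full ("allow") and
# fields it may see only in masked form ("mask"); anything else is denied.
POLICY = {
    "nurse": {"allow": {"patient_id", "name", "allergies"}, "mask": {"health_number"}},
    "billing": {"allow": {"patient_id", "name"}, "mask": {"health_number"}},
    "psychiatrist": {"allow": {"patient_id", "name", "allergies", "psych_notes"}, "mask": set()},
}

AUDIT_LOG = []  # every access attempt, granted or denied, is recorded here


def mask(value):
    """Information masking: reveal only the last three characters of an identifier."""
    s = str(value)
    return "*" * max(len(s) - 3, 0) + s[-3:]


def view_record(user, role, requested):
    """Return (view, denied): the permitted fields for this role, sensitive
    ones masked, and the list of requested fields the role may not see."""
    if role not in POLICY:
        raise PermissionError(f"unknown role {role!r}")
    rule = POLICY[role]
    view, denied = {}, []
    for f in requested:
        if f in rule["allow"]:
            view[f] = RECORD[f]
        elif f in rule["mask"]:
            view[f] = mask(RECORD[f])
        else:
            denied.append(f)  # least privilege: default deny
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role,
        "granted": sorted(view), "denied": list(denied),
    })
    return view, denied
```

A denied field is never silently dropped; it is returned to the caller and written to the audit log, which is what lets a security team spot a user repeatedly asking for data outside their role.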
Final Thoughts
Modern healthcare and technology are deeply intertwined to the point that it is nearly impossible to imagine running a healthcare enterprise without relying heavily on IT and data. The risk associated with this reliance is part of the new world of healthcare delivery across Alberta and the world. Legislation can go only so far in protecting the vital data held in healthcare systems across the province. The best first line of defence is a commitment to robust security technology, best practices for individuals and organizations, and building a secure, proactive system that puts IT security at the top of every organization's priority list.