Importance of Data Security in Healthcare

EMedStore
Dec 23, 2020

The healthcare industry, like most industries, always aims to improve the delivery of its services. To increase the efficiency of its delivery of services, the industry has adopted Information Technology (IT).

The adoption of IT has paved the way for more straightforward and more accessible treatment, making our lives a lot more comfortable. The most crucial part of the healthcare information system now is the Electronic Health Record (EHR), in which critical data of patients is stored.

However, the use of IT in healthcare is not limited to EHR only. Patients, doctors, and hospital staff use various health monitoring apps and devices. Patients use healthcare apps to get online medicines, to communicate with the doctor, etc., while the doctors and hospital staff use apps to optimize their operations. All such apps and software store sensitive or critical data.

Which information constitutes health data?

Critical health data is categorized as protected health information (PHI) by HIPAA. That includes the details related to the patient’s past, present, or future physical or mental health condition, payment details of the patient, and components of a patient’s medical record. PHI also includes many standard identifiers, such as name, address, birth date, Social Security number, and biometric identifiers of the patient. Sometimes, this also includes data collected from medical equipment.

Why is patient data critical?

Unlike financial information, healthcare data is permanent in nature; i.e., it cannot be altered after a data breach. Once your data is compromised, it is compromised forever.

Healthcare data is more prone to cyberattacks, as it contains personally identifying information and can be used to forge the identity of individuals. As this data is very sensitive and innately private, healthcare institutions need to have a robust mechanism to protect data against cyberattacks and safeguard against data breaches.

Consequences of data breaches:

Although extensive digitization of data from the medical industry has enhanced the healthcare services and made them efficient and fast, the data security risks also have grown considerably. Data breaches may occur because of software vulnerabilities, security failures, physical infrastructure, human errors, or external cyber-attacks.

Data breaches of health information have severe consequences for providers and patients alike because health research necessitates the collection, storage, and analysis of sensitive information. According to a report from IBM, the healthcare industry has the highest average cost of a data breach at $7.13 million per data breach. That is, each data breach costs healthcare institutes $7.13 million on average.

In the case of individuals who are victims of a data breach, potential consequences include the possibility of identity theft, financial fraud, leakage of private information, ransom, etc. and for the providers, it means loss of trust, reputation, and legal and financial penalty. When individuals are affected by the data breach, they often get monetary compensation. Still, the damage is irreversible, and its consequences are far-reaching as this information sometimes includes permanent details on an individual.

One such example is the 2017 data breach at the insurance company Aetna, wherein the HIV status of more than 11,000 people was exposed. Aetna settled for the compensation of $17 million, but for the affected patients, the harm had already been done.

Another example is the second-largest US health insurance company Anthem Inc, which recently paid $39.5 million as part of a settlement with US state attorneys general for an investigation into a massive data breach that included hackers getting access to 80 million company records.

The data breaches concerning overall IT infrastructure are numerous, but even if we strictly talk about the data breaches related to only healthcare, that number isn’t less either.

In 2018, the total number of healthcare records that were exposed or stolen was 15.1 million patient records. While in the year 2019, this number rose to 41.2 million. From 2005 to 2019, the total number of patients affected by healthcare data breaches was 249.09 million.

What standards are designed to protect this data?

Data standards are non-enforceable and mutually agreed definitions for how organizations capture and process data. Standards, unlike regulations, are voluntary by nature. Uniformity of data standards ensures data interoperability. Many organizations have made their standards for specific purposes; the most widely followed standards in healthcare data handling are Health Level Seven (HL7) and ISO 27799.

HL7 International lays out a framework and standards through which various healthcare systems can communicate with one another. These standards define how data is collected and transmitted. They consist of a set of rules that allow data to be shared and processed uniformly, and they standardize data and data structures to foster easy integration across various systems. According to their use in a particular domain, HL7 standards have been classified into several sections.

ISO 27799 specifies a set of best practices created explicitly for dealing with health data. It allows comparison of health services, aggregates data of individuals securely, and safeguards patients’ privacy.

Another widely followed standard is the Continuity of Care Document (CCD) or Clinical Document Architecture (CDA) standard. It is the result of collaborative work by HL7/ASTM (American Society for Testing and Materials).

This standard encourages data interoperability by allowing healthcare practitioners to send electronic medical data to other providers without distortion.

One unique set of data that healthcare systems deal with is medical equipment or smart wearables, as many call it. The FDA has released standards to regulate data collected from these devices. These guidelines provide detailed recommendations starting from getting a license for their manufacturing, data collection from these devices, quality system regulations and provision for reporting instances of malfunction of devices.

What regulations are put in place to protect this data?

Numerous instances of data breaches across the globe have propelled many countries to design rules explicitly for data handling and security. Although the goal is common for all the countries, i.e., to protect user data, the approach is vastly different. While some countries designed new regulations to govern new technology, other countries have interpreted their existing ones in light of these new technologies and have started to implement them strictly. Let us understand the primary laws related to data security across the globe.

How is data protected in Europe?

The regulations concerning data privacy in the European Union (EU) are among the strictest in the world.

The first law to regulate data handling across Europe was the European Union’s Data Protection Directive 95/46/EC of 24 October 1995. It mandated that sensitive data can only be used for a specific purpose and must have been collected legally under strict conditions.

This law was amended several times and ultimately replaced by the updated ‘General Data Protection Regulation’ (GDPR) law in 2018.

This modern piece of legislation, the GDPR, is generally hailed as progressive as it defines and regulates data and other related operations comprehensively. This law allows citizens living in the EU to control their personal information online and gives them more rights over their personal data. It applies to any global company dealing with collecting and processing data of any sort in the EU.

This law has provisions for the right to be forgotten, right to data portability, right to object against profiling, right to be informed, etc.

“Right to be forgotten” enables users to delete all of their data permanently.

“Right to data portability” permits users to transfer their data from one company’s server to elsewhere and delete their data from the primary company’s server.

“Right to object profiling” allows the users to provide only partial information and refuse to share information they do not want to share.

“Right to be informed” mandates that the companies need to provide information about how, when, and why they use data aggregated from the users.

How does the US protect health data?

In the US, data regulation involves several federal and state laws. Let us take a brief look at all the relevant rules pertaining to data regulation chronologically.

The Health Insurance Portability and Accountability Act (HIPAA) rule of 1996 establishes standards to protect medical records and other health information of individuals. This act sets conditions and limits the disclosure of such information.

The HIPAA Breach Notification Rule mandated that the covered entities should notify affected individuals. It allows patients to examine and obtain a copy of their health records and ask for corrections.

HIPAA-compliant entities are required to implement appropriate physical, administrative, and technical safeguards to ensure the availability, confidentiality, and integrity of health information.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 promoted EHR and encouraged data interoperability. It expanded the HIPAA rule scope by increasing potential legal liabilities for non-compliance and more stringent enforcement.

What rules apply to healthcare data regulation in India?

There is no comprehensive overarching privacy law in India that regulates how healthcare organizations should collect and process the data.

Right now, two bills are proposed for data regulation but are yet to become law.

The Personal Data Protection Bill, proposed by the Ministry of Electronics and Information Technology (MEITY), is aimed to provide general rules for data regulation of all kinds of data. The Draft Digital Information Security in Healthcare Act (DISHA), proposed by the Ministry of Health & Family Welfare, is aimed to regulate the collection and handling of health data.

Despite a lack of clear regulations, India has launched the National Digital Health Mission (NDHM) to encourage health data digitization. The National Health Authority regulates this.

How to safeguard patients’ data?

As accessible healthcare relies on sensitive personal data, privacy protections, including robust security measures, transparency, and accountability, must be implemented to secure this data. To protect patients’ data, the following steps are suggested:

1. Secure Data Collection:

Anyone who collects, uses, or has access to the data must be required to comply with the prevailing laws and regulations. Whoever collects data should also be made responsible for its security.

2. Identify where health data is stored:

It may be stored on various devices, including computers, smartphones, portable hard drives, DVDs, biomedical devices, USB Flash Drives, etc.

Then select best practices to secure this data. Use strong and unique passwords for these devices. Also, use two-factor authentication whenever possible.

3. Encrypt data:

Whether the data is being stored or transmitted, the healthcare data must be encrypted with the highest security standards. Even if your data is compromised, it will be tough for the attackers to decrypt and decipher it if it is encrypted. HIPAA rules also recommend encryption of data.

4. Use Latest Technologies:

To handle, store, and access EHR data, modern techniques use cloud and cellular technologies. It is essential to use the latest version of these technologies to be on the safe side. Obsolete or older versions have higher chances of data leakage.

5. Educate the staff about how to protect data:

Any technology is as good as the staff operating it. So, make sure your staff is not a weak link in the chain. It is vital to educate your staff about how to use technology and protect data.

6. Monitor data use and Restrict access to third party software:

When it comes to data, it is said that more linkage leads to more leakage. Implement access controls to secure your data against third party access and for monitoring purposes. It ensures that only authorized personnel have access to the data. The admin should monitor which users are accessing what data, and from what devices.

7. Conduct regular data security audits:

To identify weak links and vulnerabilities in your security infrastructure, regularly conduct data security audits.

8. Secure Data Backup Facilities:

The data backup facility or data center of a healthcare institute is the most sensitive part, as therein lies all the sensitive information. CCTV cameras should be installed at the premises, access should be restricted, and biometric or other means of rigorous authentication must be implemented.
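
To make step 6 concrete, here is an added example (not part of the original article) that audits an access log for the three things that step asks the admin to watch: who is accessing data, what data, and from which device. The log format, user names, device names, and the bulk-access threshold are all assumptions made up for this illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample log (not real data): who opened which record, from which device.
SAMPLE_LOG = """timestamp,user,device,patient_id
2020-12-01T09:02:11,dr_rao,ws-ward3,P1001
2020-12-01T09:05:40,dr_rao,ws-ward3,P1002
2020-12-01T09:07:02,nurse_lee,tablet-17,P1001
2020-12-01T23:41:09,billing_kim,laptop-unknown,P1003
2020-12-01T23:41:30,vendor_app,api-gw,P1001
2020-12-01T23:41:31,vendor_app,api-gw,P1002
2020-12-01T23:41:32,vendor_app,api-gw,P1003
2020-12-01T23:41:33,vendor_app,api-gw,P1004
"""

# Hypothetical policy values, chosen for this example only.
AUTHORIZED_USERS = {"dr_rao", "nurse_lee", "billing_kim"}
REGISTERED_DEVICES = {"ws-ward3", "tablet-17", "ws-billing1"}
MAX_PATIENTS_PER_USER = 3  # distinct records one account may open per log window


def audit_access(log_text, users=AUTHORIZED_USERS, devices=REGISTERED_DEVICES,
                 max_patients=MAX_PATIENTS_PER_USER):
    """Return (timestamp, user, reason) findings for a CSV access log."""
    findings = []
    seen = defaultdict(set)  # user -> distinct patient records opened so far
    for row in csv.DictReader(io.StringIO(log_text)):
        ts, user = row["timestamp"], row["user"]
        if user not in users:
            findings.append((ts, user, "unauthorized_user"))
        if row["device"] not in devices:
            findings.append((ts, user, "unregistered_device"))
        before = len(seen[user])
        seen[user].add(row["patient_id"])
        # Report bulk access once, when the threshold is first crossed.
        if before == max_patients and len(seen[user]) > max_patients:
            findings.append((ts, user, "bulk_access"))
    return findings


def summarize(findings):
    """Count findings per reason so an admin can triage the noisiest issue first."""
    return dict(Counter(reason for _, _, reason in findings))


if __name__ == "__main__":
    for finding in audit_access(SAMPLE_LOG):
        print(*finding)
    print(summarize(audit_access(SAMPLE_LOG)))
```

In this sample, the third-party account (vendor_app) trips all three checks, which is the "more linkage leads to more leakage" case the step describes.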

If you want a comprehensive solution for the healthcare sector, complying with the regulations and standards, contact EMed PharmaTech. We have combined experience of 10 years in the pharma-IT sector. Mail us at info@emedstore.in

I have tried to cover the most relevant prevailing rules, standards, and security measures based on research. Feel free to add more in the comment section and make it insightful for the readers.
