Rather than be an asset, health data can quickly become a liability
Healthcare IT News asked Dr. Zulfikar Ramzan, chief technology officer at RSA Security, a vendor that identifies, assesses, monitors and protects digital assets, to dig deep and identify a healthcare cybersecurity issue that is not one of the common ones, a serious threat that perhaps might be somewhat overlooked. He was all over this question.
“One issue related to security in healthcare settings that keeps me up at night and that is off the beaten path is data liability,” he stated. “Data is the greatest asset of the many modern tech companies peppered throughout Silicon Valley. These organizations gather treasure troves of data about their users and subsist by monetizing it effectively. They pay some of the most intellectually gifted people of our generation lavish salaries to optimize ad placements.”
The difference between life and death
In healthcare settings, patient data is crucial for providing effective treatment. More so, with advances in areas like precision medicine and genomic analysis, the value extracted from sensitive patient data can literally mean the difference between life and death.
“However, because healthcare institutions are not monetizing patient data for its own sake, that data rapidly becomes a digital risk,” Ramzan said. “Rather than being an asset, patient data can quickly turn into a liability for these institutions if, while providing care for said patients, they fail to provide care for patient data across its lifecycle.”
"There have been a number of remarkable advances in doing analysis on encrypted data, but these approaches incur significant costs and as such are not yet ready for mainstream use, though they hold tremendous promise."
Dr. Zulfikar Ramzan, RSA Security
First, as healthcare institutions leverage sophisticated data analytics methods including artificial intelligence and machine learning, they often unknowingly open themselves up to new digital risks.
“Even just minor errors in patient data, whether introduced intentionally or accidentally, can have dramatic ripple effects,” Ramzan explained. “Decisions made on such corrupted data can be disastrous. On top of that, data corruption can be nearly impossible to detect, especially when obfuscated by the complex mathematical equations associated with AI and machine learning.”
Data management versus patient care
Second, regulatory compliance regimes like HIPAA, the GDPR and others force healthcare institutions to manage patient data in ways that are potentially antithetical to patient care, he remarked.
“For example, to receive optimal treatment, healthcare institutions need a complete medical history,” he said. “Yet most patient medical histories are scattered among different providers who may each have seen a given patient for a brief period of time and who each may only have purview into one piece of the puzzle. Can healthcare institutions find ways to coalesce data, while not incurring a dizzying array of complexity in managing the lifecycle of that data?”
And third, what might constitute acceptable risk changes drastically when patient lives are on the line.
“For example, in an emergency situation, am I willing to have my privacy compromised if it saves my life?” he asked. “Or, in terms of elderly patients, does the confidentiality of data presumably have less value in their remaining years? People would jettison privacy concerns in such cases. However, these cases may again run counter to how healthcare institutions are incentivized to operate in an age where the financial cost of data lifecycle management failures are exorbitant.”
In short, patients’ personal data can simultaneously be a healthcare facility’s greatest opportunity and greatest liability, Ramzan contended.
“Health systems and hospitals need to rise to the challenge of implementing digital risk management solutions to safely navigate the new complexities that stem from technologies like AI and machine learning,” he said.
What CIOs and CISOs can do
So what can healthcare provider organization CIOs and CISOs do to combat this challenge?
“CIOs and CISOs should recognize that data is not inert and static, but rather it’s a living, breathing entity,” Ramzan advised. “Data is created, it moves, it morphs and is destroyed. Technical leaders should think in terms of their data pipeline, and ensure the confidentiality, integrity and availability of data at each stage. To manage data risks, it ultimately is crucial to ensure that the right entities, and only the right entities, have access to data at the right times and that they use that access appropriately.”
From a technology perspective, first and foremost, healthcare organizations should invest in integrated risk management technologies to catalog where their most important data assets lie and what policies and procedures are in place to protect that data, he suggested.
“Organizations also should implement technologies for addressing three critical areas of identity and access management,” he said. “The first area is identity assurance, which determines what confidence you have that an entity is who it claims to be. The second area is access assurance, which considers what entities should be allowed to do and access. And the final area is activity assurance, which considers whether the right activities are being conducted with that access.”
Judicious use of encryption
Moreover, healthcare organizations should make judicious use of encryption to protect data while it is in motion and at rest, he advised.
“When data is in use, encryption can be more challenging, because it is hard to analyze data that one cannot see,” he cautioned. “Surprisingly, there have been a number of remarkable advances in doing analysis on encrypted data, but these approaches incur significant costs and as such are not yet ready for mainstream use, though they hold tremendous promise.”
Finally, it is absolutely crucial to recognize that despite best efforts, healthcare organizations will occasionally fail to prevent malfeasance, Ramzan said.
“Threat actors, including malicious insiders, will eventually get through the front door,” he said. “That access, however, is merely a means to an end, in much the same way that a bank robber’s goal is not to get in the front door of the bank, but to get the money out of the vault. As data becomes the most valued asset and liability for organizations, effectively monitoring data assets will be table stakes for the modern digital organization.”