Tech giants like IBM, Amazon, Google and Microsoft are the latest players in healthcare, striking deals with hospitals to secure access to millions of patient records. According to the Wall Street Journal, 80% of all medical records are now digital, and this trove of data may prove invaluable for tech companies — placing protected health information (PHI) in the hands of big tech could result in algorithms capable of predicting future diagnoses, search tools to quickly locate a patient’s file or customized treatment plans.
But not surprisingly, lawmakers and patients are concerned about how increased data sharing will impact security. Healthcare is already the second-most ransomware-targeted industry (just behind finance), and companies face steep fines for noncompliance with healthcare privacy and security guidelines. In addition to security concerns, privacy experts are worried that tech companies will improperly use patient data for commercial purposes. For example, the revelation of Google’s Project Nightingale, a data storage partnership with Ascension Health, caused a public outcry because of the potential for privacy violations.
As large tech companies sink their teeth into PHI, healthcare organizations must adapt their security protocols to ensure they remain compliant and patient data remains secure.
Keep data safe — and keep data private
Healthcare corporations are concerned about the growing number of data breaches caused by hacking or IT incidents. Between 2018 and 2019, the number of healthcare-related data breaches caused by hacking or an IT incident increased 46% and accounted for 60% of the total number of breaches.
Third-party vendors may make patient data even more vulnerable. Wolverine Solutions Group, a billing vendor for large health systems in Michigan, suffered a ransomware attack in September 2018. An estimated 600,000 patients in multiple health systems were affected. As this breach shows, hospitals and health systems are only as secure as their vendors.
The partnerships between big tech and hospitals also raise concerns about HIPAA and HITECH. These laws do not specify the vendors or technologies necessary to remain in compliance — rather, they advise organizations to take “reasonable and appropriate” security measures when it comes to PHI.
But non-compliance with HIPAA and HITECH is costly. Since 2015, the healthcare sector has paid out more than $50 million in fines and penalties for violations of privacy laws. A record number of HIPAA fines were collected in 2018, including the largest-ever fine of $16 million. This high level of enforcement is expected to continue as tech firms and hospital systems become more entwined — the U.S. Department of Health and Human Services is already taking a close interest in large tech firms’ access to PHI, and future guidelines may further complicate the steps required to remain in compliance.
In addition to the monetary costs of such incidents, companies facing a HIPAA violation risk their reputation with patients. As many as 65% of patients would avoid companies that experienced a HIPAA breach. Although more difficult to quantify than a fine from HHS, patients’ trust is a valuable resource that must be protected. And as patients question the level of access tech giants have to their data, health systems must be aware of how increased data sharing could lower patients’ confidence.
For any hospital system, data security is a huge priority. For hospitals working with outside tech firms to organize, search or analyze PHI, data security must be at the forefront of any contract negotiation or services discussion.
5 ways to minimize data security risks
Achieving and maintaining compliance and security involves a complex range of variables. No single product can manage all regulatory requirements and keep your company entirely secure. However, IT management solutions that automate processes help you adopt a big-picture approach that can make your job easier.
To stay on top of PHI privacy and security requirements, look for a management system that facilitates multiple compliance and privacy objectives, including:
Discovery tools and scans: One of the most common red flags in an audit is the failure to identify the systems that are connected to the provider’s network. Discovery tools can scan an entire environment and its connected systems to fingerprint all types of devices accessing the network. You should schedule — or automate — discovery scans to periodically identify unknown devices operating on the network.
Software management and patching: Automated patching means the latest security updates and feature enhancements from third-party providers can be installed across your network — with minimal impact on end users, but maximum impact for operational security. You should also be able to scan the network for known vulnerabilities in the operating system and third-party software, then install fixes quickly. This is an essential element of compliance and a best practice in data security.
Policy management: As part of HIPAA’s Security Rule, organizations are required to “create and deploy” policies and procedures. Automating a robust policy management system can make compliance automatic for your servers and workstations. For example, in addition to patching and software deployment, your system can be configured to report any noncompliance events against custom controls you define.
Security auditing: HIPAA also requires audit processes across all storage and access points for PHI. With the right auditing tool, demonstrating compliance with this requirement can be automated or scheduled to easily document each machine’s physical characteristics (e.g., RAM, CPU and disk drives), user account information and installed software.
Access control: An important aspect of HIPAA compliance involves ensuring users and systems only have access to the PHI they need to do their jobs — no person should be able to view more PHI than is necessary for their role. A compliance-minded IT system enables a quick and efficient review of any user access to determine if that specific user’s access level is appropriate.
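As an added example that is not part of the original article, one way to script the access review described under access control: a role-based check that flags PHI grants beyond what a user’s role permits and access still held by inactive accounts. The roles, users and data set names are constructed placeholders, not any vendor’s schema.

```python
# Added example (not from the article): a minimum-necessary access review.
# Given each role's permitted PHI data sets and the access actually granted,
# flag grants that exceed the role and grants held by inactive accounts.
# All roles, users and data set names below are constructed for illustration.
from dataclasses import dataclass, field

ROLE_ENTITLEMENTS = {
    "billing_clerk": {"demographics", "claims"},
    "nurse": {"demographics", "clinical_notes", "medications"},
    "it_admin": set(),  # system access only; no PHI data sets by default
}


@dataclass
class UserAccess:
    user: str
    role: str
    active: bool
    granted: set = field(default_factory=set)


def review_access(users, entitlements=ROLE_ENTITLEMENTS):
    """Return a list of (user, reason, data sets) findings for a reviewer."""
    findings = []
    for u in users:
        allowed = entitlements.get(u.role)
        if allowed is None:
            # A role nobody defined cannot have been approved for any PHI.
            findings.append((u.user, "unknown role", sorted(u.granted)))
            continue
        if not u.active and u.granted:
            # Departed or disabled users should hold no PHI access at all.
            findings.append((u.user, "inactive account holds access", sorted(u.granted)))
            continue
        excess = u.granted - allowed
        if excess:
            findings.append((u.user, "exceeds role", sorted(excess)))
    return findings


SAMPLE_USERS = [  # constructed sample
    UserAccess("alice", "billing_clerk", True, {"demographics", "claims"}),
    UserAccess("bob", "billing_clerk", True, {"demographics", "claims", "clinical_notes"}),
    UserAccess("carol", "nurse", False, {"clinical_notes"}),
    UserAccess("dave", "contractor", True, {"claims"}),
    UserAccess("erin", "it_admin", True, set()),
]

if __name__ == "__main__":
    for user, reason, data in review_access(SAMPLE_USERS):
        print(f"{user}: {reason}: {', '.join(data)}")
```

Run against an export of real role assignments and grants, the same function produces the review list an auditor would ask for; alice and erin produce no findings because their grants match their roles.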
As big data continues its march into the healthcare industry, shoring up security protocols and maintaining compliance must be a priority for IT operations. The financial health and community reputation of health systems depend on it. Proactive processes and a strong IT management system are crucial for a successful partnership between large health systems and the titans of tech.