
Mission Critical: Securing Patient Data For Better Care

Health records are some of the most personal and impactful personal data there is

Ann Johnson

Seattle, Wash. – Oct. 4, 2019

Changes in U.S. healthcare regulations around patient records are bringing tremendous and exciting opportunities – but also significant challenges for how healthcare organizations protect this most personal of data now that it’s being shared more widely.

Replacing mountains of paper records with digital health records can help make the promise of coordinated care a reality, because they can be searched and shared between care teams, even outside the organization. That empowers doctors and clinicians to give their patients the best treatment, and also the best experience. Primary care physicians, emergency responders, specialists, physical therapists, pharmacists, hospital staff and care workers can all collaborate and deliver coordinated care because they can all see the same patient data, thanks to a decade of work done to comply with health information laws culminating in the 21st Century Cures Act that Congress passed in 2016.

Patients now own their own health records, and a healthcare industry fragmented between doctors, hospitals, nursing homes, urgent care facilities and health insurers — all with their own types of electronic health records (EHRs) — is finally making patient data interoperable. New federal rules due to come into effect later this year prevent health organizations from blocking EHR interoperability and ensure patients can get their health data from insurers. In 2020, hospitals will be required to electronically inform other healthcare providers when their patients are admitted, discharged, or transferred.

The government has also endorsed the FHIR (Fast Health Interoperability Resources) standard, which uses RESTful APIs to make data about medical issues, medications and treatments available through a range of apps that patients can choose between.

Shared medical data can mean better outcomes and less frustration for patients, and practitioners and healthcare organizations will also benefit from moving away from siloed healthcare information systems. Making health records mobile and shareable allows doctors and other healthcare workers to access them wherever they are, making them more efficient and more effective, helping reduce stress and burnout. More timely and accurate information will also help facilities schedule doctors, nurses and technicians more efficiently, which will in turn reduce costs and improve services to patients.

But healthcare organizations have to deliver all this while keeping highly sensitive data completely secure.

Health records are some of the most personal and impactful personal data there is. Beyond sheer confidentiality, they affect insurance ratings, credit risk, and even employment. Having patients trust that their data is secure will be vital for the healthcare industry to be able to take advantage of advances in AI that promise to improve diagnostic accuracy, patient care and rehabilitation times, as well as reducing readmissions and making healthcare administration more efficient.

Not only do you have to keep health data safe on your own systems, you have to keep it safe when sharing it with other health providers that patients delegate access to. That means you have to prepare for security risks you didn’t have to consider when distributing health records meant sending a fax from one department to another. Businesses in many industries have already found that their suppliers and partners can be a way for cybercriminals to attack them indirectly; healthcare organizations must look at how interoperability increases their attack surface.

You also have to protect that data while allowing patients to access it themselves, so you will need to authenticate them as users. And you have to proactively demonstrate that you’re complying with the legislation. Regulators will be asking for audit trails that show who’s asking for what health data, where it’s going, and that you have that information sharing under control.

Changing the ownership model for health care records brings new risks. We’ve added the risk of a patient losing control of their data to that of large-scale breaches. Cybercriminals will start targeting patients with phishing attacks that try to trick them into giving up their own health records, and their credentials to your systems. That could compromise individuals’ personal data in a way that’s not been possible before, and open up routes to identity theft, fraud and even blackmail.

If a patient requests their data and you provide it for them in a secure manner, but the data is compromised and ends up somewhere they didn’t want it to be, the legal responsibility may not be on your organization, but who will they blame and what will that do to your reputation?

What can we do to reduce the risks, while still allowing patients to control their own data?

Microsoft’s cloud and security services can help here, giving patients a secure online vault for their data, backed up by a proactive security platform. For healthcare organizations there are several options, building on the Microsoft 365 platform with continuous risk assessments that show you how you score on compliance with data protection, privacy and security regulations, as well as strong contextual security for protecting users wherever they are.

Office 365 and even the consumer Outlook service have strong phishing protections, taking advantage of the volume of email they process to identify phishing emails early and automatically protect all users against the latest attacks.

Using SharePoint’s enterprise content management features, with built-in Information Protection tooling, ensures that only trusted parties can view or use data. You can then build it into cross-organizational workflows that can be triggered by a patient sharing information with another healthcare provider, with modern identity management tools controlling access to that data.

Chatting with colleagues is so important to medical practitioners that many of them admit to using unapproved consumer solutions just so they can stay up to date. The Microsoft platform offers secure chat for patients and between healthcare providers through Microsoft Teams, with a Patient App solution that shows them relevant patient data, records conversations, and automatically transcribes and indexes content so it’s easy to search. Clinicians can also blur their background in video chats to avoid exposing any sensitive health data that happens to be on the wall of their office. There’s even a Virtual Tumor Board for Teams designed to help oncologists consult colleagues and agree on patient treatment more quickly.

The key to keeping everything secure is perpetual monitoring across all the services and systems in Microsoft’s platform that can identify attacks as they happen, automating defense in depth.

The days of viewing cloud platforms as a security risk are long past; in fact, they offer better security than on-premises systems. A recent survey from the Healthcare Information and Management Systems Society reports that putting apps in the public cloud and deploying enterprise content management platforms rank among the best practices for modern healthcare operations, along with taking advantage of voice recognition. Secure cloud platforms enable healthcare organizations to keep their patients and their data safe without spending significant sums on additional, often user-unfriendly, security services that slow down doctors as they’re working.

Making the most of the opportunities that sharing health records can unlock requires sharing not just data but context, and integrating that health information into the tools and workflows healthcare professionals rely on. Getting the security basics right means healthcare organizations can concentrate on improving collaboration, productivity and patient outcomes instead of compliance and audit trails.

Ann Johnson is Corporate Vice President, Cybersecurity Solutions Group for Microsoft. She is a member of the board of advisors for FS-ISAC (The Financial Services Information Sharing and Analysis Center), an advisory board member for EWF (Executive Women’s Forum on Information Security, Risk Management & Privacy), and an advisory board member for HYPR Corp. Ann recently joined the board of advisors for Cybersecurity Ventures.

Sponsored by Microsoft

Microsoft provides enterprise-class security for emerging cyberthreats. Be prepared to defend your organization from new cyberthreats with help from Microsoft. Start by learning ten tips to enable Zero Trust security.
