Arshad Noor - Mar 26, 2019

Duty of Care and Information Security

The Hippocratic oath and the principles embodied in “duty of care” guide the daily actions of healthcare providers. But when it comes to information security and protecting sensitive PHI, is the healthcare community living up to those principles?

What’s at Stake

The healthcare industry has had its share of large data breaches despite being regulated in the U.S. by the Centers for Medicare & Medicaid Services and federal law – the Health Insurance Portability & Accountability Act (HIPAA) – which mandate the security and privacy of sensitive healthcare data. So, it’s not a lack of cybersecurity guidelines that has led to ongoing data security and privacy incidents.

Given that patient data is deemed of the highest valuable by attackers on the dark web, healthcare providers are reminded that besides a professional and ethical responsibility to patients, they also have a fiduciary responsibility in protecting patient data, since a failure of this responsibility can endanger the health of their patient due to avoidable stresses caused by the breach of their PII and PHI.

Medical professionals have always had an ethical obligation to the first rule in healthcare – “do no harm” – and a responsibility to care for the patient’s health first. With the age of digital transformation in the healthcare field, better patient care backed by streamlined data and operations is available. While these technologies improve patient outcomes and lower costs, they come with compliance and security risks.

Healthcare organizations that handle PHI can’t afford to fall victim to cyberattacks. A breach has the potential to not only affect patient care and the trustworthiness of the healthcare organization but can go so far as to endanger the patient’s life if the integrity of data produced by medical equipment or records cannot be trusted. Consequently, it is vital that healthcare professionals understand the value of the data they have access to.

Primary Causes of a Data Breach

In the world of cloud-based file-sharing schemes, it would seem that a healthcare provider using encryption to protect their patients’ data in the cloud might satisfy the “duty of care” principle. But, as someone who has spent nearly two decades in the field of encryption, I would argue that the cloud service provider that has control over encryption keys can decrypt those encrypted documents at any time.

To make matters worse, healthcare applications that use passwords to authenticate patients and healthcare professionals to web applications are using the oldest and weakest authentication technology on the planet to protect access to information when stronger ones are available – sometimes at little or no cost to the healthcare provider who owns the application.

When you combine these two weak control mechanisms, you have a situation that allows confidential information to be breached by attackers, and neither the healthcare professional nor their patient may be aware that the information has been breached. In many cases, until the news breaks to the public, the healthcare providers do not often know they’ve been breached.

In such a situation, one can argue that the healthcare providers have failed in their duty by not employing readily available tools and mechanisms that have significantly higher probability of protecting their patients’ information.

Defending the Wrong Territory

Where healthcare organizations get it wrong is in assuming that network security tools are sufficient. Much as the Department of Transportation cannot prevent accidental traffic deaths by spending more on monitoring systems for its network of highways, spending more money on IT network security is a waste of money. The focus should be on protecting the sensitive data itself.

Most data breaches occur because of the mistaken notion that it is easier to deter “barbarians at the gate” rather than actually protect sensitive data in the application. As a result, hospitals over-invest in network-based security tools – firewalls, anti-virus, malware detection, intrusion prevention, etc. – rather than invest in the control mechanisms that provide the highest level of data protection.

Security Controls for Better Protection of Patient Data

Here are necessary security precautions healthcare organizations can take to protect the confidentiality of patients’ information:

  • Eliminate any form of shared-secret authentication scheme being used to authenticate humans to applications. Adopt the FIDO Alliance’s WebAuthn as the authentication standard and do not delegate the authentication to a third-party Identity Provider. New privacy laws such as the General Data Protection Regulation and California Consumer Privacy Act create new liabilities for healthcare providers if the Business Associate Agreement (BAA) does not protect the healthcare provider.
  • Encrypt data at the source where information is captured – at the application level. This is the surest long-term method for protecting sensitive data because the application layer is the highest layer in the technology stack. This makes it the most logical place to protect data, since it offers the attacker the smallest target. In addition, once data leaves the application layer, it is protected no matter where it goes – and it must return there to be decrypted.
  • Preserve the integrity of data stored within electronic health records and databases.

Data Security is Patient Care

Today, duty of care for healthcare organizations includes keeping patients’ sensitive data secure and private. However, relying on weak authentication practices and network security tools to do the job is a recipe for data breaches. Cybercriminals are eager for health data, so the healthcare industry must step up its data security efforts to offer the highest level of data care, just as they strive to provide the highest level of patient care. Use the guidelines above to ensure patient data receives the strongest protection possible.

About the author:

Arshad Noor is the CTO of StrongKey, a Silicon Valley and Durham, NC based company focused on securing data through key management, strong authentication, encryption and digital signatures. He has 32 years of experience in the Information Technology sector, of which, more than 19 were devoted to designing and building key-management infrastructures for dozens of mission-critical environments around the world. He has been published in periodicals and journals, as well as authored XML-based protocols for two Technical Committees at OASIS and represents StrongKey at the FIDO Alliance. He is also a frequent speaker at forums such as RSA, ISACA, OWASP and the ISSE. He can be reached at arshad.noor@strongkey.com.

ALSO SEEN IN: Becker's Health IT