A recent article on cio.com stated that healthcare organizations are three times more likely to be a target of data theft. This is a worrying prediction, and hopefully does not come true.
Healthcare organizations are moving from traditional patient records to electronic patient records (EPR). This already started in the last millennium, when I was working for GE Medical. Communication standards were developed (HL7), and HIPAA legislation was created. EPR is a way to save costs and improve care, as information can be shared between healthcare organizations, insurance companies, patients, etc.
If we envision the healthcare journey of the patient and their data, we can see that there are a lot of data sources and destinations along the way. The first step of collecting data usually happens on an initial visit to the doctor’s office or a clinic (non-emergency case). Data about the current status of the patient is collected using a software solution and becomes a part of the EPR. Later, the patient may enter the hospital and be scheduled for surgery. After surgery, the patient is taken to a recovery room or, in more serious cases, to the intensive care unit. At every step, different software solutions are used to record basic patient information, collect data about vital signs, record drugs administered, etc. So there is a myriad of different data streams that are analyzed, recorded and stored. After the patient has recovered and is discharged, this particular journey ends. The data becomes part of the EPR.
From a quick visit to the doctor's for a runny nose to intensive invasive surgery, lots of data about a patient is collected and stored. Information and computer technology (ICT) can help healthcare professionals improve patient care and work more efficiently. However, this data is highly private in nature and must be secured.
While in storage, EPR data should be protected, and this is sometimes even regulated by law (HIPAA). Unauthorized access to EPR data can result in a very costly incident for a healthcare organization, an insurance company, or any other organization handling the patient data.
Proper authorization management ensures that only authorized healthcare professionals have access to the data. Authorization management based on roles is a core part of a good Identity and Access Management (IAM) solution. However, the authorization process should be easy and straightforward. Healthcare professionals must focus on patient care, not on cumbersome and hard-to-use ICT solutions.
The data streams before, during, and after the patient journey can also benefit from IAM solutions. Modern IAM solutions can provide an easy way to protect APIs using the OAuth protocol. OAuth is considered one of the prevailing authorization protocols for the Internet of Things. Patient monitors, infusion pumps, ventilators, automated drug dispensers, X-ray systems, data warehouses, care systems, etc., should support this kind of protocol to help protect the information. It can be used to configure which devices or solutions can talk to other devices and solutions. The data itself should be encrypted while in transit, and certificates are a good way to do that. Also, the devices are increasingly connected to the Internet, and a presentation by Scott Erven at the recent Derbycon shows just how easy it has become to discover and access these systems.
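As an added illustration (not code from the original article or from any particular IAM product), the sketch below shows how an API can decide which device may talk to it by checking the audience and scope of an OAuth-style access token. The HS256-signed token format, the shared demo key, and the device, audience and scope names are all assumptions made for the example.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # constructed value; stands in for the IAM server's signing key

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def issue_token(client_id, audience, scope, ttl=300, now=None):
    """Authorization-server side: sign the access granted to one device."""
    now = int(time.time()) if now is None else now
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64e(json.dumps({"sub": client_id, "aud": audience,
                              "scope": scope, "exp": now + ttl}).encode())
    return f"{header}.{claims}.{b64e(sign(header + '.' + claims))}"

def authorize(token, audience, required_scope, now=None):
    """API side: return (allowed, reason) for one request."""
    now = int(time.time()) if now is None else now
    try:
        header, claims, sig = token.split(".")
        # Verify the signature before trusting anything inside the token.
        if not hmac.compare_digest(sign(header + "." + claims), b64d(sig)):
            return False, "bad signature"
        if json.loads(b64d(header)).get("alg") != "HS256":
            return False, "unexpected algorithm"
        body = json.loads(b64d(claims))
    except (ValueError, TypeError):
        return False, "malformed token"
    if body.get("exp", 0) <= now:
        return False, "expired"
    if body.get("aud") != audience:       # token was issued for a different API
        return False, "wrong audience"
    if required_scope not in str(body.get("scope", "")).split():
        return False, "missing scope"
    return True, "ok"

if __name__ == "__main__":
    # Hypothetical patient monitor that may only write vitals to the EPR API.
    tok = issue_token("monitor-17", "epr-api", "vitals.write")
    print(authorize(tok, "epr-api", "vitals.write"))
    print(authorize(tok, "pump-api", "infusion.write"))
```

The second call is refused because the monitor's token names neither the pump API as its audience nor a pump scope, which is how the "which device can talk to which" policy is enforced at each API.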
Patients should also have secure access to the data collected. A username and password are not strong enough to protect access to healthcare data on an Internet-facing portal. Passwords can be guessed, and if a password database is breached, even encrypted passwords can be discovered. A better solution is to utilize an authentication solution where there is no data to be breached, such as mobile SMS one-time passwords (OTP) or other strong authentication methods. The availability of strong authentication methods depends on where you live, but SMS OTP is quite a universal solution.
The healthcare industry has been slow to adopt ICT, but things are changing rapidly with new healthcare professionals who grew up in the Internet age. They will be more receptive to new technologies that can help them provide better care to their patients. IAM is one of the key technologies for protecting the highly sensitive EPR information collected when we need healthcare services.