By Mathieu Gorge, CEO and founder, VigiTrust.
The COVID-19 pandemic has created a number of personal health data challenges for both healthcare organizations and private businesses alike. From vaccine passport requirements and businesses handling incredibly sensitive information on their employees, to healthcare workers accessing sensitive patient data while working from home, the health crisis has created unprecedented data security and compliance challenges for employers and healthcare providers.
COVID-19’s Impact on Data Security
When COVID-19 first hit, many healthcare organizations shifted to a partially remote workforce overnight. This meant that healthcare administrators were using personal devices and had access to systems and data that they previously could only access on their employers’ network. The focus was on productivity and business continuity, not cybersecurity.
However, over a year later, we are still using this makeshift IT environment and the increased cyber risks have not been addressed. By accessing patients’ private healthcare information from personal devices or home networks, administrators are doubling or tripling the risk of a breach.
Why Do Criminals Want Healthcare Data?
There are several regulations designed to protect personal data, but health data presents unique challenges. For example, if my credit card were stolen, I can be assured that PCI would cover any losses due to my bank’s contractual obligations with credit card companies. However, my health data – including DNA, disease history and medical conditions – is fully unique. No one can reimburse me with a new set of personal health information!
Criminals understand this, which has led to a rise in personal health data being stolen. Many hackers are now breaching health systems’ networks for personal information, and demanding ransom from individuals to keep that data private.
Furthermore, healthcare workers have been under increased pressure due to the pandemic, which has made hospitals and health systems a more appealing and “softer” target for hackers.
Modern Health Systems Require Modern Regulation
Another key problem is that healthcare security regulations are falling behind the realities of the modern era. HIPAA was not designed to cover the increased risk surfaces that have arisen in the past year.
Furthermore, health systems now provide a user experience more akin to the travel industry; patients can check in with a QR code and access private data using an app on a mobile device. This uses a combination of cloud applications and back-end systems, which HIPAA was not designed to cover. The HIPAA framework does not focus on software security or coding, yet attacks are designed to target the very core of the software.
Businesses and Vaccine Passports
Health systems are not the only organizations that need to bolster their cybersecurity. If commercial businesses decide to collect information on which employees are vaccinated, they need to make sure that strict policies are put in place to protect this data. This involves drafting a policy, getting the green light from the legal department, and clearly communicating it to employees. Leadership must also ensure that appropriate systems are in place to keep that data secure and updated at all times.
To secure the involvement of leadership, which is crucial, I recommend the 5 Pillars of Security framework. This is a proven methodology for simplifying cybersecurity challenges in business language that CxOs and board members can understand. The industry-agnostic framework helps business leaders map cybersecurity risks, implement a strategy, and demonstrate cyber accountability to governing bodies, key stakeholders and regulators.
We are at a critical moment for health data protection. HIPAA must undergo a review and be made more current for the shifting technologies of today, and organizations must learn to manage the new work environment. Since many businesses are planning to collect data regarding their employees’ vaccinations, we need to find a way to keep it secure.
Key decision makers must be made aware of their cyber accountability mandates. It is crucial that C-suite executives and board members prioritize security and put into place secure technical controls, training and policies to protect personal health data at every stage.