How outsourcing your information management could enhance patient wellbeing
Confidentiality has always been important for healthcare institutions. Keeping patient records safe and secure is integral to ethical operation and compliance. But where healthcare data privacy was once a simple matter of keeping records in a locked room and using computer screen savers, it is now an area of very real vulnerability with serious ramifications for patient welfare.
As the cyber arms race intensifies and cybercriminals seek out paths of least resistance, healthcare institutions are becoming an increasingly attractive target. “We’re seeing many other sectors becoming just much faster fish,” says Dave Coughanour, director of security and information management at K&L Gates. “It’s harder to hack into a bank, it’s harder to hack into a defense-contractor or critical infrastructure company, so hackers are shifting their focus to what they perceive to be the weaker link in the chain.”
Healthcare is showing similar recalcitrance to the legal sector in this area, but it is unique in terms of the quantity and depth of the data in its custody. Not only is pilfered health data easier to monetise than other personal information, but the stakes are higher in the event of information loss — meaning it doesn’t need to be stolen to be valuable to hackers, just rendered inaccessible.
In May 2017, the WannaCry ransomware attack crippled NHS facilities across England. Unlike other affected sectors, critical care providers were relying on access to their information management systems to save lives and didn’t have the luxury of waiting to see if another solution would become available. Their duty of care forced them to pay.
The attack came five months after Experian Data Breach Resolution released its fourth annual Data Breach Industry Forecast. In it, the company predicted that the industry hit hardest by cyber security breaches in 2017 would be healthcare.
Cory Kennedy, lead information security engineer at CenturyLink, spoke to Computerworld about the problem: “I really think in terms of ransomware, the stories about hospitals paying the ransom are spreading among attackers, letting them know that they’re a successful place to attack.”
This issue will be a resilient one, especially with healthcare funding having limited room for sophisticated ICT overhauls. “Traditionally healthcare providers [have been] in the business of saving lives,” says Lee Kim, HIMSS director of privacy and security, “so [IT security staff] have a difficult time competing for budget dollars.” And yet, the cost of doing nothing may be higher. According to a Ponemon Institute study released in 2016, the average cost to a company per record breached is AU$142.
Healthcare providers now have a duty to pay the same attention to cyber security as they do to hygiene and infection control, as both have the potential to directly affect treatment outcomes and profitability. They need to find affordable information management solutions with the ability to protect their systems — and their patients.
Paper records also present challenges for confidentiality. When archives are stored off-site, healthcare providers may inadvertently expose their information to compromise during transit, especially over long distances where multiple handovers are involved. Very few information management companies have a secure chain of custody across all their delivery locations. Instead, when they have to deliver outside certain geographical boundaries or times of day, they outsource to contractors. This adds one or more unnecessary steps to the information transmission process. While it may only increase the risk of breach by a slight margin, it elevates the risk of data loss significantly.
High-quality external information management solutions ensure the security of hard copies with off-site facilities designed and equipped to protect documents from fire and water damage, as well as theft. Good information management companies ensure all their employees undergo a Police Criminal Security check, and archives are set up in such a way that staff cannot identify their contents at a glance — with access only granted once a request has been issued from the information owner. To ensure the same level of security when transporting documents, a secure fleet of vehicles maintains an entirely secure chain of custody, never outsourcing collection or delivery to contractors, even when working outside urban areas or normal trading hours. Digital security is assured through the use of an administrative console with airtight security configurations, function-level verification, and application-level security that limits users to accessing only the functionality and data they need. If local systems go down, a good information management firm will be able to deliver back-ups on demand.
As well as improving patient confidence, more secure health information management significantly reduces risk. With information stored off-site, much of the pressure is taken off institutions that are currently maintaining a high level of physical and cyber security.
In the event of a major security event or loss of data, functionality can be rapidly restored with the provision of both physical and digital back-ups from a secure data repository. This keeps panic responses to a minimum and allows staff to continue to tend to patients with minimal interruption or inconvenience.
The financial benefits of greater privacy and security are hard to overstate. Not only are patients protected from identity fraud that may affect their finances, but healthcare institutions are able to avoid the potentially crippling burden on their already limited budgets.
 Ponemon Institute, 2016 Cost of Data Breach Study: Australia, p. 1.