Securing healthcare data as cyberthreats evolve

The pressure on the healthcare sector to step up security measures and protect patient data has never been higher. As hospitals become increasingly connected, cyberthreats are also becoming more sophisticated.

How then can healthcare organisations ensure that their security systems are robust and up to date with the latest technology?

To drill down on the issue, Jicara Media has gathered several security experts in a panel entitled “Producing, Processing, and Protecting Healthcare Data,” as part of the latest Healthcare Frontiers online conference.

For Dr Nasriah Zakaria, Associate Professor and Head of Health Informatics Division, Faculty of Medicine at the University of Malaya, nothing beats preparation, especially when it comes to designing the IT infrastructure of a medical facility.

“One of the things that any healthcare organisation has to make sure of is when they set up their IT strategy, they have to ensure that they understand that various systems will come in, (and a lot of them will be) paired with various data. So they have to be prepared, and I think standardisation is the way to go,” she said.

Meanwhile, Bruce Leong, the Director of Technology & Strategy at Mount Alvernia Hospital, emphasised the need to protect data from an endpoint perspective.

“We do recognise that the data collection point is also where the malware entry point (exists) as well. Hence, we treat endpoint protection quite seriously. Luckily, for inpatient services, most of the data collection is within the hospital. So rather than using technology to protect the endpoints, other than your normal antivirus, our data collection points actually have no internet access. But we must also remember that we are allowing doctors to be mobile, so we will deploy some protection technologies. Also, (constant) education among staff on how to safely enter data (is important),” Leong said.

Because not all data are the same, even for a specific industry like healthcare, one of the challenges for cybersecurity firms, like BlackBerry, is standardisation.

“What we tend to look at is a reference architecture for healthcare. Looking at where different data is either being shared from, or what the entry points are for the data—it could be first responders, it could be a remote clinic, it could be a hospital, or clinicians needing to share information with third parties, like researchers. So looking at where those (data) are, where they’re stored, and who needs access to (them), is a challenge, but it is addressable. And it’s something that we work with a lot of hospitals and healthcare providers around the world to be able to get that right,” noted Jonathan Jackson, Director of Sales Engineering, APJ at BlackBerry.

Data analysis

After data collection, the next step is to extract value from the data set. But how does that work in a healthcare facility setting?

Because healthcare data is very sensitive, most organisations start small, and in-house, according to Shikha Kumari, Senior Assistant Director, Value Driven Outcome Office, National University Health System (NUHS).

“If you see the industry, it’s not always that we go (with a) very big bang in setting up a data lake for the first time. Even in a normal way, our senior management wants to see the value. So what we have done at NUHS is that we started small, and there are various initiatives. We did set up a data lake or internal data warehouse by marrying various data sources, and having a view of one patient, one record,” Kumari said.

“You need to identify all the data sources, where they are residing, and whether these are useful, because one of the things you need to find out is which ones are duplicates. (For example), your age and gender, and demographics are captured by various systems. So you have to identify all the sources, define the source of truth, and then connect and stitch—one patient, one record,” she added.

Over at Mount Alvernia Hospital, data analytics is being used to enhance patient safety.

“We are analysing data that we have collected, such as medication error, near misses, and other patient safety indicators to see whether there’s a systemic issue, or whether it’s human errors. So this is the first part that we embark on. (For our) business team, we will start to look more on efficiency,” Leong said.

For Jackson, a walkthrough with their healthcare clients is always beneficial when designing security.

“I always encourage organisations to say, ‘Let’s sit down and do it like a discovery workshop.’ Let’s walk the halls of a clinician, or a doctor, or an emergency responder, and say to them, ‘What would you like to get done faster, smarter, harder?’ Let’s see if we can use business acumen and analytics to be able to overcome some of those challenges. And often you’ll find these capabilities everywhere. So I encourage open thinking on analytics. It is everywhere, but it’s very powerful,” he remarked.

Jackson thinks that data security and, by extension, analytics should be the collective concern of a business organisation rather than of one department.

“Security is not an IT problem; it’s a business problem. I think analytics is the same principle. Healthy organisations that are in a digital transformation journey recognise that it’s not just the responsibility of the CIO. Often it (analytics) is something that’s driven by a doctor or a nurse, for example, that says, ‘If my job is so hard already, why do I have to mess around waiting for this iPad to load a whole bunch of spreadsheets?’ If we actually unpack that business logic and acumen and analytics, you can make people’s lives easier, and they can get their jobs done faster,” he added.

In order to effectively conduct data analysis, IT systems need to be able to talk to each other. However, unifying disparate systems is a major challenge in the healthcare industry.

“When you have data as a health information system (HIS) in an organisation, theoretically, it should give you the finger view. At our teaching hospital, as far as I know, in the few years when they did the whole HIS, it’s called Total Health Information System. The idea is to give a single view, so that healthcare providers can attain data at any time, basically holistic data of the patient. But I won’t deny that there are many other (pieces of) data that still reside in the peripheral systems or subsystems. I think whatever that’s needed to expedite or to make the service more efficient, you have to have the single view,” Dr. Zakaria said.

“The single view is (what) everyone’s aiming for. I’ve seen various successful deployments of that. I think some of the challenges in the healthcare sector have to do with legacy stuff. I do see a lot of organisations talking about the single point, but I don’t think we’re quite there yet. But that’s where we’re going,” Jackson added.

Cloud security and beyond

As more and more industries are leveraging the power of cloud to amplify their digital transformation efforts, could the healthcare sector be any different?

Leong observed that their industry is quite conservative, compared to others, when it comes to the cloud.

“When you go to cloud adoption, most organisations believe that the first thing they need to do is risk assessment. Every organisation has a different risk appetite. I think (healthcare) organisations (need to determine) what’s their risk appetite, what type of data they are comfortable putting on public cloud, what type of data they are comfortable putting on private cloud, and which they (want to) put on-prem,” he said.

Because of the sheer range of cloud service providers, Jackson advised carrying out a thorough assessment of which vendor would best fit the needs of a particular organisation.

“All cloud providers are not born equal. Pick them carefully, do your research, and definitely qualify them through. At BlackBerry, we have our own secure cloud infrastructure. In Japan for example, I do a lot of work with healthcare initiatives, (and they use) a mixture of private as well as external cloud,” he said.

Meanwhile, Leong described the cybersecurity of the Singapore healthcare system as a journey of maturity, not only of systems and processes, but also of people.

“You’ve got to keep running, trying to chase after the malware that is ever-evolving. We can fine-tune our practices and processes to be more secure. We can deploy the best firewall and the best advanced protection tools. But the key thing is to focus on our weakest link, which is our people. We think technology protection is like building a castle, but if you don’t protect every vehicle that goes into your castle, whether there’s a Trojan, they will go inside no matter what kind of protection investment you have put in place. So focus has to be shifted from spending money to acquire all the VPNs and all the protection, to really grinding and getting the maturity out of your staff, your clinicians, and your businesspeople to be aware and to be careful,” he emphasised.

Jackson seconded the emphasis on security awareness and education, noting that understanding the evolution of threat actors is crucial to safeguarding one’s IT infrastructure.

“What I do at BlackBerry is to help educate everybody with regards to cybersecurity. It’s not just the CISO and his team, but it’s everybody who’s involved in protecting information. There are lots of different tips and tricks that you can do. Certainly, we’ve seen some great innovation in the last three years or so with regards to using machine learning and AI to be able to identify threats. But you’ve got to remember, all it takes is one phishing email, and the whole thing falls to pieces anyway. So it can be a big, big challenge,” he concluded.