On 1 July 2020, the Protection of Personal Information Act (POPIA) came into effect in South Africa. The impact this will have on the healthcare industry is immense. Under the POPI Act, health information (such as diagnoses, pathology results, blood pressure readings and the like) is not only considered personal information, but is designated as “special personal information”. According to Paul Saunders, Product Manager: Data Analytics at Altron HealthTech, this stresses the need for data processors to take extra care when processing and storing these types of data. Recently, a vulnerability was exposed in the system of a South African company that specialises in this field. Fortunately, no data was stolen, but the fact that a system holding such sensitive information could be breached so easily is alarming.
An article in GlobeNewswire cites statistics from the ForgeRock Consumer Identity Breach Report, including an increase in the number of healthcare records breached in the first quarter of 2020 compared with the first quarter of 2019.
Saunders goes on to say that patient information might well be the most valuable type of personal information: “A patient’s health information is worth six to 10 times what credit card information on the black market would fetch.”
Joe Venter, Pre-Sales Consultant for CyberTech, a division of Altron, adds: “Recent studies have shown that the focus on theft of data moved from financial to healthcare as this type of information attracts bigger monetary value on the black market. Organisations, especially in the healthcare and financial sector, are recognising the true value of encrypting data, not only at rest, but also in motion. These organisations are also acknowledging that there is another aspect that goes hand in hand with data encryption, which is often overlooked but is crucial when it comes to any form of encryption, and that is key management. If the keys protecting the data are not secured and managed correctly by an organisation, data encryption becomes pointless. Not only do these measures ensure adherence to requirements within these organisations, but importantly, they provide their customers/patients with peace of mind that their information will be protected during a security breach.”
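Venter's point that encryption without key management is pointless is easiest to see in code. The following is an added example, not code from the original article or from any Altron product, showing the envelope-encryption pattern that keeps the key protecting the data out of the data store: each record is encrypted under its own data-encryption key (DEK), and the DEK is wrapped under a key-encryption key (KEK) that is held elsewhere (in practice an HSM or cloud KMS). The `Record` and `Sealed` types, the function names and the patient data are all constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is a constructed sample of "special personal information".
type Record struct {
	PatientID string
	Payload   []byte
}

// Sealed is what the data store keeps. Note what is absent: the KEK.
// An attacker who copies the store gets only the wrapped DEK and ciphertext.
type Sealed struct {
	WrappedDEK []byte // DEK encrypted under the KEK
	Ciphertext []byte // record encrypted under the DEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM under a fresh random nonce; output is nonce||ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// Encrypt generates a per-record DEK, encrypts the payload with it and wraps the
// DEK under the KEK. The patient ID is bound as associated data to both layers,
// so a sealed blob cannot be moved from one patient's row to another's.
func Encrypt(kek []byte, r Record) (Sealed, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Sealed{}, err
	}
	ct, err := seal(dek, r.Payload, []byte(r.PatientID))
	if err != nil {
		return Sealed{}, err
	}
	wrapped, err := seal(kek, dek, []byte(r.PatientID))
	if err != nil {
		return Sealed{}, err
	}
	return Sealed{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs the KEK first; a copy of the store alone yields nothing.
func Decrypt(kek []byte, patientID string, s Sealed) ([]byte, error) {
	dek, err := open(kek, s.WrappedDEK, []byte(patientID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, s.Ciphertext, []byte(patientID))
}

// RotateKEK re-wraps the DEK under a new KEK without touching the bulk
// ciphertext, which is what makes periodic master-key rotation affordable
// at the data volumes the article describes.
func RotateKEK(oldKEK, newKEK []byte, patientID string, s Sealed) (Sealed, error) {
	dek, err := open(oldKEK, s.WrappedDEK, []byte(patientID))
	if err != nil {
		return Sealed{}, err
	}
	wrapped, err := seal(newKEK, dek, []byte(patientID))
	if err != nil {
		return Sealed{}, err
	}
	return Sealed{WrappedDEK: wrapped, Ciphertext: s.Ciphertext}, nil
}

func main() {
	kek := make([]byte, 32) // in production: generated and held inside an HSM/KMS
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec := Record{PatientID: "P-0001", Payload: []byte("BP 140/90; HbA1c 7.2%")} // constructed
	s, _ := Encrypt(kek, rec)
	pt, _ := Decrypt(kek, rec.PatientID, s)
	fmt.Printf("decrypted: %s\n", pt)
	if _, err := Decrypt(make([]byte, 32), rec.PatientID, s); err != nil {
		fmt.Println("without the real KEK:", err)
	}
}
```

The design choice worth noticing is that the store never sees the KEK, so "encrypting at rest" means something only if access to the KEK is separately controlled, logged and rotated; if the KEK sits in the same database or configuration file as the wrapped DEKs, the whole scheme collapses to the situation Venter warns about.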
The two major challenges IT service providers in the healthcare industry face are the high costs associated with protecting such sensitive information and the vast volumes of data that need to be stored and protected. Saunders says: “Remember, your personal information, like your ID number, date of birth, address, etc, are either set in stone or rarely changes. This means that service providers can store and protect it more easily. Healthcare information is constantly changing. The volume of it keeps growing. A simple patient consultation generates a huge volume of sensitive data. With volume comes complexity and with complexity comes more opportunities for criminals to slip in through the cracks.”
When it comes to data security, organisations are expected to have the necessary controls in place to protect data in any form. Future-proofing cyber security is difficult because essentially no one knows what is around the corner. No security system is 100% effective, and attackers are constantly preparing the next breach or ransomware attack, with healthcare providers large and small regularly among their key targets. Healthcare will always be a huge target for cyber thieves simply because of the amount of information created with every doctor’s appointment or surgical procedure.
Saunders says: “The healthcare industry has been ‘a little behind’ in embracing technological innovation. Many of the hospital groups are working on dated systems that leave them vulnerable to attacks.”
Venter reiterates this point by adding: “During COVID-19, the Life Healthcare Group was the most recent victim of an attack where they had to take their systems offline after a 'targeted criminal attack' on the IT system.”
However, Saunders also goes on to say there is a concerted effort among hospitals to refresh their systems, making them more state-of-the-art.
This also speaks to a patient’s level of comfort in sharing their data. The sharing of data between patients and doctors and between different healthcare providers via an interoperable system will not only give medical professionals a more comprehensive view of a patient’s health, but will also help eliminate tests that are unnecessarily repeated, for example. However, for a system like this to function optimally, Saunders feels that patients need to feel confident that the healthcare provider they share their data with can protect it. The ripple effect of this is that these providers will require the technology companies that store their data to have the best possible measures in place. This is where standards such as ISO 27001 certification, and regulatory frameworks such as HIPAA, are crucial.
Asked for his opinion on healthcare providers (and organisations in general) running and maintaining their own data centres, Saunders says there are pros and cons. “If you are hosting it yourself, you have control over it, but, for example, the necessary certifications required are extremely tough to obtain/keep and it can be very costly.” He feels that the hybrid approach most commonly used, in which an organisation keeps its more sensitive information behind its own firewalls and pushes less sensitive information into a cloud environment, is a good balance.
Saunders goes on to say that Altron HealthTech works closely with CyberTech, a division of Altron, to ensure their software is secure. CyberTech conducts regular penetration testing and vulnerability assessments on all the software that it hosts.
The importance of securing patient information cannot be overstated. According to the ForgeRock Consumer Identity Breach Report 2020: “The healthcare sector accounted for 45% of data breaches in 2019, followed by the banking, insurance and financial sector at 12%. Researchers calculated the $17.76 billion spent on data breaches amounted to about $429 per breached patient record, up 5.14% from 2018.” These statistics reiterate how important it is for all healthcare providers to make sure any data they store is secure.
Saunders concludes by saying any service provider that stores special personal information needs to make sure that “their house is in order” before the 12-month grace period on POPIA runs out. Aside from the hefty fines that can be issued, the reputational damage a healthcare provider or their IT service provider can suffer because of a data breach can be disastrous.