By Mathieu Gorge, CEO and Founder VigiTrust.
The COVID-19 pandemic has created many personal health data challenges for both healthcare organizations and private businesses. With vaccine passport requirements, businesses managing incredibly sensitive information on their employees, and healthcare workers accessing sensitive patient data while working from home, the health crisis has created unprecedented data security and compliance challenges for employers and healthcare providers.
Effects of COVID-19 on data security
When COVID-19 first hit, many healthcare organizations moved almost overnight to a largely remote workforce. This meant that healthcare administrators were using personal devices to reach systems and data that they previously could access only from their employers’ networks. The focus was on productivity and business continuity, not cyber security.
However, a year later, we are still using this temporary IT environment, and the increased cyber risk has not been addressed. By accessing patients’ personal health data from personal devices or home networks, administrators are doubling or tripling the risk of breaches.
Why do criminals want health care data?
There are many rules designed to protect personal data, but health data presents unique challenges. For example, if my credit card is stolen, I can be sure that PCI will cover any losses, because of my bank’s contractual obligations with the credit card companies. My health data, however – including DNA, disease history and medical conditions – is completely unique. No one can issue me a new set of personal health information.
Criminals understand this, which has led to an increase in the theft of personal health data. Many hackers are breaking into healthcare networks to steal private health information and then demanding ransom from individuals to keep that data private.
In addition, health workers are under increasing pressure due to the pandemic, which has made hospitals and the wider health system more attractive and “softer” targets for hackers.
The modern health system needs modern regulation
Another major problem is that healthcare regulations are lagging behind the realities of the modern age. HIPAA was not designed to cover the attack surfaces that have emerged in the past year.
In addition, the health system now offers a user-friendly patient journey: patients can check in with QR codes and access private data using an app on their mobile devices. This relies on a combination of cloud applications and back-end systems that were not designed with HIPAA in mind. The HIPAA framework does not focus on software security or secure coding, yet attacks are increasingly aimed at the core of the software.
Business and vaccine passports
Health systems are not the only organizations that need to strengthen their cyber security. If commercial businesses decide to collect information on which workers are vaccinated, they need to make sure that they have strict policies in place to protect that data. This includes drafting a policy, getting a green light from the legal department, and communicating clearly with employees. Leadership must also ensure that appropriate systems are in place to keep that data secure and up to date.
To secure leadership involvement, which is essential, I recommend the 5 Pillars of Security Framework. It is a proven method for translating cybersecurity challenges into business language that CxOs and board members can understand. The industry-agnostic framework helps business leaders map out cybersecurity risks, implement strategies, and demonstrate cyber accountability to governing bodies, key stakeholders, and regulators.
We are at a critical juncture for health data security. HIPAA must be reviewed and brought up to date for today’s technologies, and organizations must learn to manage new work environments. Many businesses are planning to collect data on their workers’ vaccinations, so we need to find ways to keep it safe.
Key decision makers need to be made aware of their cyber accountability mandates. It is important that C-Suite officers and board members prioritize security and maintain secure technical controls, training and policies for the protection of personal health data at every stage.