Healthcare Data Security and Protection
March 17, 2020
Example: the insurer Dominion National reported a nine-year intrusion into its servers that potentially exposed the data of 2.96 million patients. An internal alert revealed unauthorized access to its systems, which prompted an investigation. Officials said the unauthorized access began as early as August 25, 2010, nearly nine years before the breach was discovered in April 2019. The servers contained enrollment and demographic information of current and former members of Dominion National's vision plan, along with data on individuals' dental and vision benefits. Data of plan producers and health providers were also compromised.

In another instance, in May 2019, an 8-K filing with the Securities and Exchange Commission revealed that the billing services vendor American Medical Collection Agency (AMCA) had been hacked for eight months, between August 1, 2018 and March 30, 2019. The breach is estimated to have affected around 25 million patients.

In both cases the attackers had access for months or years before anyone noticed; the length of that undetected dwell time, rather than the initial intrusion, is what the monitoring and detection controls described below have to address.
Compliance frameworks and cybersecurity offerings
The UAE's New Health Data Protection Law (Federal Law No. 2 of 2019 on the use of information and communication technology in health fields) derives principles from the European Union's General Data Protection Regulation, including purpose limitation, accuracy, and integrity and confidentiality. Health-related information and data that originates in the UAE may not be stored, processed, generated or transferred outside the UAE unless an exception has been authorised under the law. This directly affects foreign companies that provide cloud-based services, as well as the local companies that use those services.
With regard to enforcement, healthcare providers that violate certain provisions of the New Health Data Protection Law may face fines ranging from AED 1,000 to AED 1 million, effective from May 2019. Although the legislation has a clear enforcement intent, it is not yet clear whether the Ministry of Health and the relevant authorities will take immediate action.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a US law passed to safeguard sensitive patient data. It applies to the entities that handle protected health information (PHI): covered entities (CEs), meaning health plans, healthcare clearinghouses and providers that carry out treatment, payment and healthcare operations electronically, and business associates (BAs), meaning anyone who handles PHI on behalf of a covered entity in support of treatment, payment or operations. Subcontractors of business associates must also comply.
The penalties for violating HIPAA rules are severe. Civil penalties range from $100 to $50,000 per violation (a violation can be counted per record), up to a maximum of $1.5 million per year for violations of the same provision, and wilful misuse of PHI can carry criminal charges that result in jail time. Penalties apply to any violation, not only to public breaches. Separately, a breach of unsecured PHI or ePHI (electronic protected health information) affecting 500 or more individuals must be reported to the Department of Health and Human Services within 60 days of discovery and, where more than 500 residents of a state are affected, to prominent media outlets. PHI that is encrypted in line with HHS guidance is not "unsecured", so a lost or stolen copy of properly encrypted data does not trigger these notifications; encryption at rest is the control that keeps a device loss from becoming a reportable breach.
The Health Information Technology for Economic and Clinical Health (HITECH) Act promotes standardized electronic health records (EHR). Enacted in 2009, it addresses the privacy and security of patient data and EHR files and how they are shared. HITECH strengthens enforcement of HIPAA's rules on protected health information: it made business associates directly liable under HIPAA, introduced the breach notification requirements, requires the Department of Health and Human Services Office for Civil Rights to conduct periodic audits, and stiffened the penalties for breaches, so a provider or facility found noncompliant can face fines of up to $1.5 million per year.
The General Data Protection Regulation (GDPR) is an EU privacy regulation that protects the personal data and privacy of individuals in the EU. It grants people more rights over how companies handle their personal data, and it imposes fines of up to 4 percent of a company's worldwide annual turnover or €20 million, whichever is higher, for non-compliance and data breaches. Personal data includes name, address and IP address; genetic data, health data, religious or political views and sexual orientation are "special categories" that receive additional protection.
Below are the rights that GDPR grants to data subjects:
- Right to be informed
- Right of access
- Right to rectification: to have inaccurate data corrected
- Right to erasure (the "right to be forgotten"): to request that data be deleted
- Right to restrict processing, and right to object to processing
- Right to data portability: to receive their data in a structured, commonly used, machine-readable format that can be transferred elsewhere
- Rights in relation to automated decision-making and profiling
The National Electronic Security Authority (NESA) is a UAE federal authority that operates under the Supreme Council for National Security.
NESA's Information Assurance Standards are meant to limit government agencies' exposure to data loss and data breaches. The standard comprises 188 controls across priority levels; it is mandatory for UAE government entities and other NESA-mandated entities, and it sets the minimum requirement for the integrity of critical sectors and national platforms.
NESA combines management control domains with technical control domains: the technical domains cover the conventional cybersecurity areas, and the management domains add the governance requirements around them.
ISO/IEC 27001 is an information security standard, part of the ISO/IEC 27000 family of standards. It specifies the requirements for an information security management system (ISMS) intended to bring information security under management control. Organizations that meet the requirements may be certified by an accredited certification body after a successful audit.
Technology audits are core technical configuration reviews, which include vulnerability assessments (VA), penetration testing (PT), infrastructure configuration reviews and IoT reviews. These audits identify exploitable flaws in systems and rate the severity of each finding.
An effective business continuity management system (BCMS) is required to ensure that patient data and history remain protected and are available whenever they are needed.
- Identification of PII and PHI, and of the systems that process or store them
- Risk assessment
- Privacy impact assessment
- Gap analysis of how PII or PHI is collected, processed and stored
- VAPT, configuration reviews, IoT reviews and similar technical audits
- Recommendations for closing the gaps
- Guidance on implementing the recommendations
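The first step in that list, finding where PII and PHI actually live, is the one most often done by hand. The script below is an added example (not code from the original page or from any vendor) of how a practitioner would start automating it: it runs simple identifier detectors over a constructed inventory of three hypothetical systems, reports which identifier classes each system holds, and counts the PHI records an intrusion into a given set of systems would expose against the 500-individual HIPAA notification threshold discussed earlier. The system names, records and detector patterns are all assumptions made up for the example; a real scan would pull records from the actual databases, file shares and exports, and would cover all 18 HIPAA identifier types.

```python
import re

# Constructed sample inventory: system name -> list of records (dicts).
# Fabricated data for this example only, not taken from any real system.
SAMPLE_SYSTEMS = {
    "vision-enrollment-db": [
        {"member_id": "VM-1001", "name": "A. Example", "dob": "1984-03-12",
         "ssn": "123-45-6789", "email": "a.example@example.com", "diagnosis": "H52.4"},
        {"member_id": "VM-1002", "name": "B. Example", "dob": "1990-11-02",
         "ssn": "987-65-4321", "email": "b.example@example.com", "diagnosis": "H25.1"},
    ],
    "marketing-analytics": [
        {"visitor": "v-55", "ip": "203.0.113.7", "page": "/plans"},
    ],
    "billing-export": [
        {"account": "AC-77", "phone": "(555) 010-0199", "balance": "120.00"},
    ],
}

# Detectors keyed by identifier class. HIPAA lists 18 identifier types; these
# patterns cover a few common ones and are deliberately simple (whole-field match).
DETECTORS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "phone": re.compile(r"^\(?\d{3}\)?[\s-]?\d{3}-\d{4}$"),
    "date_of_birth": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
    "ipv4": re.compile(r"^(\d{1,3}\.){3}\d{1,3}$"),
    "icd10_code": re.compile(r"^[A-TV-Z]\d{2}(\.\d{1,4})?$"),
}

# Classes that indicate health information rather than identity. A record is
# counted as PHI here only when it pairs an identifier with health information;
# this is a scoping heuristic for the scan, since under HIPAA even plain
# enrollment data held by a covered entity is PHI.
HEALTH_CLASSES = {"icd10_code"}

# Breach affecting 500 or more individuals: HHS notice within 60 days of discovery.
HIPAA_NOTIFICATION_THRESHOLD = 500


def classify_value(value):
    """Return the set of identifier classes a single field value matches."""
    hits = set()
    if not isinstance(value, str):
        return hits
    for cls, pattern in DETECTORS.items():
        if pattern.match(value):
            hits.add(cls)
    return hits


def scan_record(record):
    """Return the union of identifier classes found across one record's fields."""
    found = set()
    for value in record.values():
        found |= classify_value(value)
    return found


def scan_inventory(systems):
    """Summarise each system: identifier classes seen, PII and PHI record counts."""
    summary = {}
    for name, records in systems.items():
        classes = set()
        pii_records = 0
        phi_records = 0
        for rec in records:
            found = scan_record(rec)
            classes |= found
            identifiers = found - HEALTH_CLASSES
            if identifiers:
                pii_records += 1
                if found & HEALTH_CLASSES:
                    phi_records += 1
        summary[name] = {
            "identifier_classes": sorted(classes),
            "pii_records": pii_records,
            "phi_records": phi_records,
            "holds_phi": phi_records > 0,
        }
    return summary


def breach_notification_scope(summary, compromised_systems):
    """Count PHI records on the systems an attacker reached and report whether
    the 500-individual HIPAA notification threshold is met."""
    affected = sum(summary[s]["phi_records"]
                   for s in compromised_systems if s in summary)
    return affected, affected >= HIPAA_NOTIFICATION_THRESHOLD


if __name__ == "__main__":
    result = scan_inventory(SAMPLE_SYSTEMS)
    for system, info in result.items():
        print(f"{system}: {info}")
    print(breach_notification_scope(result, ["vision-enrollment-db", "billing-export"]))
```

The useful output of such a scan is the list of systems flagged `holds_phi`: those are the ones that need encryption at rest, access logging and inclusion in the risk and privacy impact assessments, while a system like the marketing store above holds PII (an IP address) that falls under GDPR but not PHI under HIPAA.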
Request a call back from our technology advisory team to help you set