Protecting Our Health Data

08 September 2015

Amethyst's Mark Chown looks at how we can all take better care of our health information

 

The protection of our health information is important to us and we expect it to be protected by the organisations that collect and use it.  The recent Anthem Health Insurance[1] breach in the US that resulted in the theft and compromise of an estimated 80 million individual’s sensitive personal data demonstrates the scale of the problem.  This is not just an issue confined to the private sector, the latest US Government breach involved  over 20 million personal records which included  health data.

Our health information is collected and processed by multiple and diverse entities like Health practitioners, researchers, government departments, gyms, insurers and pharmacies.  More recently we have seen the emergence and growth of health and fitness apps offering a variety of ways of storing and sharing your health profile.  Health professionals are generally very aware of their duty of care responsibilities and their requirement to protect health data. However, as the data becomes increasingly digitized, the risk of a compromise increases as it moves into potentially less assured environments and access to it becomes easier.

The protection of health information is a security challenge for information security practitioners for a variety of reasons:

  • Health data needs to be protected from those who are unauthorised to access it (Confidentiality) but it also needs to be readily available to those making important clinical decisions particularly in emergencies (Availability)

  • Public health treatment facilities storing sensitive data and systems, e.g. hospitals and clinics, are difficult to physically secure as the public need access to them

  • We need a high level of confidence that our health data is accurate (Integrity) as failure to maintain records can result in poor clinical treatment or being financially disadvantaged during insurance processes

  • The sensitivity of health information is variable, for example mental health conditions are generally considered more sensitive than a simple broken bone

  • Personal health data for some individuals might be at more risk than others, e.g. VIPs, celebrities and those working in sensitive positions with access to classified data

  • Structured and unstructured health data is recorded in various formats; on paper, on clinical devices, in e-records, in mobile apps

  • Some individuals are more open about their health than others so we need to find a way to cater for the differing expectations of individuals

  • Health data is a valuable resource and essential for conducting research but it does pose security challenges and it is sometimes difficult to balance conflicting priorities.

The image of a traditional paper library of bulky and weathered medical files in a GP practice has become a distant memory. The digitisation of health data and use of big data techniques to analyse it is to set to continue at pace.   We therefore need to ensure that it continues to be used appropriately and that it remains safe; but how should we do this?

As Individuals

  • Take ownership of your health data and actively engage in its management

  • Understand who holds your data, why and who has access to it

  • Take the opportunity to review your health records for accuracy

  • If asked to provide health information ensure the request is valid

  • Only use secure trusted devices to access your health records and ensure you use strong passwords

  • When installing and using health and fitness apps ensure you understand how your data will be shared

  • Follow advice; the NHS provide guidance to individuals on managing secure access to their health data: http://www.nhs.uk/NHSEngland/thenhs/records/healthrecords/Documents/PatientGuidanceBooklet.pdf

As Organisations

  • Ensure all health data is identified and the data flows are understood

  • Undertake regular risk assessments to ensure that data is being appropriately protected

  • Consider implementing an Information Security Management Systems (ISMS) such as ISO/IEC 27001 that will assure compliance with good practice

  • Ensure you understand and comply with the legal requirements of the Data Protection Act

  • Implement and maintain strong access controls that provide the required granularity

  • Ensure that essential audit trails are maintained and secured

  • In clinical environments provide security solutions that are sensitive to the needs of the health professional and environment they work in e.g. biometric authentication processes, single-sign on etc

  • Make sure employees understand their duty of care obligations when handling sensitive data

  • Be very careful when seeking to use techniques intended to anonymise/pseudonymise/obfuscate data.It is very easy to adopt a flawed approach that allows reverse engineering of de-sensitised data

  • Follow advice; The Information Commissioner provides guidance to organisations processing health data: https://ico.org.uk/for-organisations/health/Additional information is available from the NHS: https://ico.org.uk/for-the-public/health/

If you would like to discuss how Amethyst might help you develop your people security programme, please email us at sales@amethystrisk.com

 


[1] Anthem Facts https://www.anthemfacts.com/

Contact us for more information


<< Back to Latest News items