Protecting Patient Data From Key Security Risks

As patient data proliferates, it opens up new opportunities for treatment, research and development of specialty therapies for rare diseases. Yet more data also means more risk, and so a greater need to protect patient data.

In a presentation at the Asembia 2022 Summit, URAC president and CEO Dr. Shawn Griffin identified five major security risk factors for patient data: physical, backup systems, technical precautions, malware and ransomware, and system types.

By addressing these risks, participants in the specialty pharmaceutical industry can improve the quality of their efforts while also protecting proprietary information and patient privacy.

Technical Precautions

Technical precautions cover many of the scenarios people imagine when they think of cybersecurity. They include unauthorized access to data and continuity disruptions.

Technical issues rank highly among business leaders’ concerns. A 2022 PwC survey found, for example, that 40 percent of business leaders called cybersecurity breaches their biggest business risk concern. Another 40 percent considered cybersecurity breaches a “serious risk.”

Technical precautions that can improve data security include:

  • Encryption. Encrypted data is useless to anyone who does not hold the key needed to decrypt it, adding a layer of protection.
  • Role-based access controls. RBAC tools limit access by role, which limits the damage a person with stolen credentials can do once they access the system.
  • Regular risk assessments. Identifying risks is an essential first step to addressing them. Regular risk assessments help your teams stay vigilant.
  • Business continuity plans. Businesses without continuity plans are at much higher risk of bankruptcy or closing if a disaster or loss occurs. A continuity plan mitigates this risk.
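To make the RBAC point concrete, the following Python is an added illustration (not code from the article or from URAC) of a deny-by-default, role-based permission check over patient records. The roles, actions and sample records are constructed for the example; the audit line written for every attempt is what lets a defender notice a stolen credential being used outside its normal role.

```python
"""Minimal role-based access control (RBAC) check for patient records.

Added illustration, not from the original article. The roles, actions and
sample records below are constructed for this example.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    READ_DEMOGRAPHICS = "read_demographics"
    READ_CLINICAL = "read_clinical"
    WRITE_CLINICAL = "write_clinical"
    EXPORT_BULK = "export_bulk"


# Each role is granted only the actions it needs (least privilege).
ROLE_PERMISSIONS: dict[str, frozenset[Action]] = {
    "front_desk": frozenset({Action.READ_DEMOGRAPHICS}),
    "pharmacist": frozenset({Action.READ_DEMOGRAPHICS, Action.READ_CLINICAL}),
    "prescriber": frozenset({Action.READ_DEMOGRAPHICS, Action.READ_CLINICAL, Action.WRITE_CLINICAL}),
    "researcher": frozenset({Action.EXPORT_BULK}),  # de-identified export only
}


@dataclass(frozen=True)
class User:
    username: str
    role: str


def is_permitted(user: User, action: Action) -> bool:
    """Deny by default: an unknown role or an ungranted action is refused."""
    return action in ROLE_PERMISSIONS.get(user.role, frozenset())


def attempt(user: User, action: Action, record_id: str, audit: list[str]) -> bool:
    """Enforce the check and append an audit line for every attempt, allowed or denied.

    A denied attempt from a valid account is exactly the signal that a
    credential may have been stolen and is being used beyond its role.
    """
    allowed = is_permitted(user, action)
    outcome = "ALLOW" if allowed else "DENY"
    audit.append(
        f"{outcome} user={user.username} role={user.role} "
        f"action={action.value} record={record_id}"
    )
    return allowed


def blast_radius(role: str) -> set[Action]:
    """The most an attacker holding this role's credentials could do."""
    return set(ROLE_PERMISSIONS.get(role, frozenset()))


if __name__ == "__main__":
    log: list[str] = []
    desk = User("jdoe", "front_desk")
    attempt(desk, Action.READ_DEMOGRAPHICS, "PT-0001", log)  # allowed
    attempt(desk, Action.READ_CLINICAL, "PT-0001", log)      # denied
    attempt(desk, Action.EXPORT_BULK, "PT-*", log)           # denied
    print("\n".join(log))
    print("front_desk blast radius:", sorted(a.value for a in blast_radius("front_desk")))
```

Because the check is deny-by-default, a typo in a role name or a newly added action fails closed rather than open, and `blast_radius` gives a quick answer to the question the article raises: what can a stolen credential reach?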

Training is also an important part of enforcing technical precautions. Employees who aren’t trained in the importance of protecting their login credentials or access cards, for instance, are more likely to courteously use these items to help others — and may inadvertently help an unauthorized person gain access in the process, writes Micke Ahola at Usecure.

Physical Risks

Many data security efforts focus on cyber risks. Yet physical risks also pose a threat, notes Mark Herrington in the Harvard Business Review.

Physical risks include people gaining physical access to a computer system in order to get to the data the system contains. These risks also include damage to the system through fire, flood or other events, which can result in a loss of data.

To address physical risks, minimize and control access to the system. Role-based access controls (RBAC) tailor access for users based on pre-assigned roles. An unauthorized party who gains access to the user’s credentials can only access or compromise items that user’s role is allowed to view — automatically limiting the damage an unauthorized user can do.

Another way to minimize physical risk is to use offsite data storage. Offsite backups help ensure that data is preserved even if physical damage to a server or storage drive occurs.

Finally, coordinate the efforts of physical security teams and cybersecurity teams. When these teams work together, they can find ways to use their respective areas of expertise to boost the other team’s efforts, writes Douglas Miorandi at Security Infowatch.

Backup Systems

To address physical risks of loss, many companies rely on backup systems. But what happens if the backup fails?

Approximately 140,000 hard drive failures occur in the United States each week, writes Barry Elad at Enterprise Apps Today. Only one in every four companies has a disaster recovery plan that includes backup systems, and a shocking 96 percent of U.S. businesses don’t back up individual workstations.

Even when backups are performed, they may not capture everything. Up to 60 percent of backups aren’t complete copies of needed business information, writes Elad.

It’s not enough for businesses to make backups. For security, it’s important to test backup systems regularly. Testing ensures these systems are doing their job — creating complete, accurate copies of essential data that are not corrupted or compromised.
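One way to carry out the test the paragraph calls for is to record a manifest of file hashes when the backup is taken and compare the restored copy against it. The Python below is an added example, not code from the article; it works on a temporary directory of constructed sample files and shows that the check catches both an incomplete backup (a skipped file) and a corrupted one (a truncated copy).

```python
"""Verify that a backup is a complete, uncorrupted copy of its source.

Added illustration, not from the original article. Uses a temporary
directory with constructed sample files; the hashing and comparison logic
is generic and would work on any directory tree.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large records do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(source_manifest: dict[str, str], backup_root: Path) -> dict[str, list[str]]:
    """Compare a backup against the manifest recorded at backup time.

    Returns files that are missing (incomplete backup), that differ
    (corrupted or truncated), and that are unexpected extras.
    """
    backup_manifest = build_manifest(backup_root)
    missing = sorted(set(source_manifest) - set(backup_manifest))
    corrupted = sorted(
        name for name, digest in source_manifest.items()
        if name in backup_manifest and backup_manifest[name] != digest
    )
    extra = sorted(set(backup_manifest) - set(source_manifest))
    return {"missing": missing, "corrupted": corrupted, "extra": extra}


def demo() -> dict[str, list[str]]:
    """Back up constructed files, then damage the copy to show what the check catches."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        (src / "patients").mkdir(parents=True)
        # Constructed sample data; no real patient information.
        (src / "patients" / "PT-0001.json").write_text('{"id": "PT-0001", "dx": "sample"}')
        (src / "patients" / "PT-0002.json").write_text('{"id": "PT-0002", "dx": "sample"}')
        (src / "formulary.csv").write_text("drug,strength\nexampledrug,10mg\n")

        manifest = build_manifest(src)  # store this alongside the backup
        dst = Path(tmp) / "backup"
        shutil.copytree(src, dst)

        # A freshly taken backup verifies clean.
        assert verify_backup(manifest, dst) == {"missing": [], "corrupted": [], "extra": []}

        # Simulate a truncated copy and a file the backup job skipped.
        (dst / "formulary.csv").write_text("drug,strength\n")
        (dst / "patients" / "PT-0002.json").unlink()
        return verify_backup(manifest, dst)


if __name__ == "__main__":
    print(demo())
```

Storing the manifest separately from the backup medium matters: if an attacker or a disk fault alters both the data and the manifest together, the comparison proves nothing. Running this kind of check on a schedule, and on a real restore rather than only on the backup volume, is what turns "we have backups" into "we have backups that work".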

To reduce the risk of unauthorized access, ensure that the backup is only connected to the device it is backing up. Use a physical connection for backup devices on site and appropriate security software for cloud or air-gapped backups.

Malware and Ransomware

Malware and ransomware attacks have made headlines in recent years. In 2020, the number of ransomware attacks increased 150 percent, writes Brenda R. Sharton in Harvard Business Review. Costs rose even more quickly: Businesses subjected to ransomware attacks paid 300 percent more in 2020 than in the previous year, writes Sharton.

Ransomware prevents a system’s authorized users from accessing some part of the system or its data. Those who execute the ransomware attack have the ability to allow access again, which they offer in exchange for a ransom payment.

In July 2022, the U.S. government issued a warning aimed specifically at health and pharmaceutical companies. Government officials warned that a wave of ransomware attacks might hit these industries in the coming years, writes Nicole DeFeudis, editor at Endpoints News.

Best practices to address malware and ransomware threats, according to CISA, the U.S. Cybersecurity and Infrastructure Security Agency, include:

  • Identify assets that are searchable with online tools. Once these are identified, take steps to reduce their online searchability or to protect them with encrypted platforms and other tools.
  • Train staff members to protect against ransomware. Teaching staff members best practices in spotting and addressing malware and ransomware vulnerabilities can help prevent or mitigate an attack.
  • Keep software current with patches and updates. Regular updates and patches address vulnerabilities that could otherwise be exploited by malware and ransomware operators.
  • Consider all points of cyber access. Email attachments, websites and smart devices like internet-connected security cameras or lightbulbs can all become access points for malware or ransomware. Consider every potential point of entry to your network when creating a security plan.

Here, too, physical and cybersecurity teams can coordinate to boost each other’s efforts. For instance, physical teams can often quickly identify which internet-enabled items are present on the premises, allowing cybersecurity teams to identify and protect these items, or allowing the teams to decide to replace them with offline devices.

Types of Systems

Different types of systems demand different approaches to security. Out-of-the-box software often has security features built in, but these may not be compatible with other software, writes Carmi Levy at Step Software. A custom build can be tailored from the ground up, but the associated costs and time are prohibitive for many organizations.

Often, a hybrid approach offers the most flexibility and security for companies. Highly configurable out-of-the-box solutions offer a quick start that can be tailored to the needs of users. An integrated approach to security management can combine open source options with security monitoring to ensure the right systems are in use in the right contexts, writes Sandra Bateman at Wisestamp.

Data is key to pharmaceutical research and patient treatment. Managing data effectively demands attention to a wide range of potential risk scenarios. Those who take the time to understand and address these risks protect their own efforts, improve research quality and build trust by keeping patient, provider and payer data safe.