Industry Voice: Safeguarding sensitive healthcare data in a globalised world
Dominic Steptoe, Chief Product Officer at BOXX Insurance, tells ITIJ about balancing the need for digital innovation with cyber risk and security when it comes to customer information – especially for medical assistance
Technology continues to revolutionise healthcare beyond cutting-edge research and high-tech lifesaving equipment. Healthcare sectors around the world are shifting to digitised medical records, integrated health information systems, and shared networks. For patients, this means improved accessibility, efficiency, and quality of care. It also means that highly sensitive data is being exchanged between healthcare providers across countries, over borders and between jurisdictions.
Transferring medical information introduces a host of risks and complexities that can compromise patient privacy, security, and even healthcare outcomes. Differences in data protection laws between countries could result in inadequate safeguards for transferred data. And where there’s vulnerable data, there are cybercriminals.
In 2022, global cyberattacks against the healthcare industry increased by 74%, and personal health information (PHI) outsells credit card details on the dark web. And yet, on average, healthcare providers allocate no more than 7% of their annual IT budgets to cybersecurity. It’s a significant gap that hackers are ready to exploit.
Cybersecurity in healthcare affects us all. We need to understand what risks come with digitising and sharing sensitive medical information. What data privacy laws are in place? How is the healthcare sector protecting our data? Do the benefits of integrated healthcare systems outweigh the risks to our privacy? These are very good questions. Let’s find out.
Digitisation brings many benefits to healthcare. Electronic health records enable providers to swiftly access patient information, enhancing the efficiency of care delivery.
Additionally, telemedicine platforms facilitate remote medical visits, improving access to healthcare services. However, the risks can’t be ignored. Medical data leaks, like unauthorised access to breast cancer records by hackers, show the dangers of storing and transmitting sensitive information online. As healthcare gets more connected, protecting patient privacy becomes crucial.
Cross-border risks in medical data transfers
Varying regulations and standards governing data protection and privacy in different regions could lead to potential legal and compliance challenges. For example, what happens if a patient undergoes medical treatment in one country but then seeks care or consultation in another? The transfer of their medical records from one healthcare provider to another may involve transmitting sensitive personal health information across borders. The risk of unauthorised access, data breaches, or misuse of patient information escalates. Cybercriminals may exploit vulnerabilities in the transfer process to intercept, steal, or manipulate medical data for malicious purposes, such as identity theft, financial fraud, or even extortion. A lack of harmonised standards for data encryption, storage, and access control across jurisdictions can make it very challenging to ensure the security and confidentiality of transferred medical records.
Cultural differences, language barriers, and disparities in healthcare practices between countries can pose additional challenges. Misinterpretation or miscommunication of medical information during the transfer process may lead to errors in diagnosis, treatment, or medication management, potentially compromising patient safety and wellbeing.
In healthcare, managed file transfer (MFT) systems help hospitals share patient data between different places. This can mean thousands of daily transfers to banks, insurance companies, government agencies, and other hospitals or medical offices. It can also mean serious risks to cybersecurity.
In February 2023, a mass cyberattack on Fortra’s popular file transfer software, GoAnywhere MFT, led to the theft of personal and health data from millions of Americans, including 960,000 paediatric mental health patients.
In navigating the complex landscape of data privacy, it is essential for healthcare organisations to understand the regulatory requirements governing the protection of patient information
In February 2024, a cyberattack paralysed Change Healthcare – the largest billing and payment system in the US. As a result, thousands of providers were unable to secure insurance approval for services, from drug prescriptions to lifesaving surgeries, or receive payment for their services. Prescription drug supplies dried up and care homes closed. It’s reported that hackers exploited flaws in a remote access application called ConnectWise ScreenConnect to bring the healthcare giant to its knees. The total cost to the healthcare system and patients still remains to be seen.
Understanding data privacy laws and compliance
In navigating the complex landscape of data privacy, it is essential for healthcare organisations to understand the regulatory requirements governing the protection of patient information. One such piece of legislation is the General Data Protection Regulation (GDPR) which sets stringent standards for data privacy and security in the European Union (EU), particularly concerning medical data.
One of the key principles of the GDPR is the requirement for explicit consent from individuals for the processing of their personal data. This principle applies to medical information as well, ensuring that patients have control over how their sensitive health data is collected, used, and shared. Additionally, the GDPR mandates that organisations implement robust security measures to protect personal data from unauthorised access, disclosure, or alteration. And there are provisions for the cross-border transfer of personal data, allowing transfers to countries outside the EU only if adequate data protection safeguards are in place. This is particularly relevant to healthcare providers exchanging medical information internationally.
Other countries and jurisdictions can look to the GDPR and other data privacy laws as a guiding framework for developing their own data protection laws and regulations, especially concerning medical information.
To reduce the risks of data breaches, healthcare organisations should be proactive in safeguarding patient information. The Information and Data Protection Commissioner (IDPC) suggests using consent forms, privacy policies, and encryption methods to keep medical records safe from unauthorised access. Additionally, maintaining backup copies of medical data ensures that patient care can continue even if there are system failures or data losses.
It’s also important to provide regular training and awareness programmes for staff to foster a culture of data privacy and security within the organisation.
Mitigation strategies for data security
In addition to preventative measures, healthcare organisations should adopt mitigation strategies to enhance data security. These include:
- Sharing data on a need-to-know basis
- Implementing multi-factor authentication (MFA)
- Conducting regular assessments of cybersecurity measures.
Partner review processes are also essential for evaluating the cybersecurity posture of third-party vendors and service providers.
By ensuring that all partners adhere to the same standards of data privacy and security, healthcare organisations can minimise the risk of data breaches and protect patient confidentiality.
For healthcare organisations, a thorough comprehension of data privacy requirements within their operational jurisdictions is paramount. Global variations in privacy laws necessitate a strategic approach, typically involving adherence to the most stringent standards, such as the GDPR. Notably, the GDPR stands out for its exhaustive provisions concerning the protection of medical data.
With the escalating cyber threats targeting this industry, it is imperative for healthcare providers to devise a robust security strategy
Moreover, cybersecurity holds immense significance in the healthcare sector. With the escalating cyber threats targeting this industry, it is imperative for healthcare providers to devise a robust security strategy aimed at bolstering prevention measures. In this regard, cyber insurance emerges as a crucial asset, offering financial recourse in the event of cyber incidents. Such insurance coverage extends to expenses associated with data breaches, regulatory fines, and legal fees. To maximise the efficacy of cyber insurance, healthcare providers should seek out policies that come equipped with cybersecurity services and expertise that focus on a prevention-led approach.
While digital innovation promises improved accessibility and efficiency, it also presents risks to patient confidentiality and data security. However, through proactive investments in cybersecurity infrastructure, adherence to data privacy regulations and by leveraging cybersecurity insurance, healthcare providers can manage risks to safeguard patient information effectively.
November 2024
Issue
This month we look at affinity partnerships and ask if online travel agencies are the perfect partners for insurers; we cover the trends around cruising in the Mediterranean; we delve into the specifics of the Austrian healthcare system; plus we examine international healthcare and technology, asking how far can technology go.
Dominic Steptoe
Dominic is responsible for setting BOXX’s global product strategy and leading marketing and communications across the company. Before joining BOXX, Dominic held senior product and marketing leadership roles at American Express, where he led both regional and global teams for 25-plus years, based in London, New York, Hong Kong, Singapore and Switzerland.
February 2025
Issue
Offering readers a deep dive into the issues facing providers and payers of healthcare services around the world. Cost containment, international patient department development, the role of AI in healthcare delivery and more.