Dr Vijaya Sunder, Assistant Professor, Indian School of Business (ISB) and Dr Agniva Das, practicing clinical doctor and a management student in the Post Graduate Program (PGP), ISB talks about the digital technologies to safeguard digital data
Data is the new oil with the rise of digitalisation in healthcare, leading ways for business insights. With digital systems capable of capturing, classifying, analysing, and reporting health data, decision support systems in this sector have evolved. Health data refers to all data related to health conditions, outcomes, causes of death, and quality of life.[i] In 2012, the healthcare data was approximately 500 Petabytes, and the same was expected to grow 50 times, i.e., 25,000 petabytes by the end of 2020.[ii] Research shows evidence of a wide spectrum of advantages of digital data, ranging from administrative to critical, life-saving services. From the basic health infrastructure like electronic health records that help track the patient history to enabling robotic surgeries or diagnosis and staging of complex diseases like cancer, data-based decision support systems have come a long way.[iii]
However, on the flip side, more data means more privacy concerns for the stakeholders involved.[iv] Stakeholders common across different health systems worldwide include patients, doctors, hospitals/providers, insurance companies/payors, third-party administrators, and regulatory bodies/governments. For instance, in 2019, a class action lawsuit related to a 2015 data breach at UCLA Health that impacted 4.5 million patients was resolved, with the university paying a settlement of $7.5 million.[v] In the last three years, the frequency of breaches has nearly doubled – from 368 cases in 2018 to a staggering 715 cases in 2021, a 100 per cent increase.[vi] The average time to identify and contain such a data breach was higher in the healthcare sector than in most others. Specifically, it takes about 232 days to identify and 85 days to settle a health data breach.[vii]
Implications of data breaches
Beyond the data breach resolutions that could be quantified, several long-term negative implications include loss of brand image and reputation, patients’ perceptions, and associated business impact on providers discussed below.
Financial implications: Federal Statistics reveal that the number of people affected by healthcare data breaches since 2009 has exceeded the population of the United States, indicating that many have been affected more than once. IBM reported that healthcare had held the top position over the last 12 years compared to other service sectors and manufacturing on data breaches, with the highest cost implications. The average breach cost of health data in 2022 was $10.10 million (a 9.4 per cent rise from $9.23 million in 2021), about 2.5 times higher than the average global data breach cost ($4.32 million) across industries.[viii]
Enterprise implications: Losing customer trust can profoundly impact a firm’s reputation and brand image. This can result in a higher patient turnover rate, leading to an unstable customer base and complicating long-term growth planning. A tarnished reputation can also make it challenging to attract new patients to offset any losses. A report by PwC indicated that if reasons for mistrust in a business arose, 87 per cent of beneficiaries would turn to alternative providers or competitors.[ix] Alongside hospitals, medical device companies in sharing economies and insurance firms also suffer these implications.
Patient implications: These include hackers obtaining access to patients’ personal information, such as medical records, insurance details, and payment records. They can impede the delivery of essential medical treatment and, in some worst cases, even put patients’ lives in immediate danger. A ransomware attack in September 2020 encrypted files on Universal Health Services (UHS) to make patient data inaccessible and affected over 400 facilities, forcing the company to shut down its operations to prevent its spread. As a result, UHS had to resort to manual processes and paper records, causing significant disruptions to patient care, alongside a USD 67 million payoff.[x]
Thus, it becomes imperative for healthcare systems to take necessary precautions and controls to prevent data breaches and protect health data. Healthcare firms cannot afford to trade off the safety and security of patients for the benefits of digitalisation. In this vein, to what extent digital technologies can protect digital data becomes a relevant question for research and practice.
We used a multi-method qualitative data collection approach to address the above exploratory question. This inductive research included interviews with digital health administrators in corporate hospitals and academic leaders in the healthcare domain. For cross-validation and analysis, we relied on secondary data from the healthcare industry reports and websites of health service providers. A summary of our analysis and synthesis of qualitative data is presented below as key highlights for managerial implications.
Digital technologies to safeguard digital data
We propose the below five digital technologies and associated deployment approaches for safeguarding digital health data in hospitals.
Secure messaging platforms: Messaging platforms are any generally third-party-owned or native communication services that enable participants to transmit and receive messages digitally across various value chain entities. These may include short message service (SMS), rich communication services (RCS), email, chat applications, and voice assistants. Typically, secure messaging platforms use server-based approaches to protect sensitive data when sent beyond corporate borders, and it provides compliance with industry regulations. Specifically, in healthcare, secure messaging platforms adhere to HIPAA-compliant communication, regulating access to text conversations between patients and providers.
“Secure messaging is crucial in virtual healthcare, enabling healthcare professionals to communicate openly with patients while maintaining the privacy and providing accurate diagnoses,” said a Chief Digital Officer of a popular hospital
“TigerConnect is the fabric that ties all our communication together; it’s helping us collaborate efficiently and make informed decisions to provide the best care for our patients,” said Dr Jonathan Slotkin, Associate Chief Medical Informatics Officer at Geisinger Health.[xi]
Cloud-based storage solutions: Cloud storage solutions for healthcare involve using remote servers on the internet to store and retrieve data managed by third-party providers. They can be accessed from anywhere using a web browser or mobile app. “Compared to traditional on-site storage options, cloud storage offers benefits such as the ability to grow or shrink storage as needed, easy access to data, and improved security measures,” said the head of IT operations of a multispecialty hospital in an interview.
Blockchain technology: Blockchain in healthcare is used for everything from securing patient data and managing the pharmaceutical supply chain. In the health sector, blockchains may be particularly useful for identity verification and managing dynamic patient consent, data sharing, and access permissions. With blockchain, healthcare providers can ensure that all data is secure and only accessible to authorized personnel. It can also provide an audit trail of the data if any kind of unauthorised access has been attempted. Blockchain-enabled applications allow patients to access their medical records, data, and information. “[…], these applications enable healthcare providers to securely share patient information with other providers and third-party agents and organizations,” informed a healthcare administrator of a reputed corporate hospital well known for its digital health services. Furthermore, blockchains provide a secure and verifiable way for patients to pay for medical services and for healthcare providers to receive payment securely. In sum, blockchain ensures healthcare data remains secure and shareable with only the parties authorised for access when they need it.
Zero trust security model: The zero trust security model assumes that all devices, users, and networks are potential security threats and implements security measures such as multi-factor authentication and device management to mitigate these risks. Zero trust is not limited to just one technology or strategy; it is a comprehensive approach to cyber security that establishes fundamental guidelines for processes and activities. A practicing physician turned administrator responded in the interview: “the Zero Trust Security Model is gaining popularity in the healthcare industry due to its focus on security at the device and user level, which is essential in a highly regulated industry such as healthcare, where patient data privacy is a top priority.”
Dr Larry Ponemon, chairman and founder of the Ponemon Institute, explained, “When people say zero trust, they are basically saying they’re going to do security at a very high level, and they can say they are looking at everything: your hypothesis is, everything is broken.”[xii]
Another respondent added, “[…], there had been a re-orientation towards building better security protocols for hospitals, but currently, it’s more of a mix of strategies, and that overall, healthcare security has to become wider, deeper, and more significant. That means a zero-trust approach.” Resonating this concept with Douglas McGregor’s Theory X, all organisational systems lack security by default. Starting with this hypothesis, Zero Trust Security Model builds to enable security through controls over the healthcare systems.
Artificial Intelligence (AI) and Machine Learning (ML): AI and ML algorithms can detect and prevent real-time data breaches and cyber-attacks. These technologies can also analyse data patterns and identify potential security threats. AI algorithms can analyse large amounts of data and detect potential threats, such as malware or suspicious network activity, in real-time. ML algorithms can be trained to identify patterns in healthcare transactions indicative of fraud, such as insurance claims fraud or medical identity theft. “ML algorithms can analyse user behavior to identify unusual or suspicious activity, such as unusual login patterns or unauthorised access to patient data,” responded a healthcare consultant. AI and ML are helping to enhance the security of healthcare data through two approaches: first, rule-based reasoning via robotics and desktop automation, and second, case-based reasoning using neural networks and other AI technologies. While the former enables digitalisation of the transactional processes, the latter helps to digitalise the cognition processes of the health value chain to improve threat detection and response times and reduce the risk of data breaches.[xiii]
Yet, implementing AI and ML in healthcare presents advantages and risks. AI’s openness increases the potential for new threats. Still, its ability to quickly identify and address vulnerabilities makes it a valuable tool for securing digital healthcare data and helps promote agility in health systems. Hence, healthcare organisations must secure and properly train these systems to prevent them from being misused by malicious actors.
Conclusion
This article provided five digital approaches to secure digital health data, an essential managerial obligation in the current digital era. With the increasing use of cyber-physical systems and human-machine collaborations, big data must be governed with secured controls to avoid devastating financial, enterprise, and patient implications.
Yet, the obligation to secure healthcare data cannot be attributed solely to one specific stakeholder, but across different other entities across the health value chain. Policymakers should enable ensuring healthcare data security by setting regulations, standards, data protection and privacy guidelines and holding health provider organisations accountable for data breaches. Digital native firms in the healthcare sector have a role in promoting and maintaining healthcare data security by practicing secure behaviors, advocating for privacy rights, and supporting the implementation of security technologies. Health providers should ensure healthcare data security by implementing secure technologies, regularly updating their security measures, training staff on data privacy, and following industry regulations and guidelines. Lastly, patients should demand healthcare data security by being informed about their rights, being cognizant of whom they share their personal health information with, and supporting healthcare organizations prioritising data security. We hope that the five digital technology recommendations provided in this article will serve as a strategic resource to all these health value chain entities to play an integral role in strengthening and helping attain the highest level of digital health security.
References:
[i] McGraw-Hill Concise Dictionary of Modern Medicine. McGraw-Hill. 2002.
[ii] Rai, D., & Thakkar, H. K. (2022). Cognitive big data analysis for E-health and telemedicine using metaheuristic algorithms. Cognitive Big Data Intelligence with a Metaheuristic Approach, 239–258.https://doi.org/10.1016/B978-0-323-85117-6.00003-0
[iii] Sunder M, V. & Modukuri, S., (2022). A Value-Driven Digital Strategy Framework for Healthcare Firms, California Management Review Insight, https://cmr.berkeley.edu/2022/12/a-value-driven-digital-strategy-framework-for-healthcare-firms/
[iv] Schoemaker, P. J., & Day, G. (2021). Preparing organizations for greater turbulence. California Management Review, 63(4), 66-88.
[v] Data Breach Today. (2022). Healthcare Data Breaches Doubled in 3 Years: Here’s Why. (https://www.databreachtoday.com/healthcare-data-breaches-doubled-in-3-years-heres-why-a-20516)
[vi] Security Intelligence. (2023). Third-Party Risk Contributes to Healthcare Data Breaches (https://securityintelligence.com/news/third-party-risk-healthcare-data-breaches/)
[vii] “Cost of a Data Breach” – IBM Security (2022) https://www.ibm.com/reports/data-breach?_ga=2.12758007.1129744681.1674318573-2045549970.1674318573
[viii] “Cost of a Data Breach” – IBM Security (2022) https://www.ibm.com/reports/data-breach?_ga=2.12758007.1129744681.1674318573-2045549970.1674318573
[ix] PwC Australia (2017). Protect.me: How consumers see cyber security and privacy risks (https://www.pwc.com.au/digitalpulse/report-protect-me-consumers-cyber-security.html )
[x] Gatlan, S. (2021, March 1). Universal Health Services lost $67 million due to Ryuk ransomware attack. BleepingComputer. https://www.bleepingcomputer.com/news/security/universal-health-services-lost-67-million-due-to-ryuk-ransomware-attack/
[xi] https://tigerconnect.com/wp-content/uploads/2022/11/case-study-geisinger-tigerconnect.pdf
[xii] https://healthitsecurity.com/features/exploring-zero-trust-security-in-healthcare-how-it-protects-health-data
[xiii] Parent, M., & Reich, B. H. (2009). Governing information technology risk. California Management Review, 51(3), 134-152.
- Advertisement -