IT managers in healthcare settings are increasingly balancing the need to keep highly sensitive data secure and ensure compliance with regulations while enabling innovation to improve patient experiences. Speaking to Intelligent CIO Middle East, Glyn Yates, Regional Lead, IMEA, Matrix42, highlights how IT managers in healthcare environments can take a proactive and holistic approach to protecting data.
What challenges are IT managers in healthcare environments experiencing given increasing digitisation?
IT security managers in hospitals and physicians in private practices, who usually have to take care of their own data protection, are now faced with the challenge of creating a legally compliant level of data protection for their patients without incurring major costs and deploying large numbers of staff.
In many hospitals, data is collected, processed and stored in the so-called hospital information system (HIS). Still, there are some challenges in dealing with various data repositories and transmissions.
Unchecked data enters the IT infrastructure through patients and physicians; this data must be recorded and always be accessible for further patient treatment. Risks arise here not only for data protection but also from malware infestation, because external data carriers are often contaminated with viruses and the like.
The loss of a data carrier with sensitive information can have immense consequences but the storage of data on local systems must also be secure.
In addition, there are further challenges in the course of medical devices, which may only be maintained to a limited extent, as well as the problem that many users have administrator rights on their ward computers.
How are healthcare IT managers managing compliance requirements – and can they do this more effectively?
Many IT managers in hospitals assume that most data requiring protection is in the hospital information system (HIS) and is therefore secure. Unfortunately, this is a misconception. Much data is, or must be, exported from the hospital information system, for example, in the course of emergency records which are used to ensure that patient data is accessible even if important services and systems such as the hospital information system are no longer available.
Similarly, many hospitals protect their IT systems only with firewalls and virus scanners. However, since the healthcare sector is currently under heavy attack from hackers, classic protective measures are no longer sufficient.
Visibility is crucial in healthcare settings – but how can IT teams obtain insight into the movement of patient data?
Internal and external threats can only be detected if sufficient monitoring measures are in place to provide more transparency and automation in the course of data security. External threats are best detected by monitoring data movements between devices. This should be observed particularly for traffic in the direction of medical devices and IoT devices, as well as the communications between classic end devices and servers.
If a so-called baseline service map is created beforehand based on network communications, lateral movements can be identified, which can show an anomaly or evidence of a hacking attack. Internal threats are prevented by controlling, logging, filtering and encrypting data storage and access.
Why is access management crucial in healthcare settings and how should IT managers approach this?
Since many IT users in the healthcare sector have administrative rights on the respective end devices, access to applications and interfaces should be particularly protected. Application and interface control is recommended here, which automatically detects and eliminates anomalies on the basis of access logging. Access to data such as the emergency file should also be more strongly protected.
How can organisations increase patient data protection despite reduced use of IT resources?
Data security can in many cases be designed built-in and on-the-fly. For example, a new system can be automatically equipped with hard disk encryption and multi-factor authentication during initial installation. Application control does not have to be regarded as a stand-alone solution, but manages itself automatically if, for example, software retention is combined with application control using the Trusted Installer function.
This means that users are only allowed to run applications that have been approved and rolled out by the IT department via software distribution. Encryption of data movement and storage is best done with file-based on-the-fly encryption on local folders, network paths, cloud and USB storage.
For example, the transfer of data for the cancer registry can also be automated, digitised and secured, with the export process of the data encrypted in the background right away.
Can you tell us about Matrix42 HEALTHCARE DATA and how it assists healthcare organisations?
Matrix42 HEALTHCARE DATA offers a holistic and integral solution for the protection of IT systems and patient data.
Based on years of cooperation with numerous health care organisations, a perfect package was created that protects patient data and the like according to the so-called C.A.F.E. (Control, Audit, Filter, Encryption) principle. These protective measures can be implemented without major administrative effort and user training – everything runs as usual, only secure.
What best practice advice would you offer IT managers on taking a proactive approach to protecting their sensitive data?
In the first step, it is important to create a situation picture of the current IT security situation.
Based on this, the following questions can be answered:
- Which interfaces (USB, cloud, network) are required by users?
- What data volumes and types are transported?
- When do most accesses take place?
Based on the data obtained, it is then possible to show which interfaces and applications must continue to be permitted for which purposes, whether they need to be encrypted and what typical user behaviour looks like.
If user behaviour deviates from the norm, data losses can be made transparent and traced more quickly. It is precisely these simple measures that are enormously important in the course of data protection regulations such as the EU GDPR, CCPA, but also ISO 2700x.
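As an added illustration (not code from Matrix42 or from this interview) of the baseline service map mentioned earlier and the "situation picture, then deviation from the norm" approach described in this answer, the script below learns which src->dst:port communications occur during a learning window of constructed flow records and then flags later flows that fall outside that baseline. The hostnames, the naming prefixes used to classify medical devices and ward endpoints, and the office-hours window are all assumptions.

```python
from collections import namedtuple
from datetime import datetime

Flow = namedtuple("Flow", "ts src dst port")

# Constructed sample flows for the learning window (hostnames are invented).
BASELINE_FLOWS = [
    Flow("2024-03-01T09:12:00", "ward-pc-01", "his-app-01", 443),
    Flow("2024-03-01T09:15:00", "ward-pc-02", "his-app-01", 443),
    Flow("2024-03-01T10:02:00", "his-app-01", "his-db-01", 1433),
    Flow("2024-03-01T11:40:00", "ward-pc-01", "file-srv-01", 445),
    Flow("2024-03-02T08:50:00", "infusion-pump-07", "pump-gw-01", 8443),
]

# Constructed sample flows from a later window to check against the baseline.
NEW_FLOWS = [
    Flow("2024-03-09T09:05:00", "ward-pc-01", "his-app-01", 443),       # known pair
    Flow("2024-03-09T02:13:00", "ward-pc-02", "ward-pc-01", 445),       # pc-to-pc, at night
    Flow("2024-03-09T02:15:00", "ward-pc-02", "infusion-pump-07", 22),  # towards a medical device
    Flow("2024-03-09T14:00:00", "ward-pc-02", "file-srv-01", 445),      # new, but plausible
]

MEDICAL_PREFIXES = ("infusion-", "mri-", "pump-")   # assumed naming convention
ENDPOINT_PREFIX = "ward-pc-"                        # assumed naming convention
OFFICE_HOURS = range(7, 20)                          # 07:00-19:59, assumed


def build_service_map(flows):
    """Baseline service map: the set of (src, dst, port) triples seen while learning."""
    return {(f.src, f.dst, f.port) for f in flows}


def is_medical(host):
    return host.startswith(MEDICAL_PREFIXES)


def find_anomalies(baseline, flows):
    """Return (flow, reasons) for every flow the baseline does not explain."""
    findings = []
    for f in flows:
        reasons = []
        if (f.src, f.dst, f.port) not in baseline:
            reasons.append("new src->dst:port pair")
            if f.src.startswith(ENDPOINT_PREFIX) and f.dst.startswith(ENDPOINT_PREFIX):
                reasons.append("endpoint-to-endpoint (possible lateral movement)")
            if is_medical(f.dst):
                reasons.append("target is a medical device")
            if datetime.fromisoformat(f.ts).hour not in OFFICE_HOURS:
                reasons.append("outside office hours")
        if reasons:
            findings.append((f, reasons))
    return findings
```

The learning window should be long enough to cover normal shift patterns, otherwise legitimate but infrequent connections (such as the weekday file-server access in the sample) surface as false positives.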