While hospitals and health care systems have been one of the most popular targets of hackers and cybercriminals in recent years, that picture is starting to improve at many organizations.
Hospitals are generally getting better at protecting data. Many are updating their health information technology infrastructure and implementing stronger data security measures. These include encryption of all healthcare data stored, two-factor login authentication, and workforce security training programs.
But that road to recovery still eludes some health care systems.
To get a better idea of how data is being protected in the health care system, VentureBeat spoke to Victor Low, senior director of IT at Q-Centrix, a company specializing in health care data management.
Common challenges impacting health care data infrastructure
Unfortunately, many hospitals and health care centers suffer from symptoms of inadequate data infrastructure, staffing or strategy, Low said. “These obstacles impede the flow of data sharing, causing it to become much more complex and complicated. As a result, most health care systems choose to lock down the data for protection, while overlooking the need for data integration and sharing,” he explained.
There are five common challenges that hospitals and healthcare systems face while managing their data and data infrastructure, Low said. They are:
The lack of skilled resources and role-based training
“This includes staff who are properly trained in clinical data collection and management technology. Without these resources, data can be more susceptible to attack and subsequent misuse,” Low said. “Hospital and health care systems can make greater investments into these areas to address these issues.”
Dated technology, security, and documentation
“No MFA (multifactor authentication), SSO (single sign on), no encryption. Without advanced and modern security protections, data is more likely to be compromised in an attack,” Low said.
Complex (and confusing) technology
Low pointed out that health care systems are especially prone to silos and orphan systems. “Health care systems have gone through multiple mergers and consolidation over the past few years. During the course of integration, each health care system brings on their existing processes, technologies and personnel,” he explained.
“It takes huge effort and resources to transition from one system to another and, in the interim, existing systems are kept in place as a stopgap. Oftentimes, these stopgaps stay on due to deprioritization or dependencies and, over time, it builds on top of each other and becomes overlooked.”
Multiple oversight and regulatory environment/partners involved
“Health systems have their own internal security team and outsource some of the security assessment and/or security work to third parties for best practice. However, these can sometimes result in miscommunication, an overlap of responsibilities and long turnaround,” Low notes. A solution, he said, is “the forming of a single security and compliance committee, composed of key stakeholders from different areas who get together frequently to create a framework and roadmap. This would help uncover underlying risks and inefficiencies in security and compliance and provide a guiding star to existing and new processes and technologies.”
It’s going to take more than just a shot to cure health care’s data security woes
Fixing the data security infrastructure for health care is going to take a long-term investment in people and technology. “Summing from the above points, any technology improvement/implementation would take multiple-fold of effort, time and resources for health care systems to remediate, on top of being a low-margin business,” Low said. He said to streamline the process, “creating a roadmap and framework for technology implementation and lifecycle” would be a good start.
Another good practice to enforce across a health care organization is tracking and monitoring all vendors, holding them to the same standards and process companywide. Low explained this would have a threefold effect, in that it would “significantly cut down the vetting and assessment process for the security and technology team, [take] the guessing work out of the process for different vendors and [reduce] overhead.”
Victor Low is the senior director of IT at Q-Centrix
Published in VentureBeat. Read the article here.