The healthcare industry is changing in real-time: according to a recent telemedicine adoption study, only 17% of patients expect to return to in-person-only appointments even after the COVID-19 pandemic has resolved. While many businesses are shifting to long-term work-from-home models, physicians and patients alike are opting for virtual visits when possible. Time saved commuting, increased comfort at home, decreased risk of being introduced to contagions, and the ability for patients in remote locations to have access to world-class healthcare specialists are just some benefits driving the transformation of the healthcare industry.
The COVID-19 pandemic has catalyzed the mainstream adoption of telemedicine, while at the same time, dramatically increasing the attack surface of the already-volatile healthcare data security landscape. To effectively provide virtual appointments, telemedicine data must travel outside legacy security control boundaries. Telemedicine professionals are looking at ways to integrate greater data protection for both patient applications and home device APIs with care provider systems to address the increasing demand. Coupled with a self-protecting data API, telemedicine data can be secure wherever travels and resides.
While this shift is promising more accessible healthcare, it is also introducing inevitable cybersecurity risks on an unprecedented scale. Data security in the healthcare industry has always been a concern as patients are trusting their most personal health information with medical offices and practitioners. The Ponemon Institute’s 2020 Report stated the average cost of a data breach in the healthcare industry is $7.13M – the highest cost of any industry, and an increase of 10% compared to the 2019 report. Even just to identify and contain a breach, the healthcare industry reported the longest amount of time at 329 days (compared to the global average of 280 days). According to the Q2 2020 Healthcare Heartbeat produced by the Health Information Sharing and Analysis Center, there is a marked increase in healthcare workers leveraging open and insecure wireless networks and unintentionally expanding the healthcare providers attack surface and vulnerability. With a disparate workforce and larger attack surface introduced by telemedicine, these 4 numbers are only going to increase. A single medical record can sell for over $250 on the dark web, one of the highest valued records for cybertheft. With less oversight in home offices as telemedicine becomes the norm, it is becoming an increasingly attractive target for cyber criminals.
In 2019, just prior to the pandemic, 38% of US healthcare CEOs reported having no digital component in their overall strategic plans. Meanwhile, 94% of respondents cited data protection and privacy regulations, such as HIPAA and HITECH, as factors limiting implementation of their digital strategy . Now, one year and one pandemic later, healthcare organizations are rapidly attempting to integrate this must-have virtual offering into their strategies. In addition, to address the increasing threat, the National Cybersecurity Center of Excellence (NCCoE) and National Institute of Standards and Technology (NIST) are establishing the Securing Telehealth Remote Patient Monitoring Ecosystem project designed to comprehensively map out the attack surface to vulnerable telemedicine services. Organizations know that patient trust and compliance with these regulations will be paramount to the successful implementation of the telemedicine model. In the Telemedicine Adoption study, 42% of patients cited a secure platform with the protection of their private data as a factor when deciding to make a telemedicine appointment. Healthcare organizations are tasked with the challenge of providing these virtual services, while remaining complaint with regulations and providing confidence to patients that their data is secured.
Outdated solutions like DLP (Data Loss Prevention) technology are not feasible in today’s landscape where patient data needs to be shared in select circumstances, yet securely locked in all others. While DLP attempts to prevent sensitive data from leaving the network with the aim of preventing a data breach, it hampers healthcare professionals’ ability to effectively diagnose and treat patients with full access to patient records and information. Likewise, basic encryption and rights management are limited in the usability of the data by authorized users and across various platforms. Sharing data with fellow medical professionals and patients around the world needs to be simultaneously ultra-simple and ultra-secure – and that has been difficult to balance, especially with telemedicine where home networks are vulnerable and often less protected.
There is a solution
Keyavi provides the world’s first API technology that enables data to become self-protecting, intelligent, and self-aware. By securing the data itself – at its most fundamental level of data itelf – medical professionals can remain in constant control of health records, authorizing who can access the records, from where, when, during what timeframes and on which devices. And all these controls can be modified even after the data is shared and out of the owner’s possession.
Keyavi’s technology is composed of multiple independent encryption layers, designed such that a single layer cannot be compromised without triggering protection mechanisms in the surrounding layers. This multi-layer approach includes policies which are embedded directly into the data itself – fundamentally changing it – allowing the data to become self-aware and self-protecting. Whether in the clinic or a home office, medical professionals can protect records of any format, allowing them to only be accessible by the patient or other healthcare professionals, in certain locations, during a certain time period, as needed.
Consider a doctor sending a prescription to a pharmacy. Patients are trusting that their sensitive health information will be protected not only with the doctor, but also that the pharmacy is adequately securing their records for as long as they exist. With Keyavi technology, the doctor can impose an expiry date on the pharmacy’s access to the data or simply revoke access when it is no longer needed.
The Keyavi technology also includes modules for regulations, including HIPAA, to obfuscate protected information when records are sent to recipients who may need access to the rest of the file, but should not be privy to the sensitive health data. This feature allows for easy collaboration, while remaining compliant with essential regulations.
The healthcare sector will continue to be the target of malicious attacks and data breaches, but with Keyavi’s protection, health records falling into the wrong hands will be worthless to the attacker. The data will be aware of the unauthorized access attempt and protect itself, while reporting back to the data owner, providing visibility and forensics as to who was attempting access, when, and where in the world they are located.
As this shift to telemedicine continues, medical professionals working from home networks cannot reasonably be expected to be IT security experts as well. By empowering them with an intuitive tool to instill persistent protection on regulated data, these healthcare workers can properly focus on the health and safety of their patients.