Prevention is better, and cheaper
August 2017, This Week's Editor's Pick, Cyber Security, Integrated Solutions, Healthcare (Industry)
The healthcare industry in South Africa comes under no shortage of criticism for many, if not most of its practices and capabilities. All the while, the organisations and people involved move along and try to provide a service to the millions who entrust their lives to these organisations and their staff.
One area of healthcare that is under intense scrutiny internationally is that of data. What happens to patient data, which is potentially one of the most personal and sensitive types of information around? And it’s not only the protection of this data that is under the microscope, the security of healthcare technology, privacy, workflows and processes is also being questioned, especially after the recent global ransomware attacks.
These attacks saw many European healthcare operators being forced to turn people away because their computerised systems were locked down. Depending on where you go for care in South Africa, an attack like this may not impact the operations of health services all that much right now, but the digitisation of healthcare is a reality that all providers need to be aware of, just as they need to be aware of the security implications and demands of digitisation.
But it’s not only computers and IT equipment that are at risk and causing risk. Recent cyber attacks which used physical security equipment (cameras and recorders) as a network of bots to launch an attack is another example of vulnerabilities most healthcare organisations aren’t even aware of.
Accurate and broad statistics are not readily available for the state of healthcare information and services in South Africa, but internationally these organisations are frantically trying to address these issues. The drivers are privacy, operational efficiency and legislation.
The 2017 Level 3 Healthcare Security Study conducted by HIMSS, for example, demonstrated that a lack of employee awareness of the security risks involved in various digital endeavours was one of the greatest security risks. From a physical security perspective, this is often also the case as vulnerabilities are often the result of staff actions – leaving doors or cabinets unlocked and so forth.
Even in South Africa, where the digitisation of healthcare either matches first-world standards in the case of some private hospitals, or is far behind, the digital risk is immense.
Far reaching consequences
When considering the state of local digital healthcare, Jorina van Rensburg, MD at Condyn believes the issue of data breaches and theft is an enormous risk as it can have far reaching consequences. “Not only do you get all the details of the medical history of the patient, but also the bank details, address, etc.”
In the case of medical history leaks, she says there is also the possibility of creating a stigma that may lead to discrimination (when applying for a job, for example). It may be illegal to discriminate, but van Rensburg says there is a possibility the person making decisions may unconsciously make up their mind whether to give a person a chance or not based on their medical condition.
John Mc Loughlin.
John Mc Loughlin, MD of J2 Software, echoes this sentiment with an example of someone with HIV. “A person living with HIV and receiving regular treatment may be in good health, but a third party may leak their data and in doing so can cause the individual to possibly lose their job (it is illegal, but employers may not state the medical condition as their reason for dismissal). It has been reported that individuals can also face degrees of persecution and career damage due to the prejudices of others.”
He also notes that medical information often contains details of medical aid information which may also include identity numbers, addresses and bank details – all of which could lead to identity theft. “Medical institutions cannot stand back and pretend this is not a major threat.”
“Then there is the case of identity theft as the patient is required to complete forms with all personal information at medical provider,” adds Van Rensburg. “An identity thief can use your records to obtain information to use the benefits of your medical aid, not to mention the extra medical bills that can run against your name.”
As with most electronic crimes, once the information is gone, it can’t be recovered and you can’t stop criminals trying to use it.
CA Southern Africa’s security solution strategist, Sagan Pillay, explains that the magnitude of the loss of data records is enormous and the impact on patients and practitioners can lead to fatalities or malpractice issues. And while information may be scarce in South Africa, he says that in the USA, 81% of organisations allow employees to use their own personal devices to access patient medical data, devices that are not necessarily controlled or secure. Moreover, 94% of healthcare organisations have had at least one data breach in the past two years with 45% report having more than five incidents.
In other words, the healthcare market is a prime target for criminals as it has not been well protected in the past (and in many cases still isn’t), contains valuable information that is in demand on the black market, and opens the door to many types of crime.
And Pillay notes that it’s not always about hacking or malware, insider negligence, misuse or malfeasance continues to be the primary cause of data breaches worldwide. Effective security must take this into account as well.
What precautions are necessary?
When considering what needs to be secured and how to do it, Pillay concedes that healthcare organisations are faced with a range of challenges. “These are made more difficult by the increased mobility of their user population, as well as the continued adoption of cloud applications.
“While these trends present opportunities, they also greatly increase the difficulty of ensuring security across key applications and data. Protection against cyber attacks, which are as random as they are malicious, and on the increase, is crucial regardless of what sector an organisation is operating in. No one is exempt, and as such all companies need to take significant measures to protect against these kinds of attacks. This means using every means available to protect their data, including perimeter defence, data protection, email filtering and more.”
In the local context, he adds that medical institutions, be they medical aid organisations or hospitals etc. are not immune to the requirements of the PoPI Act. “Today’s compliance requirements have very specific demands for security controls in order to protect personal data from disclosure. Compliance with these requirements may have become more complex, but no less mandatory. Furthermore, the cybersecurity bill will also need to be adhered to when it comes to sharing and requesting records from foreign countries, the compliance standards will need to be met by both parties for lawful interaction.”
Mc Loughlin adds, “It is important for all organisations to understand where the data is, how it is accessed and ensure it is protected from leakage and damage.
“We have an urgent need for practices and hospitals to clearly understand how they are keeping their patients’ data and their systems safe. The drive must always be to get visibility. We cannot manage what we cannot see. How do they know the data is safe if they don’t even know where it is? Basic solutions are simple to introduce into the most rudimentary environments and will ensure protection.”
Since we live in a digital world where email and Internet access is virtually guaranteed, we also need to make sure that the people using these pieces of technology are aware of the dangers so that they do not succumb to basic phishing or click bait attacks.
In addition to direct protection from attacks, planning to recover from the worst is as crucial to successful data security. Van Rensburg believes that all hospitals and medical providers should ensure that they have a backup plan in place and offers the following:
1. Ensure that all perimeter security is in place and up to date on patches etc.
2. Encryption: it is important to ensure that all records are encrypted and that the encryption is implemented according to the prescribed standard.
3. Ensure that email sent between the medical providers is encrypted.
4. Ensure that the anti-virus program used is up to date and managed.
5. Ensure that a backup solution is in place and that new backups are made daily or in real time and that it does not overwrite old backups – keep backups in a secure place.
6. Invest in a system that will report the latest update status of all backups daily.
7. Make sure that the backup systems are tested to ensure data is available and can be restored.
8. Ensure that all medical data is stored on a database that is encrypted and that user access is managed with two-factor authentication, such as PIN, token etc.
9. Change control is extremely important when making changes to any system, including documenting the change. Part of the planning should include a risk assessment on the planned change and what areas of the system will be affected.
10. When finished working on the system, ensure that the system is logged off or have the ability to lock automatically when the operator steps away from the machine.
11. Ensure that all logs of changes and transactions are recorded daily by a management and reporting system.
12. Strict access control for users and usage policies etc. must be implemented and enforced. User training is extremely important.
13. Vulnerability assessment must be conducted, including social engineering assessments to ensure that both people and technology are secure.
14. Disaster recovery should be tested regularly as per company policy, but not less than once/twice a year.
Advice is easy and cheap, but implementation is not always a straight forward process. The requirement is therefore for skilled people to assist in managing digital healthcare systems in order to ensure the streamlined functioning of these organisations. While the technical bits are naturally complex, the user interface must be as easy to use as possible, while remaining secure.
Much the same can be said for the pharmaceutical and logistics operations that warehouse and deliver medicines to organisations and people. Pillay suggests treating these items like gold. This means securing the processes and technologies used to request medicine, whether it’s in a hospital or pharmacy, or a bulk delivery from a warehouse. “This alone would see a significant cost-savings for government institutions by reducing fraudulent stock requests and ensuring a higher level of privacy to the details of legitimate orders.”
Moreover, the logistics involved in accessing these drugs requires stringent physical security in terms of access control, using reliable and secure systems such as fingerprint biometrics and others.
As noted above, there are many critical issues in African healthcare that need to be addressed in all sectors, from government to private organisations. The only certainty is that the problem of data security will only increase and lead to more, and more severe consequences if it is neglected. Not only will the consequences be felt in terms of a range of fraudulent activity impacting both healthcare organisations and people, but also the associated organisations and industries, as well as the effective functioning of the healthcare system.
And this applies to both the threats from malware and hackers, as well as the risks posed by insiders, both through negligence and malice. “Today’s healthcare organisations must defend against significant threats to their infrastructure and data from both within and outside the network perimeter,” explains Pillay. “Insiders, and especially administrators, pose a significant risk due to the damage they can cause through malicious or inadvertent actions. In addition, external attacks are increasing in sophistication and frequency.
“Most healthcare organisations have many employees and partners that need to get access to apps and data spread around the distributed IT environment. These users are often geographically distributed, and almost always want to use their own devices for this access. Partnering with a security solutions provider capable of offering globally proven solutions that enable employees and partners to securely and more easily collaborate and share medical and patient information will assist with security, but also with more effective treatment.”
Of course, it is easy to speak about the need for change, but many companies will have no idea where to start because data security has not been top of mind and probably still isn’t. Van Rensburg suggests three pillars on top of which organisations can start building their information security processes.
Ownership: Ownership and taking responsibility among all the role players to ensure that medical data is secured. There is currently finger pointing between the service providers as to who is responsible for each and every aspect of the infrastructure – such as who is responsible for encrypting a line over which data is sent.
Co-operation: It is critical for the role players to start co-operating with each other to secure the whole medical industry, and this includes logistics as this is where much of the fraudulent transactions take place as suppliers do not co-operate with each other – and that makes all of us vulnerable.
Investment: Public and private partnerships. We need to be part of a discussion on the solution, working together and not disjointed as is currently the case. All of us are working towards the same goal, but silos leave loads of space for fraud, extortion etc. More laws will not solve the problem. The problem will be solved through communication and co-operation.
For more information contact:
• CA Southern Africa: www.ca.com/za.
• Condyn: www.condyn.net.
• J2 Software: www.j2.co.za.
Jorina van Rensburg, MD at Condyn presents seven fraud scenarios that lax data security enables.
1. Patients’ claim for prescriptions, but although the claim is processed, the product delivered is not what the prescription described. Medicine is replaced with commodities like nappies or the medicine issued to the patient is not the medicine prescribed by the doctor.
2. Contracted medical providers, for example, book times of service at three different places at the same time and claim for all three ‘services delivered’ as no controls are in place to prevent this type of extortion.
3. Medical records in paper format are open and left at reception areas or administration offices where little or no security is implemented. It is very easy to walk into any hospital, whether private or public, and grab a record from the table.
4. Electronic medical records are not stored in a secure database and access control to the record is often neglected.
5. Standalone and legacy systems are most often placed on the back burner and result in risks and vulnerabilities malware, ransomware and wiper-malware.
6. Secrecy and lack of co-operation: the role players seem to work independently of each other. This creates a huge opportunity for fraud in general.
7. Between countries: Africa is becoming a dumping yard for the rest of the world’s medical supplies and medicine.
8. And the list goes on ….
For more information: www.condyn.net.
By Greg Sarrail, vice president business development and sales, EMEA, HID Global Biometrics
The value of fingerprint authentication is increasingly gaining popularity in healthcare applications because it can provide assurance of ‘who’ is actually accessing medical records or prescribing medications. Biometric authentication allows clinicians to access records with the touch of a finger. There is nothing to remember and nothing to lose and nothing to learn. There are no barriers such as language, literacy, gender or age, and fingerprint scanning is unquestionably much simpler and easier to understand and use.
Today, fingerprint authentication is already being used in ePrescribing. Physicians are able to prescribe medications electronically via a computer in a clinic or on a mobile device in rural areas. Where complete healthcare records otherwise might not be available, access to electronic medical records via a fingerprint biometric system helps prevent harmful drug interactions and incorrect dosing of patients. Access and distribution of drugs can be properly tracked to avoid abuse and fraud.
Further, fingerprint biometrics can be used in order to ensure efficient management of medical supplies and medications. Controlling access to medical cabinets is crucial for patient safety, compliance with regulations regarding controlled substances, and inventory control.
For more information: www.hidglobal.com.