It has been six years since the largest healthcare data breach on record sent shock waves through the industry. Anthem Blue Cross disclosed that nearly 79 million patient records had been stolen in an attack that exposed sensitive data, including names, addresses, birth dates and Social Security numbers. Millions more have been affected by the ten largest healthcare breaches of the past decade, according to the U.S. Department of Health and Human Services’ Office for Civil Rights. These breaches have grown in volume and frequency as cybercriminals pursue a simple motive: gain access to the most valuable information and hold it for ransom.
Hackers have learned that the healthcare sector is prone to security weaknesses. One report ranked healthcare ninth among all industries for security posture. A 2017 survey found that healthcare data breaches had affected 26 percent of Americans, more than one in four consumers, and that half of those victims were left with an average bill of $2,500.
Some healthcare companies have made security a priority because of these risks. Forward Health, a San Francisco-based preventive primary care startup that pairs doctors with advanced medical technology, made security a central concern when it launched in 2016. The startup charges $149 a month for access to digital healthcare, in-person doctor visits and tools for home use in 13 cities nationwide. It uses biometric body scans to monitor patients’ vitals and build a baseline picture of an individual’s health metrics before devising an evidence-based care plan.
“We collect lots of information on how you live your life and about the choices you make when you’re not in our doctor’s office,” Robert Sebastian, the company’s co-founder, told PYMNTS. “And if that’s the case, security has to be a priority from the very beginning.”
Engineering Healthcare Data Security
Sebastian said the goal was to build, from the ground up, a system that could sustain doctor and patient confidence in how client data is protected. Rather than buying an off-the-shelf solution, the company hired software engineers from Google and Amazon to develop its hardware and software in-house. Engineering its own technology meant the firm did not have to gamble on a technology partner suffering a data breach.
“We don’t outsource security,” he said. “Our team is the only one I would trust with the security of our members’ data.”
Sebastian declined to describe how the company’s security system works, so as to keep such details away from cybercriminals, but he confirmed that Forward Health has not suffered a security breach in its five years in business. He said its approach to protecting valuable data is similar to encrypting and securing email, and insisted that security is not separate from building the smart screens or the body scanners its doctors use.
“It’s a lot of work,” he said. “But if you’re trying to rebuild healthcare correctly from scratch, you have to take those challenges on.”
Deploying Measures
A sound data protection program does more than comply with the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the European Union’s General Data Protection Regulation (GDPR), though failing to meet those requirements can bring significant fines. HIPAA’s Security Rule requires covered entities to protect the confidentiality, integrity and availability of electronic patient information and to ensure it is used only by authorized staff for the purposes the law permits. Both laws are technology-neutral: they set the required outcome, not the tooling, so genuine data security means committing to stronger defenses than the legal minimum.
It is up to each hospital and healthcare firm to choose the measures that meet its objectives. Those can include training employees, restricting data access to the minimum necessary, and encrypting data at rest and in transit, as well as securing mobile devices, mitigating the risks of connected medical devices, conducting regular risk assessments and verifying business associates’ compliance. Patients’ identities and biometric information are deeply personal parts of their medical lives, and organizations like Forward Health that deploy advanced defenses and set their own security standards above the regulatory floor may be able to keep cybercriminals from causing irreversible harm.