The critical care of data in healthcare

iStorage CEO, John Michael, considers the importance of digital hygiene in healthcare and explains how hardware encryption helps health organisations add security to their processes, protects patients, and keeps sensitive records safe from cyber criminals

High-impact data breaches

Data breaches are a global issue, and as worldwide healthcare providers have transitioned to EHR-based record keeping, controlling access to such sensitive data has proven to be difficult. In the UK, eight in ten providers of frontline healthcare services suffered at least one data breach between 2021 and 2023. French healthcare software provider Dedalus Biologie was fined €1.5 million for a 2021 breach which saw the names, social security numbers, and sensitive medical information of nearly 500,000 people released onto the internet. And in the US, reported breaches affecting major healthcare organisations totalled around 295 in the first half of 2023. 87 million US patients have had their information breached in 2023, with 43 million in the third quarter alone.

The safety of healthcare data is, clearly, a worldwide issue, and the methodology of cyber criminals can be extremely disruptive. The EU Agency for Cybersecurity reports that ransomware accounts for 54% of cybersecurity threats in the health sector, and not only does a ransomware attack risk the loss or distribution of improperly secured or backed up data, but it also causes serious disruption to medical systems. Being unable to restore an affected system quickly and easily may cost lives, a position health organisations should never have to face.

Reliance on outdated technology

In many cases, technological threats and issues mean providers have been forced to reach for outdated technology in a bid to safeguard secure communication channels. Many US health organisations, for example, have found the transition to a modern EHR platform difficult. Incompatibilities – and, in some cases, vendors actively blocking communication – between competing EHR platforms hamper interoperability to the point where most US healthcare providers have struggled to remove their reliance on electronic and paper fax for secure communication.

The UK, despite attempts to ensure NHS interoperability by 2020, still struggles with siloed systems and fragmented technology which prevents seamless communication between departments and restricts adherence to digital and data standards. Primary Care Support England continues to distribute paper-based Lloyd George medical records, physically couriering them between locations as the scanning and digitisation of UK medical records remains incomplete.

While a certain amount of teething trouble is to be expected over the course of any digital transformation effort, a difficult or frustrating system may cause pressurised individuals to transmit data without following proper protocols. Besides, many legacy or portable systems do not yet have the capability to be connected to a modern network, let alone the technology to communicate in a truly secure manner. Temptation or necessity may lead to insecure data storage and transfer – an extremely poor practice in such a sensitive environment.

Changing practices to protect data

Digital hygiene must be treated as being as important as physical hygiene within healthcare. It is vital that all professionals in the health space are made aware of their responsibility to protect data. This goes far beyond those developing EHR platforms or other back-end technologies; digital hygiene must be practised up and down the chain.

Anyone with access to sensitive records must learn the inherent vulnerabilities of transfer methods like email or devices like laptops and be clear on the potential consequences of their use, misuse, or loss. Many everyday practices within healthcare organisations can introduce security vulnerabilities, too. Pulling results from a non-networked mobile ECG or sonograph, for example, is often done using a basic USB flash drive. If such a drive is lost or stolen, control of that data is lost with it – and the sanctity of a patient’s personal information becomes vulnerable. It is incumbent on any individual that may need to transfer anything from place to place that they do so in the most secure way possible.

The power of hardware encryption

Introducing hardware encryption prevents such data from reaching the wrong hands. Utilising storage media which can encrypt files securely and automatically keeps sensitive data safe, ensuring it can only be seen by those authorised to unlock it. Employing encrypted storage further up the chain, using it alongside other standard methods to locally back up patient records, safeguards against system loss in the case of ransomware or other disruptive hacking techniques. Data stored on an encrypted external drive is, if that drive is then disconnected, protected against network intrusion and even against physical attack – and since hardware encrypted drives appear as a standard USB device when unlocked, they are fully compatible with all medical equipment with a USB port as no software is required.

The high black-market value of health data means the industry will likely never be free from the attention of cyber criminals. Healthcare providers must do everything they can to build a resilient shield to defend themselves, their equipment, and most importantly their patients against any form of digital incursion. A two-pronged strategy which combines regular backups with hardware encryption should be an essential component of any digital hygiene plan – with the right equipment it is easy to introduce, easy to administer, and inherently secure.

John Michael, CEO, iStorage