New Healthcare IT Landscape and Related Security Needs
In 2005, the European Commission embarked on a new policy framework that embraced all aspects of the “information society.” This framework, called i2010 - A European information society for growth and employment, provides the broad policy guidelines for the information, communication, and audiovisual sectors in the years up to 2010.
One of the priorities of the EU's i2010 program is to focus on E-Health to boost innovation and jobs. The aim is to provide user-friendly and interoperable information systems for patients and health professionals across Europe. E-Health provides many benefits, such as making it easier for doctors to access patients’ medical records, gain immediate access to test results from the laboratory, and deliver prescriptions directly to pharmacists.
The electronic health record (EHR) is a fundamental element of e-Health systems. EHR is digitally stored healthcare information containing an individual's lifetime of records, with the purpose of supporting continuity of care, education, and research.
Since the amount of data has been growing at an incredible rate, organizations should look for the right trade-off between innovation needs and security issues. In fact, there are two factors in contrast: the healthcare information digitization and the medical infrastructure interoperability are fundamental, and it is impossible to ignore security issues.
E-Health evolution requires the following:
• An increase in the availability of electronic services (e.g., Web-based services).
• The endeavor for a better quality of service (QoS).
• The enhancement of efficiency in managing large amounts of data.
But, at the same time, it’s necessary to consider the following aspects:
• Moving healthcare data from paper-based to electronic media, significantly increasing the information security scope.
• Increased needs of data availability.
• New and additional information on security threats.
• Compliance for regulatory requirements and best practices of vertical industry.
Nowadays there are many different kinds of threats that can hit healthcare information; perhaps the forefront of the main issues is the risk of losing patients’ data. According to the 2009 Data Breach Stats report published by the Identity Theft Resource Center, the data loss phenomenon for the medical sector has evolved during the last two years. On one hand, the absolute number of breaches fell (about 29%), but on the other hand the number of compromised records increased considerably (about 55%). The figure below summarizes the statistics data of the last two years:
The main vectors of data loss are:
• Lost or stolen laptops, computers, or other computer storage devices
• Backup tapes lost
• Hackers breaking into systems
• Employees stealing information or allowing access to information
• Poor business practices
• Internal security failures
• Viruses and Trojans
Information security companies propose different solutions to minimize the risk due to data loss, but the emerging method is data loss prevention (DLP). DLP, or information leak prevention, means the combination of tools and processes for identifying, monitoring, and protecting sensitive data or information according to an organization’s policies or government/industry regulations. So, DLP strategy should be based on a combination of people, processes, and technology.
Security companies have understood that, in order to properly manage a DLP project, it is necessary to use a structured approach with the development of a complete DLP Program, as is outlined in the below diagram:
The diagram shows the suggested components of a comprehensive DLP program. I’ll defer the granular details of these components to a future blog posting, but for now let’s focus our attention on the main concepts that underpin a DLP Program. Most DLP solutions solely rely on technology. Although technology is an important aspect, the program should consider processes and people as well, in order to be really efficient. Basically, the key success factors to consider are:
• Review security policies and processes in order to formalize the practices in place to manage the entire information lifecycle (inventory, classification, safeguards, etc.).
• Employee training and awareness to educate users on confidential information handling, as well as directly involving them in the data loss risk-reduction process.
• Commitment of stakeholders to respond proactively and in a timely manner to any security breaches, assuring compliance with internal policies, standards, and regulations.
Looking ahead to the future, the EU is defining the new strategies for information society, among which is the growth of the e-Health program using online consultation and public hearings. More information on the program is available at http://ec.europa.eu/information_society/eeurope/i2010/pc_post-i2010/index_en.htm.