According to the Information Commissioner’s Office in the UK, healthcare data breaches accounted for 40% of late 2016 security incidents. This type of information is a special nightmare to deal with. On the one hand, the data is obviously highly sensitive, on the other hand, accessing up-to-date medical data without delay can be a matter of life and death for patients. Black hat hackers are very conscious of these facts; they know medical organizations are very likely to pay any ransom if their patients’ lives are at risk.
Digitization raises security issues
With medical processes generating a huge amount of paperwork, no wonder the healthcare sector is pushing towards digitization. Benefits are manifest: medical information can be transmitted easily from one organization to another, patients can have better access to their medical records. But it raises questions: where and how to store the information properly and securely? Each organization which needs access to the data has different governance, management and rules, and it is hard to implement consistent data security policies and training to educate staff on keeping data safe with all the different requirements. Cédric Cartau, Chief Information Security Officer at Nantes University Hospital notes:
In the next 5 to 10 years, we can expect far more security issues, which will require bigger budgets, more staff and teaching best practices.
And what do you do if you are confident in your security policy but you know that this or that hospital you have to share with is not as sophisticated with regards to digital hygiene? Consistent governance is hard: the mix of private and public organizations in most countries like the UK, France, Germany and the US makes unified protocols and policies difficult.
Today, the situation is chaotic at best with PBS asking if health care hacking has become an epidemic. Healthcare data can leak from everywhere: according to this report from the U.S. Department of Health and Human Services, the health care industry has averaged close to four data breaches per week in 2016. Patients also carry these vulnerabilities with them, in the form of minimally secured smartphone health apps. And this data is worth a lot of money!
Electronic health records are 100 times more valuable than stolen credit cards
said James Scott, co-founder and senior fellow at the Institute for Critical Infrastructure Technology (ICIT) in Washington D.C.
Public clouds: no solution
IT teams do not have a substantial budget dedicated to security concerns. And when you are attacked every seven seconds on average like the Beth Israel Deaconess Hospital you have a real problem. Some health care organizations made a surprising move: put their data into the Public Cloud. In terms of security, it is indeed a better alternative than building your own system on a shoestring budget. Microsoft, Google and Dropbox spend millions on security. Their teams patch security issues in no time and their core business is making data accessible whenever and wherever it’s needed.
But Public Clouds are not set up very well for handling healthcare data. First of all, using Public Clouds raises privacy concerns, which is particularly worrying when it comes to dealing with such sensitive data. Second, Public Clouds don’t really solve the security issues! Due to the typical consumer-focused nature of of Public Clouds, IT teams have to rely on third-party tools to ensure that only the right people have access to medical data and to enforce the secure use of those clouds. These tools for example provide Identity as a Service (IaaS) and help manage staff-owned devices and sharing. But this is only moving the problem. Using several tools layered on each other multiplies complexity and increases the opportunities for costly mistakes as well as the surface of attack. Now, a breach on several levels and in a variety of tools can leak data!
Delegating security policy also hampers your ability to adapt to changing situations and requirements:
Can you track (or limit!) the sharing or downloading of specific files if you need to for compliance requirements?
Can you change or adapt the whole process if new laws come into force?
Can you at least migrate part of all of your data out of the Cloud to another place if you need to, or is it too costly?
Vendor lock-in and lack of control, the simple fact that your patients’ medical data is intermingled with the data from countless other users in an unknown location, the chance of being part of massive data leaks like this one from Dropbox last year – the risks of the Public Cloud are countless while promised cost benefits usually fail to materialize.
Private cloud: stay in control
The most powerful and elegant solution to the security-vs-accessibility problem faced by the medical sector is implementing a Private Cloud solution. The existing data storage and access technologies, and more importantly, existing governance processes and tools, can be leveraged by software like Nextcloud, making the data caretakers need available easily and quickly while IT can stay in control. The flexible nature of Nextcloud enables deep integration in existing infrastructure.
Today, US-based file sync & share vendor Kiteworks announced their acquisition of ownCloud and Dracoon. Kiteworks points out that their customers now have access to their file-sharing application. It is to be expected they will not maintain 3 similar products, but customers will have to migrate to the US firms’ platform or look for another […]
As part of Schleswig-Holstein's state digitization strategy, the state chancellery has announced they will work with Nextcloud to develop AI for working with government documents. This comes just after we announced the first private AI assistant last weekend with Hub 6. The German state already uses Nextcloud and their AI strategy aligns with our work on ethical, local AI technologies.
Over the last year, AI has become a popular topic. Some is hype, some is substance. Some is good, some is bad. We want to give you the good, not the bad, and ignore the hype! AI has a ton of opportunity – but also risk. So we put you in control – off by […]
The serious security flaws in ownCloud (now owned by Kiteworks) do NOT affect Nextcloud. We have strict security processes in place, and do not ship test data from libraries that can cause security breaches.