Securing Data Using the “Duty of Care” Standard

By Arshad Noor, CTO & Brain Trust, StrongKey
Twitter: @StrongKeyInc
Twitter: @cryptoengine

The healthcare industry has a huge responsibility when it comes to information security and protecting sensitive PHI while abiding by its “duty of care” principles. However, the industry continues to suffer large data breaches despite multiple federal regulations that mandate the security and privacy of sensitive healthcare data.

It’s not a lack of cybersecurity guidelines that has led to ongoing data security and privacy incidents. Digital transformation in the healthcare field has made better patient care possible, backed by streamlined data and operations. While these technologies improve patient outcomes and lower costs, they also come with compliance and security risks.

A breach has the potential to not only affect patient care and the trustworthiness of the healthcare organization but can go so far as to endanger the patient’s life if the integrity of data produced by medical equipment or records cannot be trusted. Because patient data is the most valuable commodity on the dark web, it is in the greatest danger of attack. Healthcare providers, therefore, have a “duty of care” responsibility to protect patient data.

One would think that a healthcare provider using encryption to protect their patients’ data in the cloud might satisfy the “duty of care” principle. But the cloud service provider that has control over encryption keys can decrypt those encrypted documents at any time.

In addition, using passwords to authenticate patients and healthcare professionals to web applications is the oldest and weakest authentication technology that exists. Stronger methods are available – sometimes at little or no cost to the healthcare provider who owns the application.

Healthcare organizations wrongly assume that network security tools are enough to keep their data safe. Spending more money on IT network security – firewalls, anti-virus, malware detection, intrusion prevention, etc. – is a waste of money; the focus should be on protecting sensitive data within the application.

Healthcare organizations will best serve their patients and their data by taking these necessary security precautions:

  • Get rid of passwords and/or any other form of shared-secret method being used to authenticate humans to applications. Adopt the FIDO Alliance’s WebAuthn as the authentication standard and do not delegate the authentication to a third-party Identity Provider. New privacy laws such as the General Data Protection Regulation and California Consumer Privacy Act create new liabilities for healthcare providers if the Business Associate Agreement (BAA) does not protect the healthcare provider.
  • Provide strong protection for data by encrypting it at the source where information is captured – at the application level. This is the surest long-term method for protecting sensitive data because the application layer is the highest layer in the technology stack. This makes it the most logical place to protect data, since it offers the attacker the smallest target. In addition, once data leaves the application layer, it is protected no matter where it goes – and it must return there to be decrypted.
  • Retain the trustworthiness of data stored within electronic health records and databases.
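The second and third precautions above can be shown in working code. The following Go example is added here and is not StrongKey’s own code: the application holds the AES-256-GCM key, so the storage or cloud layer only ever sees the nonce and ciphertext and cannot decrypt it, and GCM’s authentication tag (with the record ID bound as additional authenticated data) rejects any record that was altered or moved after it left the application. The `Vault`, `Record`, `Seal` and `Open` names are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is all the storage/cloud layer ever holds; the key stays in the app.
type Record struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte
}

// Vault wraps AES-256-GCM under a key that never leaves the application.
type Vault struct{ aead cipher.AEAD }

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead}, err
}

// Seal encrypts at the source; the record ID is bound as additional
// authenticated data so a ciphertext cannot be moved onto another record.
func (v *Vault) Seal(id string, plaintext []byte) (Record, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{id, nonce, v.aead.Seal(nil, nonce, plaintext, []byte(id))}, nil
}

// Open decrypts and verifies: any change to ciphertext, nonce or ID fails
// GCM's tag check, so a tampered record is rejected instead of trusted.
func (v *Vault) Open(rec Record) ([]byte, error) {
	pt, err := v.aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.ID))
	if err != nil {
		return nil, fmt.Errorf("record %s failed integrity check: %w", rec.ID, err)
	}
	return pt, nil
}
```

In a deployment the 32-byte key would be generated and kept in a key store the healthcare provider controls, never handed to the cloud service provider; the storage layer receives only `Record` values.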

These days, “duty of care” includes doing everything possible to ensure the security and privacy of patient data. Because this data is coveted by attackers, sub-standard practices like using passwords for authentication simply won’t do. Use the precautions above to build stronger security into your organization so that it meets the duty of care standard for data and the patients it represents.