by Tim Reilly

Sharing Health Data Safely and Securely

Recently I had the opportunity to take part in a HIMSS webinar on the topic, “Building Trust Between Public Health and Public Safety,” which included Ben Cushing, director of federal health and science at Red Hat.

The discussion focused on emerging technology that extends security policy and enforcement so that data stays private while remaining accessible to those authorized to use it, and on how integration can lead to robust data sharing between public health and public safety partners. It also identified the challenges of building these data systems and explored how such programs can be implemented in our communities.

Emerging federal regulations are having a major impact on how data is shared, how we are monitoring it, and what the processes should be when data has been breached. Protecting shared data, including at the network edge, is vitally important not only for regulatory compliance but to ensure the privacy of personal data such as health records.

Clearly, healthcare institutions are under a great deal of pressure to secure data and protect its privacy, and new rules emerge all the time. Since HIPAA, and later HITECH, made the protection of electronic health records mandatory across the industry, securing PHI has been a major priority for organizations.

In September 2021 the Federal Trade Commission (FTC) issued a policy statement affirming that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule, which requires that they notify consumers and others when their health data is breached.

The FTC noted that health apps, which can track everything from glucose levels for those with diabetes to heart health to fertility to sleep, increasingly collect sensitive and personal data from consumers. These apps have a responsibility to ensure they secure the data they collect, which includes preventing unauthorized access to such information.

The policy statement notes that apps and connected devices such as wearable fitness trackers that collect consumers’ health information are covered by the Health Breach Notification Rule if they are capable of drawing data from multiple sources, for example a combination of user input and data pulled from other services through an API.

Organizations that have experienced a security incident involving patient data must inform the affected patients within a fixed period (under both the HIPAA Breach Notification Rule and the FTC rule, the outer limit is 60 calendar days after the breach is discovered), and meeting that deadline can be challenging. Nevertheless, the government is aware that bad actors are going after personal information, so the onus is on providers and others in the sector to better protect their data.

Healthcare professionals frequently have to share patients’ data with outside organizations in order to provide care, and every such transfer widens the exposure of that data to bad actors. Organizations are creating, gathering, and sharing staggering amounts of data, and the volume continues to grow.

Cyber security practitioners and technology providers need to start looking at new concepts for how to better protect individuals’ data, while at the same time allowing it to be accessible to multiple care providers.

While containers and Kubernetes are seeing rapid adoption, they have also become a target of cyberattacks because they introduce attack surface that did not exist in VM-based deployments. New technology requires new security: legacy host- and perimeter-based tools were not designed to see inside containers or the Kubernetes control plane, and they leave gaps in that environment.

Another key element for securing PHI is encryption, and solutions that work specifically with Kubernetes are available today. For example, Zettaset’s XCrypt OpenShift Encryption for cloud-native environments is designed to protect data in real-time across any architecture, providing transparent, high-performance data protection.

Organizations shouldn’t spend time deciding which data to encrypt; they should encrypt everything. Classifying data to pick out the sensitive subset is slow and error-prone, and a single dataset wrongly judged non-sensitive ends up stored in the clear. Encrypting all data at rest removes that failure mode.

The key is to be able to do this, encrypt data and use containers for data sharing, without degrading performance or slowing down processes. This is where automation comes in. XCrypt encrypts data stored in Red Hat OpenShift container environments without slowing down processes, by automating the deployment of software-defined encryption that protects container data throughout the OpenShift environment.

With this kind of data protection, a breach that exposes the underlying storage (a lost disk, a copied volume or snapshot, a misconfigured storage bucket) yields only ciphertext, so the data cannot be exploited. Two caveats apply to any encryption-at-rest solution: it does not protect data from an attacker who compromises a running workload that already holds the decrypted data or the keys, and it is only as strong as the key management behind it, so keys must be kept separate from the encrypted storage and access to them tightly controlled. Within those limits, this is protection every healthcare entity needs as it shares more and more data with other organizations.

If you’re interested in learning more, check out our recent HIMSS webinar with Red Hat or drop us a line here.