What’s the most effective way to protect sensitive Healthcare data – technology, processes or people?
December 3rd, 2013 by Michael Shuff
Trick question? Could be. The answer is of course “all three”. Take the case of Pervasive Health, who have recently achieved certification to ISO27001 – read our case study here:
Protecting confidential patient data in the healthcare sector is of vital importance: Pervasive Health’s ISO27001 certification is a landmark achievement in the sector, showing the importance of combining the best IT security with an ISO standards-based approach to information security.
Handling sensitive health data requires the implementation of rigorous technology, standards and processes. For Pervasive Health, it’s business as usual, as they empower health enterprises and professionals to discover health insight every day. The USA-headquartered company chose IT Governance to help them gain ISO27001 accredited certification for the organisation’s US and European operations – making their platform the first in the field to achieve this.
But why is applying the ‘rigor’ of ISO27001 important in this emerging sector (Healthcare insights)? To see why, it helps to understand what happens when software developers take a far less responsible approach to the data they handle:
HIT – or miss? Today’s Healthcare technology can prove to be vulnerable!
The healthcare industry is rapidly adopting health information technology (HIT). Sometimes so rapidly that security measures lag behind, leaving healthcare entities open to dangerous data breaches.
For example, in the first three years of the U.S. Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, about 260 data breaches affected more than 10 million patients, according to the U.S. Department of Health and Human Services. The costs of a healthcare breach for both businesses and affected patients are staggering. The statistics speak for themselves:
• HITECH carries violation fines of up to $1.5 million
• Data breaches cost the healthcare industry $6 billion per year [1]
• The total economic impact of medical identity theft is $30.9 billion annually, up from $28.6 billion in 2010 [2]
• Healthcare firms spend about $1 million per year, per firm, on data breaches.
And of course, the healthcare industry is a particularly attractive data breach target. Healthcare records have it all: names, Social Security numbers, birth dates, payment information, insurance identification numbers, protected health information (PHI) and more. Healthcare entities manage large amounts of both PHI and personally identifiable information (PII). So it’s little wonder that data breach prevention is the leading concern among healthcare IT decision makers. So what actions are they taking to improve information security?
What attracted Pervasive Health to ISO27001?
Pervasive Health already had strong internal processes to protect data; however, in the words of Information Security Manager, Rinaldo Tempo: “ISO27001 helped us to consider all the risks that we faced with the benefit of the rigor of what is, we believe, the most demanding security standard.”
The scope of Pervasive Health’s ISO27001 certification applies to their organisation in Europe (they have a base in the UK), but also to their facilities in the USA, where they have developed a powerful new, secure self-service platform. Apervita empowers health enterprises and professionals to unleash data and evidence-based research, transforming them into shared computable insight. Medical practitioners register for Apervita, upload their data, author their insights, and start using them straight away. The advantages to both medical practitioners and patients are obvious: Apervita brings together a community of enterprises, professionals, data owners and insight authors to improve health, together.
Bringing together fragmented data sources, giving health professionals a unified view of all data, has enormous advantages. Authors can build, test, and publish their knowledge as computable insight. Insights are authored in hours, not years. And, thanks to a rigorous approach to information security issues, they can then be securely shared with anyone, anywhere, or kept for private use. Data owners can quickly publish their datasets with the confidence that the data is protected by the technology itself, by the processes that the organisation has put in place, and by people who care because they are trained to properly protect the data held in their system.
Apervita breaks down ‘Healthcare silos’ – without compromising security
Healthcare today is facing the triple challenge of excelling in quality, within an environment of expanding regulatory requirements, while minimising costs. The key to achieving these aims is capturing the value of information locked into health data silos. The average health enterprise can have more than 30 silos which frequently need to be shared. Apervita addresses all these needs by unifying health data silos, converting them into portable health insights, and allowing health enterprises, health professionals, health payers, and pharmaceutical companies to share them.
Aaron Symanski, Pervasive Health’s COO said: “Our team has extensive experience across sectors where information security is a paramount concern, including healthcare, telecommunications, and finance. We deeply understand the concept of data walls, security entitlements, and the granular security measures that health enterprises require to be implemented and maintained as part of an Information Security Management System. Developing and managing software that handles sensitive data with excellence is the nature of how our team operates. ISO27001 enabled us to formalise and continue to improve our processes.”
Pervasive Health started their ISO27001 journey helped by IT Governance
Pervasive Health contacted IT Governance to provide the consultancy support to create an ISO27001-compliant ISMS. This required the identification of any interfaces and dependencies with functions or services falling outside the scope, and consideration of how these might be addressed. The exact scope of the project and the objectives for information security, which led to the information security policy, were determined by Pervasive Health’s senior team with support from IT Governance consultants. This included helping to develop the required risk assessment framework and recommendations for risk acceptance criteria.
IT Governance ‘Mentor & Coach’ transferred knowledge of ISO27001 fast
The work under this phase of support also assisted Pervasive Health’s Information Security Manager in developing the profile of the project team and an outline project plan. IT Governance provided ‘Mentor and Coach’ consultancy support. In order to comply with the ISO27001 standard and the Health and Social Care Information Centre (HSCIC) IG Toolkit requirements (formerly the NHS Connecting for Health CTP requirements), an asset-based information security risk assessment was conducted. This was achieved by interviewing asset owners to produce an asset register and then assessing the potential risks to each asset.
Once the risks were identified and decisions made on how to manage them, a full Risk Treatment Plan was produced, which in turn led to the development of a Statement of Applicability to comply with the standard.
IT Governance assisted Pervasive Health in creating ISO27001 documentation in conjunction with the team, who committed resources to introduce the security controls while IT Governance developed the associated documentation identified as necessary.
Rinaldo commented, “IT Governance kept us on the road all the way – right up to the arrival of the external auditor. The training that they provided was very useful, as were the document templates. Having a different set of eyes at every stage was one of the reasons that we felt confident throughout, and the result of the final audit justified this.”
ISO27001 is the international standard that applies to whole organisations, which is why it often seems like a daunting challenge to the C-suite and senior managers in all sectors. However, as Pervasive Health have shown, leadership in this field pays handsome dividends. See the company’s News page for the growing evidence of how ISO27001 helps to build confidence among your partners and clients: http://www.pervasive-health.com/
To read the Pervasive Health case study, follow this link: http://www.itgovernance.co.uk/pervasive-health-case-study.aspx – it’s free for you to download. Let us know what you think. Is this the type of project that you would like to pursue?
If you would like to find out more about ISO27001:2013 and how to set up and run an Information Security Management System (ISMS), talk to our consultants by calling: 0845 070 1750.
We also have pages of relevant information on our ISO27001 Consultancy Services. Hiring our consultants will often save you money in the long run and get the job that you want done faster!
Bookmark this page as well!