In many countries the adoption of electronic health record (EHR) systems and digitization processes in the healthcare industry, has been slowed down by security and privacy challenges. Security breaches continue to remind us how crucial it is to secure healthcare data.

Security risks are a fact of the digital economy. And it’s not just about cybersecurity. In today’s world, cyberwar is a real risk too. Furthermore, the breaches and attacks also target high-profile organizations, often increasing the fear to move forward with cloud computing and, in the context of this post, digital health data and processes.

After all, Apple’s iCloud and the US insurance site, to name just two recent victims of breaches, are two platforms that do get global coverage when they get hacked.

Healthcare data security risks in times of consumerization and digitization

Christopher Sherman on Twitter
Christopher Sherman on Twitter

With the consumerization of IT, people use their personal devices to get access to sensitive data or simply store it all. And now and then, they lose them as well. With healthcare records it’s even worse. In a post, titled “It’s Time For Healthcare CISOs To Close The Faucet Of Data Loss“, Forrester’s Christoper Sherman, states that health records are five times as likely to be lost due to device theft/less. And, according to Forrester data he mentions in the same post, about a third of healthcare employees work outside of the office or clinic at least once a week.

Just as security risks are a fact of the digital age, so is the consumerization of IT and increasing demand for mobile and mobility. It is not going to go away anytime soon, well on the contrary. And the digitization of healthcare information processes nor EHR won’t go away anytime soon neither. The benefits are just too important. Furthermore, given the challenges in global healthcare (increasing costs, among others because of an aging population) and the fact people just want better healthcare and patient experiences, as much as healthcare professionals do, there is not that much choice.

More than 41 percent of healthcare organizations have not deployed endpoint encryption

Knowing that there is still quite some connecting to do regarding healthcare data and processes- think interoperability and healthcare data sharing for instance – the industry needs to look more at all data and information aspects, certainly regarding fair and smart use and of course security, which in the EU will become even more important with the advent of the General Data Protection Regulation (GDPR) where encryption plays a role too.

Finally, the real data revolution is just starting as more and more gets connected (biometry, sensors, the Internet of Things,…) and smarter – actionable – data offer plenty of opportunities to enable wellness health outcomes, reduce costs and find new ways to improve healthcare in all possible aspects.

Data hygiene and security in healthcare: the execution gap

There is a clear gap between what organizations want to do on an information governance, data hygiene and security level and what they actually do. This is not just a healthcare challenge, even if healthcare has lots of work in this regard as well.

In an article on, Doug Miles wrote that data leaks and security breaches pushed these issues up the corporate agenda and mentions some related consequences (reputation, litigation costs, etc.).

However, as AIIM research found, I quote, “only 10% of industry professionals have a respected and enforced information governance policy in place…21% say they have a policy in place, but it’s regularly flouted”.

Closing the security gap: the state of healthcare security

It’s a known fact that healthcare data security in general is rather poor and that the “industry” lags behind regarding security, compared to many others. It’s time to step up the game.

In a post, titled “Healthcare security stuck in Stone Ange“, Erin McCann, Associate Editor at Healthcare IT news, mentioned the need to take privacy and security more seriously, based on the results of Verizon’s annual breach report 2014. Erin interviewed Suzanne Widup of the Verizon RISK team who said this about the healthcare industry from a security viewpoint: “They seem to be somewhat behind the curve as far as implementing the kinds of controls we see other industries already implemented”.

The results from the report are clear: theft or loss of unencrypted devices are the main problem in healthcare security. There are many reasons why this is the case: lack of encryption, poorly educated healthcare workers and increasing mobility are just a few.

The need to educate workers on security, certainly in a context of consumerization and mobility, is often emphasized as one of the most overlooked was to tackle security challenges by security experts.

Healthcare data breaches – source Verizon infographic 2014 Data Breach Investigations Report – click for full infographic PDF
Healthcare data breaches – source Verizon infographic 2014 Data Breach Investigations Report – click for full infographic PDF

Buth there’s more. Security is not static: challenges, targets, hackers, cybercriminals, technology, users; they all evolve as well. In fact, the key security risks are changing. Preventing data leaks is increasingly mentioned as the most challenging security threat and the mobile workforce increasingly cited as a key source of vulnerabilities.

Let’s also not forget that mobile devices are connected and that, on top of loss or theft, malware can spread from seemingly innocent sources such as mobile email (in the UK, for instance 90% of workers clicked on a web link in an email and 66% rarely check if it’s genuine) to connected networks and systems.

Healthcare data and staff security issues to focus on

What’s to be done? In follow-up posts we’ll look at some ways to tackle the challenges but here are already a few key action points:

  • As emphasized in the box above, decision makers need to be more aware about the issues at stake and step up efforts to have their IT teams and partners tackle them. Solving problems starts by recognizing them. There are undeniable security gaps.
  • Education is a key issue. This regards both the education of “users” and of the teams, responsible for security. Hackers and cybercriminals learn from their actions, organizations should do the same.
  • Gaining an overview of the risks and different components. In an increasingly complex IT environment, it’s crucial to map the user, applications, networks, devices, systems, etc. and see how they are connected (and thus pose potentially invisible risks).
  • Making sure security gets its place in a digitization and intelligent information management approach. Health information management, EHR, etc. are about using information the right way for the right reasons, being improving healthcare. To achieve those goals, including accessibility, security is key (information governance).
  • Pick the right solutions and partners to manage health information, digitization of health records, process, etc. It starts with using the hardware, software and services to convert health documents into high-quality digital formats, captured in a reliable and secure way so the crucial information they hold can be accessed and shared appropriately, easy and safely. It also involves choosing a partner ecosystem that ensures security across all stages and processes. And it ends with the user, the key source of vulnerabilities.
  • Security everywhere but…. Encryption, secure networks and (hybrid) infrastructures, secured data: they are all important. However, security increasingly concerns the endpoint. According to the earlier mentioned Forrester post, more than 41% of healthcare organization have not deployed endpoint encryption yet. Focusing on the user deserves to be emphasized again as well here. Education but certainly also protection beyond the device level and on the user level, an area where many modern security technologies and strategies pay growing attention to.

Security comes with a cost and it’s certainly not just one of technology but also of opportunity and education. However, the costs of not stepping up security strategies in a holistic way is often far higher.

On top of that, it’s important to once more stress that the digitization of health records and of healthcare processs is not an option in a world where the population is greying.