Data Security Challenges in Health Technology

Dealing with medical data is a very delicate process, and the consequences of error are potentially very severe. There is nothing more valuable than our health, and that should underpin everything we do. I see huge potential for disruption in the medical sector based on various innovations in technology, and that made me want to move out of fintech to focus on these new and exciting challenges.

Financial institutions have been the pioneers in compliance practices, which have helped to reduce the potential risks to individuals in cases of major data leaks. These practices include, but are not limited to, anti-fraud technologies and practical insurance policies. Financial data leaks are serious, but it is just money; health data leaks can have far more serious consequences.

Healthcare data reveals very detailed information about us, and losing control over this may lead to problems in all areas of our lives. These challenges make me feel very privileged to work on healthcare data security as CTO of doctify.co.uk.

Common challenges

If you want to ensure proper data handling, make sure you donโ€™t fall foul of these common errors:

  • Team structure
    • Inappropriate level of permission given

Itโ€™s important to carefully define roles that are required for accessing data in your organisation and clearly identify the permissions each role has on the data. Having clearly defined roles and a list of users who have certain roles makes it easy to periodically audit permissions especially when a team member leaves.

    • Lack of detailed data access audit

[easy-tweet tweet=”Individual members of the organisation are the easiest target for cyber-criminals.” hashtags=”Cyber-criminals, Cloud “]

Assuming your roles, permissions and ACL are set correctly, and it is still important to audit your data access. Your data storage solutions need to allow you to review users who are requesting excessive data, as that could be the initial sign of a breach in your organisation.

    • Poor password policy

Individual members of the organisation are the easiest target for cyber-criminals. Usually the weakest link is the use of the same password across multiple applications. As an organisation, you need to monitor quality of passwords and make sure they are not being reused. Your policy needs to enforce regular password changes.

    • Lack of U2F (Universal 2nd Factor) usage

Introducing two-factor authentication into your organisation reduces the likelihood of exploitations based on phishing attacks. With two-factor authentication, authorisation does not depend solely on passwords.

    • Poor training

Technologies keep evolving, but users have to evolve too. Make sure your team is up to date with recent threats, and that they know exactly whom to contact when they are suspicious about something.

  • Encryption
    • Lack of encryption of data stored in servers

Usually, there is a good level of protection when it comes to accessing data servers, but every organisation needs to look into solutions to minimise damage in the event of servers being compromised.

    • Unencrypted internal communications

SSL is commonly used for communication with your mail servers, but as soon as an individual machine is compromised, any attacker has plain access to the whole communication. Your company needs to encrypt emails using solutions like PGP or S/MIME

[easy-tweet tweet=”All common platforms like iOS, Android or Blackberry have very good provisioning models” hashtags=”iOS, Android”]

    • Mobile devices

The company needs a clear mobile devices policy. All common platforms like iOS, Android or Blackberry have very good provisioning models, allowing you to exercise fine control over permissions on the devices. If you do allow access to your company data through personal phones, you should ensure that this can be done only via U2F devices, but ideally, any such access should be limited. These rules apply equally to laptops.

    • Lack of encrypted backups

An institutionโ€™s backup process is usually the weakest point in regards to data security – itโ€™s easy to implement the process wrongly. ย Firstly, data needs to be encrypted, and, secondly, you need to split responsibility between two people: one person holding the key to encrypt the data, the other holding the key to decrypt the data.

  • Excessive data
    • Storing more data than needed

Organisations tend to have an appetite for storing more data than they need for their processes. It is a difficult process, but as part of your rules structure, permission and encryption, you need to be prepared for the possibility that all of the above can fail. Therefore, your last line of defence is for minimal data to be accessible at any single point. Make sure that your data is as anonymised as possible given your operational requirements.

 

+ posts

Marek Wawro is CTO at doctify.co.uk, working with outstanding engineers to connect patients with the bests doctors in London and across the UK. Previously, Marek co-founded disruptive fintech startup azimo.com.

Unlocking Cloud Secrets and How to Stay Ahead in Tech with James Moore

Newsletter

Related articles

Four Surprising Lessons I’ve Learned Leading Tech Teams

Techies. Geeks. Boffins. Whatever your organisation calls its IT...

A Business Continuity Cheat Sheet

Right, let's be honest. When you hear "business continuity,"...

Challenges of Cloud & Ultima’s Solution to Transform Business

With the way that AWS and Microsoft dominate technology...

Data privacy concerns linger around LLMs training

We have all witnessed the accelerated capabilities of Large...

Securing Benefits Administration to Protect Your Business Data

Managing sensitive company information is a growing challenge. Multiple...