ICTpost Health IT Bureau
This year, in the first week of January, there was a story about how details of COVID-19 test results of tens of thousands of patients were leaked on the net through multiple Government of Delhi domains (delhigovt.nic.in/delhi.gov.in/revenue.delhi.gov.in). Websites of multiple Indian government departments, including national health and welfare agencies leaked COVID-19 lab test results for thousands of patients online.
The online personal medical information are opening up new avenues for hackers to expose personal data that, unlike financial information, it can result in a permanent violation of privacy.
For example, a physician logging into an online portal via his laptop to access patient data uses an application to read that information; the application has access to the keys to decrypt the information. Hackers write malware that infects applications and waits for them to decrypt data, which then gives them clear access to the health data.
The malware sits on the doctors laptop, waits for him to log in … and the malware is reading the data at the same time the doctor. They did not need to log in on your behalf. They did not need to crack passwords. They did not need to go to the hard drive and decrypt the data. They sat in the middle of the application.
Privacy, Security and Responsibility
Some health care facilities — academic medical centers, for example — might develop their own portals and must assume responsibility for building in privacy and security controls. But many health care providers will turn to vendors for help in deploying portals. EHR vendors often include portal technology as part of their systems.
For a health care provider invested in an EHR system, it becomes a pretty natural add-on to stick with the same vendor for the portal part.
Overlooking data storage protection
Officials need to understand where healthcare data exists when it is created, used, stored and transmitted. When healthcare data flows through a hospital and outside the hospital to pharmacists, specialists and healthcare professionals it is easy to forget about where the data might wind up. Often, officials implement rules for data sharing and its usage but they forget the last step, data storage. When officials do not think about where the data goes it causes problems.
Securing the Portal
- User Authentication — If you are going to provide good access control, there has to be a way on the portal for patients to authorize uniquely to the portal, such that they are only looking at their own information and not somebody else’s.
- Secure Transport — A portal that allows users to download information must provide a secure, encrypted connection between patient and portal. This is often accomplished through a virtual private network (VPN) or a gateway that’s part of the provider’s network.
- Auditing and Integrity Control — Providers need to be able to audit what a user has done with the information obtained through a portal — what they have looked at and what they have changed. If a patient is able to enter or alter his or her health data, integrity control provides a way to verify the information. The health record linked to the portal retains a patient’s previous data so they can be compared with the new data. If a patient with a penicillin allergy inadvertently changes the health record to indicate no such allergy, the system can flag the problem.
