Dealing with medical data is a very delicate process, and the consequences of error are potentially very severe. There is nothing more valuable than our health, and that should underpin everything we do. I see huge potential for disruption in the medical sector based on various innovations in technology, and that made me want to move out of fintech to focus on these new and exciting challenges.
Financial institutions have been the pioneers in compliance practices, which have helped to reduce the potential risks to individuals in cases of major data leaks. These practices include, but are not limited to, anti-fraud technologies and practical insurance policies. Financial data leaks are serious, but it is just money; health data leaks can have far more serious consequences.
Healthcare data reveals very detailed information about us, and losing control over this may lead to problems in all areas of our lives. These challenges make me feel very privileged to work on healthcare data security as CTO of doctify.co.uk.
If you want to ensure proper data handling, make sure you don’t fall foul of these common errors:
- Team structure
- Inappropriate level of permission given
It’s important to carefully define roles that are required for accessing data in your organisation and clearly identify the permissions each role has on the data. Having clearly defined roles and a list of users who have certain roles makes it easy to periodically audit permissions especially when a team member leaves.
- Lack of detailed data access audit
Even assuming your roles, permissions and ACLs are set correctly, it is still important to audit your data access. Your data storage solutions need to allow you to review users who are requesting excessive data, as that could be the initial sign of a breach in your organisation.
- Poor password policy
Individual members of the organisation are the easiest target for cyber-criminals. Usually the weakest link is the use of the same password across multiple applications. As an organisation, you need to monitor the quality of passwords and make sure they are not being reused. Your policy needs to enforce regular password changes.
- Lack of U2F (Universal 2nd Factor) usage
Introducing two-factor authentication into your organisation reduces the likelihood of exploitation through phishing attacks. With two-factor authentication, authorisation does not depend solely on passwords.
- Poor training
Technologies keep evolving, but users have to evolve too. Make sure your team is up to date with recent threats, and that they know exactly whom to contact when they are suspicious about something.
- Lack of encryption of data stored in servers
Usually, there is a good level of protection when it comes to accessing data servers, but every organisation needs to look into solutions to minimise damage in the event of servers being compromised.
- Unencrypted internal communications
SSL is commonly used for communication with your mail servers, but as soon as an individual machine is compromised, an attacker has plain access to the whole communication. Your company needs to encrypt emails using solutions like PGP or S/MIME.
- Mobile devices
The company needs a clear mobile device policy. All common platforms like iOS, Android or BlackBerry have very good provisioning models, allowing you to exercise fine control over permissions on the devices. If you do allow access to your company data through personal phones, you should ensure that this can be done only via U2F devices, but ideally, any such access should be limited. These rules apply equally to laptops.
- Lack of encrypted backups
An institution’s backup process is usually the weakest point with regard to data security: it’s easy to implement the process wrongly. Firstly, data needs to be encrypted, and, secondly, you need to split responsibility between two people: one person holding the key to encrypt the data, the other holding the key to decrypt the data.
- Excessive data
- Storing more data than needed
Organisations tend to have an appetite for storing more data than they need for their processes. It is a difficult process, but as part of your rules structure, permission and encryption, you need to be prepared for the possibility that all of the above can fail. Therefore, your last line of defence is for minimal data to be accessible at any single point. Make sure that your data is as anonymised as possible given your operational requirements.
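
The data access audit described under "Lack of detailed data access audit" above, sketched as an added example (not code from the author or doctify.co.uk): it flags users whose daily record volume far exceeds that of peers in the same role. The log format, field names, thresholds and sample rows are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample audit log: one row per query against the patient data store.
SAMPLE_LOG = """timestamp,user,role,records_returned
2024-03-04T09:12:00,alice,clinician,12
2024-03-04T09:40:00,bob,clinician,9
2024-03-04T10:05:00,carol,clinician,15
2024-03-04T10:30:00,alice,clinician,8
2024-03-04T11:02:00,dave,clinician,11
2024-03-04T11:15:00,erin,support,3
2024-03-04T11:20:00,frank,support,4
2024-03-04T11:45:00,grace,support,2
2024-03-04T23:50:00,bob,clinician,4200
2024-03-05T09:10:00,alice,clinician,14
2024-03-05T09:30:00,bob,clinician,10
2024-03-05T09:55:00,carol,clinician,13
2024-03-05T10:20:00,dave,clinician,9
"""

def daily_totals(log_text):
    """Sum records returned per (day, role, user)."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        day = row["timestamp"][:10]  # ISO timestamp, so the date is the first 10 chars
        totals[(day, row["role"], row["user"])] += int(row["records_returned"])
    return totals

def excessive_access(log_text, ratio=5.0, min_records=100):
    """Flag users whose daily volume is > ratio x the median of same-role peers."""
    by_group = defaultdict(dict)
    for (day, role, user), n in daily_totals(log_text).items():
        by_group[(day, role)][user] = n
    findings = []
    for (day, role), users in sorted(by_group.items()):
        for user, n in sorted(users.items()):
            peers = [v for u, v in users.items() if u != user]
            baseline = median(peers) if peers else 0  # sole user in a role: floor only
            if n >= min_records and n > ratio * baseline:
                findings.append((day, user, role, n, baseline))
    return findings

if __name__ == "__main__":
    for finding in excessive_access(SAMPLE_LOG):
        print(finding)
```

The baseline excludes the user under review so that one heavy account cannot raise its own threshold, and `min_records` keeps low-volume roles from generating noise.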