By Alex Pezold
The data medical devices contain and the critical nature of health care services are major risks to the health care industry. Consider, for a moment, the sensitivity of the data health care organizations hold today: Information about treatments, finances, and people—all of this data is very sensitive and private to each individual. Should attackers breach such data, it could have very negative outcomes for the patient.
To bring this to a personal level, imagine you have a diagnosis that you don’t want anyone but your family knowing about. Now, imagine you get an email from some nefarious person telling you that they know about your diagnosis and will share it with the world unless you pay them. That’s a very real threat and an unsettling reality in the health care industry. Of course, theft of your payment information or Social Security number will most likely result in inconvenience, but having your personal health information used to hold you ransom—that’s just unfair.
What we’re seeing today with health care organizations like Los Angeles-based Hollywood Presbyterian Medical Center, for example, is that attackers have learned that if they go to the source—newly implemented health care management systems such as electronic medical record software—they can get a bigger carrot. Reading through the outcome of the Hollywood Presbyterian attack, patients and staff alike were basically held hostage until a ransom was paid. What this means is that a person or group was able to render the electronic toolsets used at Hollywood Presbyterian absolutely useless, unless they were paid a ransom. And that’s a very unsettling thought.
The challenge is that health care facilities aren’t information security specialists. Of course, in this day and age, health care organizations have information security staff. Unfortunately, trying to secure and lock down all of the federated resources health care systems have today is no small task.
Imagine a health care system that has a hospital, research labs, minor emergency clinics, and other related services. Now, imagine that all of these entities have completely different systems because they’re servicing different functions for the health care system. Securing all of these resources takes time and money—both of which are not readily available within the health care industry as its core competency is health care, not preventing the next zero-day exploit.
All of this, combined with the continued emergence of electronic records, means many health care providers are falling short when it comes to truly securing personal data. And hospitals that rely only on encryption or simple network perimeter security may be lulled into a false sense of protection. Plus, with data privacy law changes—such as the Health & Human Services’ federal regulations, updated HIPAA stipulations, Federal Trade Commission regulations, and tough individual state laws that are emerging—it can be detrimental to a practice not to truly examine how its data is secured.
To combat hacking, health care providers are deploying data security technologies that render data useless if stolen. One key way to achieve this is through tokenization, which manipulates data so that it’s still useable by doctors and nurses, but unable to be tied back to the individual patient. If tokenized data is stolen, it’s useless to a thief because it is out of context with no way to utilize it outside of the originating environment. In conclusion, tokenization is an effective measure to protect health care facilities against both cyber thieves and accidental losses caused by internal mishandling.
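The idea above as an added example, not code from the article or from any vendor: identifying fields are swapped for random tokens whose mapping lives only in a separate vault, while clinical fields stay readable. The field names, the `TokenVault` class and the sample records are assumptions constructed for illustration.

```python
import secrets

# Assumed identifying fields; everything else is treated as clinical data.
SENSITIVE_FIELDS = ("name", "ssn", "mrn")

class TokenVault:
    """In-memory stand-in for a vault kept apart from clinical systems."""
    def __init__(self):
        self._by_value = {}  # (field, value) -> token
        self._by_token = {}  # token -> original value

    def tokenize(self, field, value):
        key = (field, value)
        if key not in self._by_value:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from value
            while token in self._by_token:         # regenerate on collision
                token = "tok_" + secrets.token_hex(8)
            self._by_value[key] = token
            self._by_token[token] = value
        return self._by_value[key]

    def detokenize(self, token):
        return self._by_token[token]  # KeyError if this vault never issued it

def tokenize_record(vault, record):
    """Copy of record with identifying fields replaced by tokens."""
    return {k: vault.tokenize(k, v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}

def detokenize_record(vault, record):
    """Restore identifiers; only possible for a caller with vault access."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}

# Constructed sample data: two visits by the same (fictional) patient.
SAMPLE_VISITS = [
    {"name": "Jane Roe", "ssn": "000-00-0000", "mrn": "A1001",
     "diagnosis": "type 2 diabetes", "visit": "2016-03-01"},
    {"name": "Jane Roe", "ssn": "000-00-0000", "mrn": "A1001",
     "diagnosis": "hypertension", "visit": "2016-04-12"},
]

if __name__ == "__main__":
    vault = TokenVault()
    stored = [tokenize_record(vault, v) for v in SAMPLE_VISITS]
    for row in stored:
        print(row)  # what a thief copying the clinical store would see
    print(detokenize_record(vault, stored[0]))  # needs the vault
```

Because the same value always maps to the same token within one vault, the two visits can still be linked for care without exposing who the patient is; the protection depends on the vault being stored and access-controlled separately from the tokenized records.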
Alex Pezold is CEO and cofounder of Edmond, OK-based TokenEx.