Digital healthcare records come with enhanced responsibility for protecting patient data

The City of Joburg announced in September 2015 that it would be spending some R300m over 18 – 24 months to digitise all patient hospital and healthcare records and make them available through a central system.

Medical aid providers like Liberty and Discovery are already using integrated medical systems that record and store patient information paperlessly, and make it available, with the patient’s consent, to healthcare providers who need it.

The move to digitise healthcare systems will reduce costs for providers, streamline workflows and processes, and give faster access to critical information. It does, however, come with increased security risks.

In the United States, the healthcare sector has the highest number of data breaches this year compared to other sectors. Patient information is valuable to criminals, who can use the data to commit healthcare fraud by creating fake records which can be used to submit bogus claims or acquire pharmaceuticals and equipment to resell. It is estimated in the US that healthcare data is worth ten times as much as credit card data.

South Africa is no different to the rest of the world in that cyber-criminals target information systems to steal data – including documents containing personal details and confidential patient information. For South African companies and state organisations looking to digitise these documents, the security risks should not act as a deterrent to transformation. Properly implemented, digital documents can actually offer security advantages over paper: they are harder to steal, cheaper to store and less vulnerable to other threats like fires.

Organisations embarking on a record digitisation process should consider the following when adopting a digital strategy:

Control access at document level

A digital document management solution should offer multiple layers of access control that enable the organisation to compartmentalise and restrict access to different patient documents. Seniority or clearance should dictate what functions various employees can perform on a document: view, download or share. As an example, certain private patient records can be password protected so that if a customer requires a copy, a call centre agent can send it on when requested, without being able to view the details of that document.
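The view, download and share separation described above can be expressed as a deny-by-default policy check, shown here as an added example that is not taken from any product the article mentions. The role names, sensitivity labels, audit log and the rule that a file may only go to the patient's address on record are assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import Flag, auto


class Action(Flag):
    NONE = 0
    VIEW = auto()
    DOWNLOAD = auto()
    SHARE = auto()


# Hypothetical roles and sensitivity labels; anything not listed is denied.
POLICY = {
    ("call_centre_agent", "general"): Action.VIEW | Action.SHARE,
    ("call_centre_agent", "private"): Action.SHARE,  # may forward, not read
    ("clinician", "general"): Action.VIEW | Action.DOWNLOAD | Action.SHARE,
    ("clinician", "private"): Action.VIEW | Action.DOWNLOAD | Action.SHARE,
}


@dataclass(frozen=True)
class Document:
    doc_id: str
    sensitivity: str
    patient_email: str
    protected_blob: bytes  # stored already password-protected (constructed)


audit_log = []  # every decision is recorded, allowed or not


def authorise(role, doc, action):
    """Deny by default; grant only what the (role, sensitivity) pair lists."""
    granted = POLICY.get((role, doc.sensitivity), Action.NONE)
    allowed = action in granted
    audit_log.append((role, doc.doc_id, action.name, "ALLOW" if allowed else "DENY"))
    return allowed


def send_to_patient(role, doc, recipient):
    """Forward the protected file without ever exposing its contents."""
    if not authorise(role, doc, Action.SHARE):
        raise PermissionError(f"{role} may not share {doc.doc_id}")
    if recipient.strip().lower() != doc.patient_email.lower():
        audit_log.append((role, doc.doc_id, "SHARE", "DENY_WRONG_RECIPIENT"))
        raise PermissionError("recipient is not the patient on record")
    return {"to": doc.patient_email, "attachment": doc.protected_blob}


# Constructed sample record for the illustration.
record = Document("doc-001", "private", "patient@example.org", b"<protected bytes>")
```

An agent calling `send_to_patient` receives only the protected bytes to forward, and every allow or deny decision lands in `audit_log` for later review.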

Provide ongoing education

The easiest way for a criminal to breach security and access a repository of confidential documents is by tricking or compromising an employee. In a call centre environment, which suffers from high employee turnover, this risk is compounded. Be sure that all employees, and particularly call centre and other front line agents, understand and operate by the company’s security guidelines when it comes to accessing and sharing patient documents. Constantly reinforce that employees should never click on links or open documents from an unknown source, as this is a common method used to install malicious software that effectively puts hackers inside the secure network.

Use multiple layers of protection

As cybercriminals continue to get smarter, traditional network and database security is not sufficient. To truly secure a patient’s documents, multiple security layers are required, to the point of encrypting and protecting each individual document even if it resides on a secure network. This also ensures that information sent via email between an organisation and patient cannot be compromised if intercepted or sent to the wrong recipient. It also protects the document:

  • against unauthorised access from someone inside the network;
  • if a call centre agent doesn’t have sufficient rights to view patient information;
  • if a compromised employee or a hacker is using stolen, but valid credentials.

Help patients secure their documents

Make it a policy never to send or store unprotected documents containing confidential information. An emailed or downloaded document gets saved automatically on certain devices and, if unprotected, is vulnerable if the device is hacked. Assist patients with safeguarding their information even when it resides on their own computer by distributing only encrypted and protected files, and train call centre staff to let patients know the importance of this protection.

Enforce a strong password policy

In order to secure patient documents from all vulnerabilities, a strong password approach is essential. This applies to the password employees use to access internal systems, the one a patient uses to log onto a self-service portal, or even the password used to open an individual document. If the password is weak, all other security is bypassed. Educate both employees and patients on the value of using only strong passwords and the risks of using easily cracked passwords such as ‘123456’, ‘abc123’ or ‘password’.

The digitisation of healthcare documentation offers too many benefits for providers not to take advantage. By ensuring that patient correspondence is protected at all times, the healthcare industry can reap the benefits of digital transformation, while still mitigating the risks.
