
Pareto for cybersecurity in healthcare: strengthen access controls and implement data protection

  • egisdata
  • 19th May 2021

Digitization in Healthcare and Insurance

Over the past two decades, industry digitization trends have accelerated at an exponential rate. The technological advancements of network-enabled devices, innovative applications, and universal accessibility to the internet have pushed all generations to access and transact over the web.

With universal access to new technology came a race to secure information and the access to it. Unfortunately, not all industry sectors advanced through digitization at the same pace. According to the McKinsey Industry Digitization Index [1], healthcare found itself at the bottom of the list. Because it did not keep up with the pace of technology, some healthcare regulations became obsolete and no longer address the situations that arise in the digital world.

Evolution of regulations and security frameworks

The best-known regulation in US healthcare, HIPAA, dates from 1996 and falls short of addressing current cyber threats and data privacy at the depth seen in the 29 currently enacted state data laws (a list of U.S. state data protection laws enforceable in 2020, compiled by Spirion, contains 29 laws [2]).

To bridge the gap between HIPAA and recent data laws, the healthcare and insurance industry is adopting one of two security frameworks, NIST CSF or ISO 27001. While both frameworks comprehensively cover all stages of cyber risk preparedness and response, neither is healthcare specific, and neither prescribes how its controls should be implemented.

Budget shortfalls make healthcare and insurance sectors among the most vulnerable

The primary function of healthcare is to care for patients. With tight budgets, healthcare chooses to direct more spending to patient care than to protecting patient information. According to Mackenzie Garrity [3], in 2018 healthcare IT security budgets were 50% smaller than those of IT in the financial sector. Less focus on data protection translates into more data breaches and more occasions for regulatory agencies to impose fines. Most media attention goes to data breaches in the financial, entertainment and hospitality sectors, yet of the 16 largest data breach fines across all industry sectors, 30% were paid by organizations in healthcare and insurance [4].

Simplify and streamline: improving security posture while preparing for future regulations

With strained budgets and increasing cyber threats, the healthcare and insurance sectors struggle to find the right balance of mitigations to improve their cybersecurity posture. The two widely followed frameworks, the NIST CSF cybersecurity framework and ISO 27001, are often overwhelming to smaller entities and require substantial help from consulting services, adding to the strain on already tiny budgets. On top of the implementation struggles, the healthcare and insurance sectors should expect a slew of new regulations addressing the protection of critical healthcare infrastructure and the privacy of patients' data.

Analyzing current trends in cybersecurity threats and upcoming data laws, we can expect that a stronger focus on access controls and data protection will prepare the healthcare and insurance sectors to weather new data privacy regulations and protect against future data breaches.

EgisData to control access and protect your assets: influence your bottom and top line

The EgisData platform, developed by the startup Egisdata.com, focuses solely on the two factors described above: access controls and data protection. Both frameworks, NIST CSF and ISO 27001, list Access Control and Data Protection among the components required for compliance. The EgisData controls employ a NIST-compliant Attribute-Based Access Control (ABAC) policy engine integrated with a Secrets Vault that manages the encryption keys used for data encryption. The combination is powerful enough that each patient's individual record can be protected by its own unique encryption key, and access to a key (and therefore to the encrypted record) is granted only when a human-readable Access Policy permits it.

Here is the list of main benefits:

  • Integration with current IT systems is very simple and requires no knowledge of cryptography, access control details, or advanced coding. Implementing and supporting the EgisData solution costs on average 10x less than using Identity and Access Management (IAM) together with Hardware Security Modules (HSMs).
  • Another benefit is streamlining the complex interactions between parties in inpatient care workflows. Currently, most healthcare providers and insurers share information in encrypted bulk loads. When data is encrypted in bulk, it is very difficult to restrict access to confidential information record by record, for individuals or small groups. EgisData implements NIST ABAC, so individual records can be shared according to their assigned access policies.
  • The new cryptographic functions and advanced architecture of EgisData open opportunities to develop new products, such as secure data sharing between parties, capturing patient consent, and implementing advance directives.
  • Lastly, since Egisdata uses NIST-compliant strong encryption and auditable access control, the solution can lower cybersecurity costs and de-risk potential penalties for breaches of PII and PHI.
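The architecture described above (a policy engine deciding, per record, whether a requester's attributes satisfy a human-readable policy, and a vault that releases that record's unique key only on a permit) and the per-record sharing in the second bullet are easier to reason about with a concrete model. The following Python is an added illustration written for this post, not EgisData code; it assumes nothing about their product beyond what the text states. The policy mini-DSL, the attribute names (`role`, `unit`, `patient_id`), the SHA-256 counter-mode keystream with an HMAC tag (a stand-in for a real authenticated cipher such as AES-GCM) and the audit record layout are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed policy mini-DSL: a policy permits one action when every condition holds.
#   ("subject.role", "eq", "clinician")           attribute equals a literal
#   ("subject.unit", "eq_attr", "resource.unit")  attribute equals another attribute
# Anything no policy permits is denied (default deny).
POLICIES = [
    {"name": "treating clinician on the patient's unit may read",
     "action": "read",
     "conditions": [("subject.role", "eq", "clinician"),
                    ("subject.unit", "eq_attr", "resource.unit")]},
    {"name": "patient may read their own record",
     "action": "read",
     "conditions": [("subject.role", "eq", "patient"),
                    ("subject.patient_id", "eq_attr", "resource.patient_id")]},
]


def _lookup(path, ctx):
    scope, attr = path.split(".", 1)
    return ctx[scope].get(attr)


def evaluate(policies, subject, resource, action):
    """Return the name of the first policy permitting the action, or None."""
    ctx = {"subject": subject, "resource": resource}
    for policy in policies:
        if policy["action"] != action:
            continue
        satisfied = True
        for path, op, value in policy["conditions"]:
            left = _lookup(path, ctx)
            right = _lookup(value, ctx) if op == "eq_attr" else value
            if left is None or left != right:
                satisfied = False
                break
        if satisfied:
            return policy["name"]
    return None


# Stand-in for an authenticated cipher (illustration only, not production crypto):
# SHA-256 in counter mode produces the keystream; an HMAC tag detects tampering.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class RecordVault:
    """One random key per record; the key is used only when a policy permits."""

    def __init__(self, policies):
        self.policies = policies
        self._keys = {}      # record_id -> key bytes (the secrets-vault side)
        self._records = {}   # record_id -> (resource attributes, ciphertext blob)
        self.audit = []      # every decision, permitted or denied

    def store(self, record_id, attributes, plaintext):
        key = os.urandom(32)                     # unique key per record
        self._keys[record_id] = key
        self._records[record_id] = (attributes, encrypt(key, plaintext))

    def read(self, subject, record_id):
        attributes, blob = self._records[record_id]
        permit = evaluate(self.policies, subject, attributes, "read")
        self.audit.append({"subject": subject.get("id"), "record": record_id,
                           "action": "read", "decision": permit or "deny"})
        if permit is None:
            raise PermissionError(f"read of {record_id} denied for {subject.get('id')}")
        return decrypt(self._keys[record_id], blob)


def demo():
    """Constructed scenario: one cardiology record, three different requesters."""
    vault = RecordVault(POLICIES)
    vault.store("rec-1", {"patient_id": "p-42", "unit": "cardiology"},
                b"ECG: normal sinus rhythm")
    results = {}
    for subject in [{"id": "dr-a", "role": "clinician", "unit": "cardiology"},
                    {"id": "dr-b", "role": "clinician", "unit": "oncology"},
                    {"id": "p-42", "role": "patient", "patient_id": "p-42"}]:
        try:
            results[subject["id"]] = vault.read(subject, "rec-1").decode()
        except PermissionError:
            results[subject["id"]] = "denied"
    return results, vault.audit


if __name__ == "__main__":
    outcome, log = demo()
    print(outcome)
    for entry in log:
        print(entry)
```

The point the model makes is that sharing is decided per record and per requester: the oncology clinician and the cardiology clinician hold the same role, yet only the one whose `unit` attribute matches the record's is given the key, and every decision, including the denial, lands in the audit log. A bulk-encrypted export with one shared key cannot express that distinction.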

Conclusion

During the past several years, data breach incidents have intensified. In response, state and local governments have begun enacting laws to ensure that enterprises of all sizes protect data and critical infrastructure. The last major healthcare regulation, HIPAA, was released more than two decades ago, so we should expect Congress to overhaul regulations to address current cyber threats to infrastructure and patient privacy.

New regulations are also expected to bolster patient data privacy rights, require better tracking of patient consent, and mandate secure data sharing. Investments in IT, especially in Access Control and Data Protection, will help any healthcare or insurance organization strengthen its current cybersecurity posture and prepare for future regulatory requirements.

EgisData offers a solution that moves any organization closer to NIST CSF and ISO 27001 compliance. The solution has low implementation and operation costs while opening the possibility of developing new products based on secure data sharing.

Works Cited

1. Gilbert, Greg et al. "Digital is reshaping US health insurance – winners are moving fast." McKinsey's Industry Digitization Index.

2. Spirion. "New U.S. State Data Protection Laws Enforceable in 2020."

3. Garrity, Mackenzie. "5% of hospital IT budgets go to cybersecurity despite 82% of hospitals reporting breaches."

4. Swinhoe, Dan. "The biggest data breach fines, penalties, and settlements so far." CSO.