According to a report by Markets and Markets, the global market for healthcare cloud computing will reach USD 89.4 billion by 2027 from USD 39.4 billion in 2022, at a CAGR of 17.8%. The adoption of EHR, mHealth, telehealth, and other IT solutions driven by COVID-19 is the main driver of growth in the healthcare cloud computing market. Increasing cloud deployment, adoption of big data analytics, and the cost-effective, scalable, flexible, and efficient data storage and access that cloud computing offers accelerate the healthcare industry’s growth. Despite the many benefits of cloud computing, data security and privacy are major concerns and restrict growth to a certain extent.
We will discuss the security threats that come with adopting the cloud in the healthcare industry and the measures that address these concerns.
What is an Electronic Health Record?
An Electronic Health Record (EHR) is patient-centric digital information that is easily and securely accessible to authorized healthcare providers. EHRs mainly contain a patient’s medical history, diagnosis data, treatment plans, immunization schedules, laboratory reports, allergies, radiology, and medication details. EHRs are implemented under the national health authority, which is responsible for maintaining patients’ medical and treatment history and for supporting other healthcare services such as pharmacies, pathology labs, and insurance agencies.
Figure 1: A simple Electronic Health Record System
(Source: Al Hajeri, Amani. (2011). Electronic Health Records in Primary Care: Are we ready? Bahrain Medical Bulletin.)
Types of Electronic Health Record Systems:
Based on the medical practitioner’s requirements, there are different ways to configure EHR systems. They are broadly categorized into three types: physician-hosted, remotely hosted, and remote systems, as shown in Figure 2. In physician-hosted systems, patients’ data is hosted on the physician’s own server. The provisioning of hardware and software, and their security and maintenance, are the responsibility of the physician. This gives fast access to data and is beneficial for larger practices. In the remotely hosted system, data is stored with a third party, and the practitioner gets access to the information whenever required, eliminating the provisioning, maintenance, and security of IT resources. The remote system is further categorized into three: subsidized, dedicated, and cloud. In a subsidized system, the physician partners with an entity such as a hospital that subsidizes the cost of the EHR system. This leads to legal issues such as data ownership and trust. A dedicated system is managed by a vendor on dedicated hosts and gives remote access to physicians. In a cloud-based system, data is stored remotely and accessed over the internet, so physicians can access data anytime from anywhere.
Figure 2: Types of EHR Systems
EHR systems are further categorized by type of treatment: inpatient or outpatient. In inpatient treatment, EHR systems integrate data from all the departments within a single hospital, whereas in outpatient treatment, patients visit different physicians, labs, etc., and their data needs to be pulled into the EHR system. Figure 3 lists the top five vendors of inpatient EHR systems.
EHRs improve patient care by providing:
Quick and coordinated access to patients’ history
Up-to-date and accurate information about the patient
Convenient health care support to the patient
Secure sharing of patients’ information with patients, healthcare providers, and researchers.
Reduced cost, improved productivity, and support for accurate, legally compliant documentation.
Role of Cloud Computing in the Healthcare Industry
In the era of cloud computing, anyone can access IT resources and facilities anywhere, anytime with a pay-as-you-go model. Many organizations and businesses have benefited from early adoption of cloud computing. Evolving industries like healthcare can adopt a cloud-based model to collaborate, communicate, and coordinate among different healthcare providers such as hospitals, pathology labs, pharmacists, doctors, nurses, and insurers. This will replace the traditional paper-based healthcare system with an automated, computerized cloud healthcare system. During the COVID-19 pandemic, it was observed that digitization of patients’ health records could support online diagnosis, and that patients received better treatment thanks to up-to-date records and continuous interaction with healthcare providers. At the same time, the integration of patient-centric data on the cloud raises security and privacy concerns for patients and healthcare providers.
Threats to Electronic Health Data on the Cloud
In 2021, the U.S. Department of Health and Human Services recorded 618 breaches and cyberattacks each affecting at least 500 people. According to IBM, the average cost of a data breach increased from USD 3.86 million to USD 4.24 million, the highest average total cost in the 17-year history of the report.
Figure 4: Healthcare Records breached in the past 12 Months
According to the HIPAA Journal’s healthcare data breach report, 22 healthcare data breaches affecting 10,000 or more individuals were reported in April 2022. The number of data breaches reported in April 2022 was lower than in October 2021.
The top 5 threats against Electronic Health Records are phishing attacks, malware and ransomware attacks, encryption blind spots, cloud threats, and employees.
A. Phishing Attacks: Phishing is a type of social engineering attack in which an attacker tries to steal credit card details and user credentials by posing as a trusted authority. The attacker deceives the target into opening an email, link, or text message.
B. Malware & Ransomware Attacks: Malware is “malicious software” designed to infect or disrupt computers, typically delivered as files or code over a network. Malware includes viruses, ransomware, spyware, and other malicious software that gets secretly installed on a system. Ransomware is a kind of malware that restricts or prevents users from accessing their systems, either by locking users’ files or screens, until a ransom is paid to the attacker. Crypto-ransomware, one category, encrypts files and forces the victim to pay a ransom online to retrieve the decryption key. Ransomware is especially dangerous for hospitals and healthcare providers, who depend on up-to-date patient data to provide good care.
C. Encryption Blind Spots: Encryption techniques are designed to protect data, but attackers use encrypted channels to propagate and update malware. These encryption blind spots let attackers hide malware and avoid detection of its execution. It is necessary to strengthen encryption practices and the control and management of the secret keys used in cryptographic operations.
D. Cloud Threats: The healthcare industry is adopting cloud computing to provide better care to patients. Along with the benefits of cloud computing, this also increases the associated security threats. It is necessary to securely store, access, and share patients’ data among healthcare providers.
E. Employees: Insider attacks are one of the major concerns in the healthcare industry. Insider threats arise either intentionally, from disgruntled employees, or unintentionally. It is recommended to educate and train all healthcare providers, adhere to the principle of least privilege, and incorporate auditing and monitoring controls.
To protect the EHR system against phishing attacks, educate healthcare providers about phishing, do not open emails, messages, or links received from unknown entities or suspicious sites, and verify requests before sharing any data. Preventive measures against ransomware attacks include backing up data regularly, performing regular risk assessments, validating the firewalls that protect the EHR system network, and training all employees in information security.
Common strategies healthcare providers should consider to strengthen the cybersecurity of their EHR systems:
Evaluate the risk and operational vulnerabilities associated with critical health records before an attack occurs.
Incorporate multi-factor authentication and use a VPN as countermeasures against ransomware attacks.
Apply security at each layer so that the risk of an attack can be mitigated before it reaches patients’ confidential data.
Use email security software to mitigate phishing attacks by filtering URLs and sandboxing attachments.
Incorporate proactive practices by hiring cyber threat hunters who will track, detect, and prevent potential cyber-attacks.
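The cloud-threat and insider-threat items above (secure access to patients’ data, least privilege, auditing and monitoring) and the multi-factor authentication item in this list can be combined in a single access layer. The following is an added illustration, not code from this post or from any EHR vendor: it enforces a role-based allow-list over individual record fields, refuses requests without a completed MFA step, and writes every allowed and denied access to an HMAC-chained audit log so that later edits or deletions of log entries are detectable. The roles, fields, policy, patient record, and audit key are all constructed for the example.

```python
"""Least-privilege field access to an EHR record with a tamper-evident audit trail.

Hypothetical example: POLICY, RECORDS, the roles and the audit key are constructed
for illustration and are not taken from any real system.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Role -> set of (field, action) pairs that are allowed. Anything not listed is denied.
POLICY: Dict[str, Set[Tuple[str, str]]] = {
    "physician": {("history", "read"), ("medications", "read"),
                  ("medications", "write"), ("lab_results", "read"),
                  ("insurance", "read")},
    "nurse":     {("medications", "read"), ("lab_results", "read")},
    "lab_tech":  {("lab_results", "write")},
    "billing":   {("insurance", "read")},
}

# Constructed sample patient record (not real data).
RECORDS: Dict[str, Dict[str, str]] = {
    "P-0001": {"history": "asthma", "medications": "salbutamol",
               "lab_results": "", "insurance": "plan-A"},
}


@dataclass
class User:
    name: str
    role: str
    mfa_verified: bool = False   # set only after a completed MFA challenge


@dataclass
class AuditLog:
    """Append-only log where each entry's MAC covers the previous entry's MAC."""
    key: bytes
    entries: List[dict] = field(default_factory=list)
    last_mac: str = "0" * 64

    def append(self, entry: dict) -> None:
        body = {**entry, "prev": self.last_mac}
        payload = json.dumps(body, sort_keys=True).encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        self.entries.append({**body, "mac": mac})
        self.last_mac = mac

    def verify(self) -> bool:
        """Return False if any entry was altered, removed or reordered."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "mac"}
            if body.get("prev") != prev:
                return False
            payload = json.dumps(body, sort_keys=True).encode()
            expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, e["mac"]):
                return False
            prev = e["mac"]
        return True


def access_record(user: User, patient_id: str, fld: str, action: str,
                  log: AuditLog, value: str = None) -> str:
    """Read or write one field of a patient record under POLICY, logging the attempt."""
    allowed = user.mfa_verified and (fld, action) in POLICY.get(user.role, set())
    # Log before acting so denied attempts are visible to monitoring as well.
    log.append({"user": user.name, "role": user.role, "patient": patient_id,
                "field": fld, "action": action, "allowed": allowed})
    if not allowed:
        raise PermissionError(f"{user.role} {user.name} may not {action} {fld}")
    record = RECORDS[patient_id]
    if action == "write":
        record[fld] = value
        return value
    return record[fld]


if __name__ == "__main__":
    log = AuditLog(key=b"constructed-audit-key")
    doctor = User("dr_ana", "physician", mfa_verified=True)
    clerk = User("bob", "billing", mfa_verified=True)
    print(access_record(doctor, "P-0001", "history", "read", log))
    try:
        access_record(clerk, "P-0001", "history", "read", log)
    except PermissionError as err:
        print("denied:", err)
    print("audit chain intact:", log.verify())
    log.entries[1]["allowed"] = True          # simulate an insider editing the log
    print("audit chain intact after tampering:", log.verify())
```

The allow-list is deliberately per field rather than per record: a billing clerk can see the insurance plan without ever seeing the medical history, which is the least-privilege property the post recommends. The audit key must be held by the logging service, not by the application users whose actions it records, or the chain offers no protection against an insider.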
Adoption of cloud computing in the healthcare industry to maintain, store, share, and access patients’ data across healthcare providers helps physicians improve patient care. EHR on the cloud gives physicians quick and secure access to data at any time from anywhere and enables online treatment. Despite the many benefits of EHR on the cloud, the security and privacy of data remain major concerns. Here we discussed the main threats to EHR on the cloud and their corrective measures.
CloudThat is an official AWS (Amazon Web Services) Advanced Consulting Partner and Training Partner and a Microsoft Gold Partner, helping people develop knowledge of the cloud and helping their businesses aim for higher goals using best-in-industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.