Mitigating Analytics Risk: Essential Health Care Data Security Requirements and Questions
by Daniel Humphries, Market Research Associate
October 5, 2015
It’s no surprise if health care organizations are concerned about the security of the technology they use. After all, earlier this year, insurance plan provider Anthem suffered a breach that compromised the records of 80 million individuals. A few months later, researchers at the University of Washington in Seattle managed to hack into and seize control of a remotely operated surgical robot.
But what if this concern is preventing health care providers from adopting tools that could help reduce costs and improve treatment? This may be the case when it comes to data analytics.
Indeed, says Southard Jones, VP of product strategy at BI software vendor Birst: “Security and compliance is probably one of the biggest hurdles to overcome in engagement with [health care providers].”
Many providers are especially wary of any solution that operates independently of their own servers. For Birst, a cloud-based vendor, these concerns are especially acute. However, all analytics software vendors must provide reassurances to buyers, as their tools will be accessing confidential patient information—perhaps even blending it with other data sources.
So, what are buyers to do when it comes to ensuring the security of the system they choose?
Think Beyond Compliance
First, it is important that providers go beyond compliance. Merely ascertaining that a particular solution checks all the right boxes to meet HIPAA requirements may not be enough.
After all, as cybersecurity expert Rick Doten puts it, “compliance does not mean you are secure.”
Worse, as Darren Guccione, CEO of security firm Keeper Security points out in a recent article, the most recent HIPAA rulemaking went into effect March 2013—“a lifetime in the cybersecurity world.” A software product that simply meets these requirements is not exactly up-to-date.
Guccione adds: “[E]ven when the HIPAA rules governing cloud services were established, there was nothing that said the data held in the cloud had to be encrypted. In short, HIPAA puts the onus of security on the provider, not the cloud service.”
Elements of Risk
Buyers who want to go beyond box-ticking when assessing the security of a BI platform should keep in mind protection of the infrastructure and the data flow, says Doten.
“This is why many organizations are worried about cloud services, in particular,” he says. “They feel they don’t have visibility or control over data protection, or that it may be a compliance violation if their protected data is outside their infrastructure.”
Buyers should focus their search on mature software vendors that understand data security and privacy requirements, says Doten. Such vendors will have certifications on their infrastructures and platforms.
In fact, he adds, such vendors are probably a better bet than keeping everything in-house and on-premise, since “their entire organization is dedicated to securing the operations of this infrastructure, whereas most health care companies have much smaller and less specialized IT departments. And if data protection is managed by a few underqualified, overworked IT staff members, then where is the greatest risk?”
Essential Requirements, Certifications and Documents
When assessing a software vendor, buyers should provide them with a list of security requirements—then validate that the vendor can not only meet them, but also demonstrate continued compliance with them over time, says Doten.
What does this mean in practice? Doten suggests the following:
Provide requirements for data protection. This means platform security configurations, use of encryption at rest and in transit, and security across the entire data life cycle (e.g., backups and data disposal).
Ask for evidence. The vendor should provide proof of certifications (such as ISO, HIPAA, SOC 1 and 2, and Safe Harbor) as well as risk and vulnerability assessment reports or results.
Understand their commitment to security. Obtain documents or talk to operations leads about how they manage their systems, and ask for examples of how they handled it when things went wrong.
Vendors that understand security is a business differentiator “are the ones you should seek out—not the cheapest,” Doten points out. He adds that any reputable software provider should have the above information readily available.
Six Probing Questions to Ask Software Vendors
We also asked Georgi Moskov, head of security assessment and technology at security firm Whispering Bell, to provide us with some tough questions to ask of a potential software vendor, going beyond the basics of firewalls and network segmentation.
If a vendor can’t answer these, then it is a sign that you should probably be looking elsewhere:
When was the last penetration test from an independent consultant performed, and can you share the results?
Is all the data stored on internal servers, or are you using a cloud or third-party solution?
In case data is stored externally, how do you guarantee data security in the event of a disgruntled cloud-service employee? And how do you ensure secure disposal of cloud service hardware (say, a misbehaving hard drive loaded with patient data)?
Does your solution incorporate auditing logs, and does it track each and every request by users viewing patient data? Have you implemented an algorithm to alert you if a user starts looking through patient data without actually working on a specific case (for example, if a celebrity is being treated in the hospital and staff are curious about her condition)?
Is patient data encrypted while in storage and in transit over different networks? How do you ensure patient data is not accessible to super-user IT staff (for example, backup and network administrators)?
Does the product implement data loss prevention mechanisms? What are the ways to export data, is the data encrypted and are the details of this action logged?
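As an added illustration of the auditing question above (this is not code from the article or from any vendor it names), the following check reads patient-record views from an audit log and flags users who view records outside their assigned cases, escalating when a watchlisted patient (the celebrity scenario) is involved; the log rows, case assignments and watchlist are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit log: one row per patient-record view.
AUDIT_LOG = """timestamp,user,patient_id,action
2015-10-05T08:01:00,nurse_a,P100,view
2015-10-05T08:02:00,nurse_a,P101,view
2015-10-05T09:15:00,admin_b,P555,view
2015-10-05T09:16:00,admin_b,P555,view
2015-10-05T10:30:00,doc_c,P555,view
2015-10-05T11:00:00,nurse_a,P555,view
"""

# Constructed case assignments: the patients each user is currently treating.
# admin_b (e.g. a backup administrator) has no clinical assignment at all.
ASSIGNMENTS = {
    "nurse_a": {"P100", "P101"},
    "doc_c": {"P555"},
}

def parse_audit_log(text):
    """Parse the CSV audit log into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def unassigned_accesses(events, assignments):
    """Return view events where the user has no case involving that patient."""
    return [e for e in events
            if e["action"] == "view"
            and e["patient_id"] not in assignments.get(e["user"], set())]

def snooping_alerts(events, assignments, watchlist=frozenset()):
    """Group unassigned views per user; a watchlisted patient raises severity to high."""
    per_user = defaultdict(list)
    for e in unassigned_accesses(events, assignments):
        per_user[e["user"]].append(e["patient_id"])
    alerts = []
    for user, patients in per_user.items():
        severity = "high" if watchlist & set(patients) else "medium"
        alerts.append({"user": user, "patients": sorted(set(patients)),
                       "count": len(patients), "severity": severity})
    return sorted(alerts, key=lambda a: a["user"])

if __name__ == "__main__":
    for alert in snooping_alerts(parse_audit_log(AUDIT_LOG), ASSIGNMENTS, {"P555"}):
        print(alert)
```

doc_c is not flagged because P555 is an assigned case; the two unassigned viewers are reported with the number of views each made.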
There are many other tools available to help health care organizations transform data into actionable insights. Buyers should always carry out their due diligence when considering a platform—but should not let security concerns dissuade them from adopting what could be a very useful tool.
If you’re ready to take the next step in adopting one of these tools, what can you, as a buyer, do next?
Finding a trusted resource for choosing software can help. Our team of Software Advisors has expert knowledge of over 40 BI platforms, and has assisted more than 1,000 buyers in finding solutions that are right for them.
Here are four things you can do right now:
Read reviews of BI tools written by actual users, and find out what peers think of different platforms.
Talk with a Software Advice BI expert, who can provide free product and pricing information and connect you with the BI software that is best for your business.
Try out a BI solution with a free demo.
Download our free e-book, "How Big Data and Health Care Analytics Reduce Costs and Improve Care: 5 Use Cases."
Follow these steps, and the powerful insights that BI and analytics platforms offer health care organizations could be yours.