Healthcare data security isn’t just about protecting confidentiality. When its integrity or availability is compromised, there is a potential risk for patients. What threats are healthcare establishments exposed to? How can they protect themselves? What are the challenges of the future? Cédric Cartau, a specialist in healthcare IT, answered our questions.
Cédric Cartau is Chief Information Security Officer (CISO) at Nantes University Hospital and also works with the GCS (Healthcare Cooperation) of the Pays de la Loire region, providing various services to healthcare establishments. He has written five books on healthcare IT, regularly posts articles on e-health blog DSIH and is in charge of IT at the EHESP, a school that trains hospital directors.
“THE MAIN CAUSE FOR CONCERN IS DATA INTEGRITY”
What are the implications of data security in hospitals?
There are three issues: data availability, integrity and confidentiality.
Let’s take an example outside the healthcare sector: if I notice a mistake when I check my bank account, it’s an error of integrity that doesn’t have drastic consequences and can be rectified. If I can’t withdraw cash due to an IT issue, that’s an availability issue, which is more annoying. But if all my financial information ends up on Google, that’s a confidentiality issue, with potentially serious implications.
The order of priority of these three issues is not the same in the banking world as in healthcare. In healthcare establishments, despite what some articles would suggest, the chief concern is not data confidentiality but data integrity.
For example: in 2004, there was a case of radiation overexposure in Epinal in eastern France. An IT error (data integrity) meant that excessive doses of irradiation were administered to patients, resulting in a number of deaths. Whereas up until now, and as far as we know, no data confidentiality breach has ever led to a person’s death.
Let’s look at availability now. If an IT system is down, for whatever reason, the consequences could be disastrous. The most recent example was in the States when the Medstar hospital chain was the victim of a cyber-attack: its IT system was paralysed for ten days by a CryptoLocker. The hospital’s IT system completely shut down and they had to send patients to other hospitals. This is an availability error: none of the data was stolen or published, the hospital just couldn’t access it. Consequently, its production system ground to a halt.
And yet security issues also vary from one area of healthcare to another. Where acute care is concerned (surgery, for example), the important factor is data integrity, followed by availability, and thirdly, confidentiality. Whereas in the field of psychiatry, for example, confidentiality is paramount.
“WHEN HEALTH DATA IS COMPUTERISED, SECURITY IS ALWAYS MORE CRITICAL”
What exactly does the concept of healthcare data cover?
For a long time now, all hospitals have computerised three main administrative functions: payroll, economic & financial management and billing. For nearly ten years, many of them have also computerised patients’ administrative records, i.e. their identity, all the documents required for billing, etc. The majority of hospitals have also digitalised their medical records, reports and prescriptions.
With purely administrative matters, the impact of a security breach is minimal: if a software program is down for a week, it’s not really a problem because there are easy ways to get round it. And if there’s a billing error, it can be easily remedied.
But where patient records are concerned, it’s obviously more serious. After all, before medical records were computerised, no one was worried about data security. Ten years ago, there weren’t any CISOs in hospitals. But as soon as we started computerising the hospital’s core business, i.e., healthcare, people started having concerns about security, just like the banking sector did, ten or twenty years earlier.
With electronic prescriptions, we’ve reached a major milestone in terms of security. At the moment, only the larger hospitals have started doing it so their security restrictions are obviously greater. But the other hospitals will gradually follow suit.
What sort of threats are healthcare establishments exposed to? What are the critical points that need to be monitored?
Where integrity is concerned, this means, for example, making sure that the dosage in a patient record is accurate. The only tools that can reduce these risks are software qualification tests which are carried out partly by the software vendors – often inadequately – and partly by the healthcare establishment: some have the resources to do this, whilst others don’t really do much about it.
Regarding availability, to remedy a hardware failure, you have to have backup equipment: if a server hosting patient records goes down, in order to start it up again quickly, you need a duplicate on the same server. This is obviously costly, in terms of the hardware but also cooling systems and electricity.
But even though the larger establishments have duplicated their data centres, the smaller ones haven’t yet. Some host their data in the cloud, but in the healthcare sector, this type of hosting has a number of limitations. You can’t just store a patient record anywhere. You have to have it hosted by an accredited healthcare hosting provider. And that’s not cheap. A small establishment providing care for the elderly with two servers will have a fairly small bill, but for a university hospital with over a thousand servers, the cost would be prohibitive.
That said, an establishment with a thousand servers often has staff to handle this and could do just as good a job as a professional hosting provider, so the cloud wouldn’t be a valid option for them.
But server duplication only addresses the risk of hardware failure, whereas software failure is a major risk now where data availability is concerned: a bug in a patient record, a program crashing during a software update, etc.: the scenarios are endless.
“WHERE VIRUSES ARE CONCERNED, WE’RE ON AMBER ALERT, MAYBE EVEN RED.”
What my colleagues dread the most is a bug that would shut down a healthcare system. That includes viruses. At the moment, in healthcare and IT in general, where viruses are concerned, we’re on amber alert, maybe even red. The recent CryptoLockers are a good example, but virus attacks have been going on for years. In 2006, a university hospital in the west of France suffered a major attack: 30% of its IT system was out for three weeks. Luckily, they hadn’t yet computerised much of their information. If that happened today, it would be much more serious.
“YOU CAN COUNT THE NUMBER OF CONFIDENTIALITY ISSUES ON THE FINGERS OF ONE HAND”
Data confidentiality is very topical, but actually, you can count the number of major confidentiality incidents on the fingers of one hand. CryptoLockers don’t affect confidentiality: the aim is to lock down a system so that the data can’t be accessed.
As far as I know, the only example of a confidentiality incident in France was the Labio affair in January 2015. Hackers published the data of 15,000 patients, having attempted to extort money from a group of medical labs. It is not known whether the lab paid the ransom or not, but the patient records ended up on Google. And despite the fact that the lab clearly hadn’t taken the necessary security precautions, they weren’t prosecuted.
And even this example, as disturbing as it is, didn’t involve critical data. Where confidentiality is concerned, certain areas are extremely sensitive: HIV testing, anonymous childbirth (a French law whereby women can give birth and give up their child, without revealing their identity, Ed), abortions, etc. A list of examples of top-priority confidentiality cases has been drawn up by the French Health Ministry, and these are thus given special treatment. For example, if a woman wishes to give birth anonymously and therefore doesn’t wish to disclose her identity, a false name is entered in the IT system. So even if the system is hacked into, the person’s true identity will be protected.
Do healthcare establishments share best practices?
The fifty-odd hospital CISOs in France – there aren’t many of us, considering there are around 1,000 hospitals – are in regular contact with Philippe Loudenot, a government IT Security Officer, who is very helpful. We also have a lot of informal discussions.
In Nantes, we’ve also set up an informal CISOs’ club, and not just in the healthcare sector, because our members include the CISOs of the Nantes City Council, the departmental council and Voyages-SNCF. Organisations and companies from different industries still have similar security issues, at least from a technical vantage.
“WE CAN EXPECT FAR MORE SECURITY RESTRICTIONS IN THE FUTURE”
What sort of challenges will you have to face in the future where healthcare security is concerned?
Today, establishments are going for total computerisation: no organisation in any area of the economy has been able to escape it. When they were only computerising the administrative aspects, the security restrictions were virtually non-existent. Once we started to computerise their core business, there was a surge in security problems because there were risks for patients.
In the next 5 to 10 years, we can expect far more security issues, which will require bigger budgets, more staff and teaching best practices.
Back in 1996, in a hospital like Nantes university hospital, there were about 2,000 or 3,000 PCs. 20 years later, there are 8,500 computers and 12,000 agents. According to my forecasts, by 2020, there will be more devices (PCs, tablets and smartphones) than agents. Because we won’t stop there: we’ll continue to deploy: everyone will have at least a PC, a tablet, a smartphone… or more!
So it’s a logical progression: when we didn’t have many computers, we didn’t need to implement security, so the more devices there are, the more critical security is.
“WE SHOULDN’T WAIT UNTIL THE HORSE HAS BOLTED TO CLOSE THE GATE”
What happens far too often in France, whether it’s road safety, civil security or even nuclear safety, is that we tend only to close the gate once the horse has bolted, despite the fact that experts have been warning us for years. We mustn’t make the same mistake with healthcare data security: we don’t want to wait until we see on the news that a software failure has led to a major accident like in Epinal. It could happen again tomorrow. A few rules have been implemented for radiotherapy, but in a number of other areas which have also gone digital, no preventive measures have been taken to avoid this.